In the wake of Stuxnet it is clear that our critical infrastructure "is in play," says Black Hat founder Jeff Moss, and resilience is a strategic deterrent to attack.
Because of its very nature, critical infrastructure should be resilient. It should be able to withstand disastrous events, mitigate their impact, fail gracefully and recover quickly. But in a new era in which cyber war is a reality, resiliency is becoming a strategic necessity.
“The critical infrastructure is in play,” Black Hat founder Jeff Moss said in opening the annual Black Hat Federal cybersecurity conference last week. “If your assets are in play, you’d better be able to respond and recover faster.”
What put these assets into play — or at least gave notice of the fact — was the Stuxnet worm, which Moss called “the topic that won’t die.” It was publicly revealed in July and since found to be a targeted attack against a specific process control system. It is widely believed to have been intended to disrupt Iran’s uranium enrichment program, which it might well have done, but 60,000 other infections have been identified around the world.
Stuxnet is merely one example of a new reality, Moss said.
“I don’t believe this is the first one,” he said of the worm that appears to cross the line between cyber and kinetic warfare. “I believe it’s the first public one. This is the new normal. This is the new world we will be living in.”
Moss, best known as the founder of the Black Hat and DEF CON hacker conferences, also is a security consultant and a member of the president’s Homeland Security Advisory Council.
Just what Stuxnet is and how good it is still is being debated. As one Black Hat Federal presenter, Tom Parker, director of security consulting services at Securicon, pointed out, “the fact that we are talking about it now shows that the developers failed to some extent.” It apparently was never intended to circulate in the wild where it could be captured and analyzed.
However, it is sophisticated. Who made it is not known, but the consensus of analysts is that it was the work of a team with considerable resources. The effort would be measured in man-years. It required access to expensive and regulated hardware as a test bed, and apparently took advantage of detailed intelligence about its target. It was not done on the cheap.
On the one hand, this is alarming: We don’t know who made Stuxnet and nobody wants them crafting another worm to attack us. But on the other hand, there is some comfort here, not only in the fallibility of the developers but also in the apparent complexity and expense of the attack. Nobody pretends to know what Stuxnet cost to develop, but it was not a trivial exercise, and the attackers will have to consider the return on investment before unleashing it.
That is where resiliency comes in.
Hardening the country’s power grid or the control systems for critical utilities and services to the point that they are invulnerable to attack would be cost-prohibitive, if it were possible at all. But having the ability to mitigate the impact of an attack, fail gracefully and recover quickly — that is, being resilient — could be effective, because launching a Stuxnet-like attack might make little economic sense for the attackers.
The country’s critical infrastructure is far from what it should be, but past failures, such as the massive Northeast Blackout of 2003 that affected about 55 million people from the Hudson Bay to the Chesapeake show, that we can recover from catastrophic failures without catastrophic damage. Improving the infrastructure’s ability to defend against and respond to such failures will be an important strategic deterrence to attack.