And you thought evercookies were a problem…
Surely you’ve heard of Stuxnet, the worm that may be eating up Iran’s nuclear apple? Tell me you’ve at least thought about it, right? I mean the news services and their writers have.
Some initial background regarding Israel–completely unrelated so far as you know–from Reuters:
Cyber warfare has quietly grown into a central pillar of Israel’s strategic planning, with a new military intelligence unit set up to incorporate high-tech hacking tactics, Israeli security sources said on Tuesday.
This from the New York Times:
The Iranian government agency that runs the country’s nuclear facilities, including those the West suspects are part of a weapons program, has reported that its engineers are trying to protect their facilities from a sophisticated computer worm that has infected industrial plants across Iran.
Depending on who you believe inside Iran, it’s either ‘not serious and has more or less been halted,’ or it is ‘electronic warfare and has affected 30,000 computers.’
But wait, there’s more:
The malware was so skillfully designed that computer security specialists who have examined it were almost certain it had been created by a government and is a prime example of clandestine digital warfare. While there have been suspicions of other government uses of computer worms and viruses, Stuxnet is the first to go after industrial systems. But unlike those other attacks, this bit of malware did not stay invisible.
Many of us might consider ‘clandestine’ and ‘not staying invisible’ as mutually exclusive, but I digress.
Is it possible Stuxnet is an example of cyberwar ‘in the wild?’ That is, like a biological virus in a Michael Crichton novel, it may yield unintended consequences?
Siemens has said that the worm was found in only 15 plants around the world using its equipment and that no factory’s operations were affected. But now the malware not only is detectable, but also is continuing to spread through computer systems around the world through the Internet.
“Proliferation is a real problem, and no country is prepared to deal with it,” said Melissa Hathaway, a former United States national cybersecurity coordinator. The widespread availability of the attack techniques revealed by the software has set off alarms among industrial control specialists, she said: “All of these guys are scared to death. We have about 90 days to fix this before some hacker begins using it.”
What’s the way ahead?
The ability of Stuxnet to infiltrate these systems will “require a complete reassessment” of security systems and processes, starting with federal technology standards and nuclear regulations, said Joe Weiss, a specialist in the security of industrial control systems who is managing partner at Applied Control Solutions in Cupertino, Calif.
Applied Control Solutions is an industrial control systems consultant, so they’ve likely been saying this since Y2K. Of course, such advice isn’t necessarily wrong as the rule of thumb is this: when in doubt, consult, legislate, and regulate. It worked for the financial sector, right?