Experts may be divided on the exact dangers of Stuxnet, which some dubbed the most sophisticated malware to date, but most agree it took the cyber threat to the next level. As opposed to a traditional cyber attack, Stuxnet was able to do actual physical damage, which opened a whole new can of (malware) worms. Last November, a senior DHS official warned that attackers could create Stuxnet variations targeting other industries, affecting the production of everything from chemicals to baby formula.
Cliff Unger, director of public sector initiatives at Belkin, talked to The New New Internet about the nature of Stuxnet, what precautions government and industry can take to avoid similar attacks, and how the cyber-threat landscape is evolving.
Cliff Unger: From our perspective, the Stuxnet worm was really eye opening, and not a surprise to anybody. If you have been following us for some time, you understand sort of the nature of that attack. The really interesting thing about that attack is that it is the first time we saw somebody not only attack from a penetration standpoint and really try to — for a lack of a better way to put it — worm their way into the system, but also have executable initiatives that actually went out from an industrial standpoint and attacked particular machinery.
The real interesting level of complexity that this worm contained was the fact that they were able to create sort of that ghosting or from an operational standpoint they were able to cover their tracks, so to speak. When they started working on centrifugal equipment, all the alerts and all of the sophistication that was built into that technology were really circumvented by showing normal operations, not really alerting folks to what was taking place.
That introduces a new level of cyber warfare rather than just cyber tampering or the previous level of sophistication that we were familiar with where people can put malware in place and they have the ability to sniff or track keyboard strokes, other sorts of information in that fashion. This is the first time where we saw somebody go in and actually physically take control of the equipment to some degree unbeknownst to the organization until the damage was done.
The New New Internet: How can industry and government protect against these threats?
Cliff Unger: There is a host of different ways that industry and government can protect against these things. We’ve seen a statement from the government that they will be coming out with some additional information about the investments and additional steps they plan to take from a cybersecurity standpoint at the legislative level. There are a number of things that are generally common knowledge; physical security is one, obviously physical security to the locations in which our intelligence and defense folks work – that’s something that we probably do a pretty good job of, the common access card implementation across most of the unsecure networks, identification verification, some of the sophistication in biometrics and those sorts of things are certainly ways to protect against these types of attacks.
One of the ways that we are able to work with folks to protect against these types of attacks is ensuring that when these attacks occur, they are isolated to the particular systems or particular networks from which the attack was made. In any area where multiple different networks coalesce or come together, there is an inherent risk that if something were to happen in one particular network, the risk is that it could bleed over or we could find it attacking other networks that coincide or touch the network under attack. We have solutions that we work with intelligence and defense agencies with that protect that ability for an attack to move from one network to the next.
In many cases, that piece of the puzzle is often overlooked, and our job in industry and in collaboration with our public-sector partners is to make sure they understand the significance of that part. We know that tens of thousands of errors take place on an annual basis that are pure human error; it’s just the nature of us as a species, if you will. Even those errors that take place that have no malintent can expose those things to potential attackers and those sorts of things. We try to, whenever possible, mitigate human error as well as just make sure that those disparate networks maintain their segregation.
The New New Internet: It seems like the U.S. has been spared from these worms and viruses, can you explain why?
Cliff Unger: I don’t have a particular perspective on that. There may be some level of noise around that. We know that there are tens of thousands of attacks on an annual basis. The Computer Emergency Readiness Team actually reports about a 400 percent increase in incidents between 2006 and 2009. They show that about 30,000 incidents occurred in the 2009 calendar year, which is up significantly from just a few years prior. They’ve also got a performance and accountability report that shows 21 of 24 major federal agencies recognize that there are, in some cases, inadequate information systems in place or protection over information systems.
That said, I think there are a number of things from a public-sector standpoint that our government and other agencies have put in place. It’s interesting that we haven’t seen more about this, but I wouldn’t be surprised if these things either are taking place or if Stuxnet, as an example, may be just the beginning of this level of sophistication within these attacks.
The New New Internet: Some critics doubt the claims of Iran being attacked recently. What is your take on it?
Cliff Unger: We don’t have a position particularly on that. From a political standpoint, there are probably motivations on multiple different sides of the fence as to what has taken place or what hasn’t taken place. It’s not something that we have an official position on.
The New New Internet: How do you see the cyber-threat landscape evolving in the near future?
Cliff Unger: In general terms, I would expect a certain level of sophistication to evolve. There are internal vulnerabilities and there are external vulnerabilities. We focus primarily more on external vulnerabilities; it’s kind of the first line of defense. It is sort of the fence outside of the building with the barbed wire on it. I think there has been a tremendous focus looking at how we make sure people don’t get in, for a lack of a better way to put it.
There still remains, related to the human error component, and human nature in general, some inherent vulnerabilities. There are occasions where there is unintentional, malicious action and behavior and as vendors, we need to work with our agency counterparts to mitigate those occurrences. All we can do, both as vendors in the space and partners with our agency counterparts, is try to mitigate those wherever possible. I would not be surprised if the level of sophistication, similar to the evolution that we saw represented in the Stuxnet worm continues to evolve. We need to do our best to try to stay ahead of what may be next.
The New New Internet: Is there anything else you wanted to throw in about this topic? Is there anything we need to know?
Cliff Unger: I think what I would leave you with is as good a job as we may or may not be doing, and I certainly believe that the industry as a whole is improving, I think there are some inherent overlooked vulnerabilities that exist. At Belkin, we not only build solutions to address that, but we also educate folks. We’ve got the white paper available that really educates folks on the sort of things that may be overlooked, and desktop security really is one of those things.
Obviously, network security for years and years and years has been a tremendous focus. We want to make sure people stay out of the networks and that we safeguard ourselves against network intrusion. In many cases outside of the data center, the desktop environment is a large percentage of where those networks coalesce, and that piece of the puzzle really needs to be taken seriously.
We would encourage people to make sure that, in addition to external vulnerability protection and some of the internal vulnerability mitigation that they do with regard to locking down USB and other types of communication protocols, they consider the physical environment as well. It certainly is not something that should be overlooked, and people need to ensure that where they have networks colliding, they’ve got some real safeguards in place to make sure that they are protected on that front as well.