I asked Jay Holcomb what he made of the big article about Stuxnet that ran in Sunday's New York Times. Here is his response.

By Jay Holcomb
Best Defense infowar article critic

I enjoyed reading the New York Times article, "Israeli Test on Worm Called Crucial in Iran Nuclear Delay" published Jan. 16. Everyone seems to agree that this was by far the most complex cyber event ever seen in the wild. By complex I'm referring to the number of technical features, such as zero-day exploits, industrial control system expertise, intelligence on target configurations, number of cyber exploits used on the target, such as root kits, botnet-type command and control, user view manipulation, etc.

I believe that the more media exposure we can generate from complex cyber events like this one, the better. However, I still believe we are missing the bigger picture with regard to these types of complex events. While I realize many folks really want to know where the Stuxnet package originated, I propose that we should be spending as much (or more) time looking around at what these events mean today, and in the near future, with regard to our cyber exposure -- federal/state/local government resources, critical infrastructure, civilian industries, and even our own personal exposure.

I agree with Mr. Langner's quote in the article, referring to the Stuxnet package, that, "It's like a playbook.... Anyone who looks at it carefully can build something like it." Langner makes an important statement that I have not seen many people outside the industrial control system and cybersecurity industries mention or highlight. We can assume it is not only nation-states that are looking at events like these; terrorists and common criminals are most likely very busy right now looking at this too!

Many of the items highlighted in the article potentially read like a fortuneteller's glass ball: "The vulnerability of the controller to cyberattack was an open secret. In July 2008, the Idaho lab and Siemens teamed up on a PowerPoint presentation on the controller's vulnerabilities that was made to a conference in Chicago at Navy Pier, a top tourist attraction." This is not unusual, as significant vulnerabilities in software will often be publicly known. The vulnerabilities often are not addressed until (what seems like) enough public pressure is applied for a fix/patch to be produced and/or applied. While I have no specific information on "Smart Meters," recent articles which point out potential security concerns related to the deployment of "Smart Meters" make me wonder whether we're not looking into a fortuneteller's glass ball. I'll include some reference links about this at the bottom of this note.

One final thought: While the Stuxnet event and associated reports have generated some public media exposure on complex cyber events, I find myself looking back on a report released by the U.S.-China Economic and Security Review Commission, dated Oct. 9, 2009, which does a great job explaining a very complex cyber intrusion -- I wonder if that was a cyber building block to our current Stuxnet discussion?


Smart Meters:

"Money trumps security in smart-meter rollouts, experts say"

"Security Pros Question Deployment of Smart Meters"

"More Researchers Point to Smart Meter Security Holes"

"UK business electricity supplier reaches 12,000 smart meter installations"

"PSO says Owasso customers will be converting to smart grids as part of pilot program"

"The three stages of SmartMeter^TM technology"

 

The U.S.-China Economic and Security Review Commission, "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" (p. 59, "Operational Profile of An Advanced Cyber Intrusion"), Oct. 9, 2009