2010-11-29

Cyber Cold War Predictions

(This article was originally published on the Findings From the Field blog.)

Kevin Haley at Symantec has just published his predictions for computer security in 2011. He mentions Stuxnet many times and mentions “cyber warfare” in passing. Many others have heralded 2010 as the beginning of a new era of cyber warfare. I think that if the 2009 Ghostnet and Aurora attacks and the 2010 Stuxnet attack represent a new “cyber warfare,” then such warfare has more in common with the cold war era than with a conventional conflict.

My own predictions for 2011 and 2012 follow. In summary, all I’m really saying is that “the cold war will continue.” That seems a pretty safe bet given how long the first cold war lasted. Thinking of the events of 2009-2010 as a cold war, though, does help to answer key questions like: When will we see new, sophisticated attacks? Who will be targeted? And how do we protect important civilian infrastructure from these kinds of attacks?

2010-11-15

Disclosure in an Era of Cyber Warfare

(This article was originally published on the Findings From the Field blog.)

Symantec reports that the Stuxnet worm targets PLCs which control high-frequency, frequency-converting power supplies. Such drives are export-controlled in the United States because they can be used as components in gas-centrifuge uranium enrichment processes. Symantec stops short of identifying Iran’s Natanz uranium enrichment facility as the target of the worm, but the information they supply is suggestive of that target. This raises the question: if the objective of the worm was to prevent Iran from developing nuclear weapons, was it wise to give the worm all of the publicity it received?

2010-11-11

Stuxnet Report Updates

(This article was originally published on the Findings From the Field blog.)

Last week ESET updated their Stuxnet Under the Microscope report, and Symantec updated their W32.Stuxnet Dossier. Important changes: the Symantec dossier includes a description of how to identify compromised PLCs, and the ESET report describes the still-unpatched Task Scheduler vulnerability in enough detail to exploit it. The ESET disclosure is surprising – usually such descriptions are withheld until a patch is available for the vulnerability.

2010-11-03

Security Basics: One-way Diodes

(This article was originally published on the Findings From the Field blog.)

The Owl Computing Technologies presentation at the ICSJWG 2010 Fall Conference caught my eye. Owl has been showing up at more conferences lately, providing some competition for the incumbent industrial diode leader Waterfall Security Solutions. The question I had when I first heard of this kind of technology is “when would you use that?” The concept behind the diodes is simple: the diode hardware allows communication in only one direction. A diode can push data from one place to another, but it is incapable of sending any information back. How can this be useful in a world full of two-way communications protocols?

Security Basics: Jump Boxes

(This article was originally published on the Findings From the Field blog.)

The initial ballot on proposed revisions to NERC-CIP 005-4 is complete and the results and comments have been posted. Votes for the negative carried the day. I hope the proposed changes can be salvaged because they do have value. The revisions would require sites to use a “remote access server” or, more succinctly, a “jump box” to provide access to critical assets inside an electronic security perimeter. The measures, described in more detail in a Draft Guidance Document, are intended to address serious problems with remote access mechanisms observed at NERC-CIP sites. Industrial Defender security assessors report that they agree with NERC – they also routinely see weak and misconfigured remote access mechanisms, issues that the proposed regulations should help address.