(This article was originally published on the Findings From the Field blog.)

Kevin Haley at Symantec has just published his predictions for computer security in 2011. He mentions Stuxnet many times and mentions “cyber warfare” in passing. Many others have heralded 2010 as the beginning of a new era of cyber warfare. I think that if the 2009 Ghostnet and Aurora attacks and the 2010 Stuxnet attack represent a new “cyber warfare”, then such warfare has more in common with the Cold War era than with a conventional conflict. My own predictions for 2011 and 2012 follow. In summary, all I’m really saying is that “the cold war will continue.” That seems a pretty safe bet given how long the first Cold War lasted. Thinking of the events of 2009-2010 as a cold war, though, does help to answer key questions like: When will we see new, sophisticated attacks? Who will be targeted? And how do we protect important civilian infrastructure from these kinds of attacks?

Cold War

I regard the most sophisticated attacks of 2009-2010 as a cold war because of the type of attack and because of the agencies presumed to be responsible.
Predictions for 2011

In predicting events in 2011 and beyond, bear in mind:
Prediction: At Least One Large Intelligence Gathering Attack

I predict that 2011 will see at least one large, new, sophisticated intelligence-gathering attack attributed to a national government. This prediction needs little defense, though, since whoever launched Ghostnet and Aurora appears to have had some success and appears to have suffered no consequences. What worked before will work again. That said, intelligence-gathering attacks will be focused more on “enterprise” computing systems than on control systems. Stealing information from control systems and programmable logic controllers is usually harder than stealing the original diagrams, plans and documentation from other repositories in an enterprise.

Prediction: At Least One New Sabotage-Type Attack

I predict that 2011 will yield at least one new, sophisticated and highly-targeted attack which sabotages a militarily-sensitive physical process of some sort. I think the most likely target for that attack is in the Middle East. Again, the agents responsible for the Stuxnet attack are thought to have had some success with the worm, and there do not appear to have been any repercussions for them. What worked before should work again. I suspect that 2011 will yield attacks against militarily-significant sites in western democracies as well, but it is unclear how effective those attacks will be. I have the impression that such sites are better protected than the average civilian control system, even when civilian systems are regulated by NERC-CIP and CFATS. Iran and North Korea are both said to have made significant “cyber warfare” investments, but it is not clear how accurate those reports are, or how effective those organizations are. If western military sites are attacked in 2011, though, we may never know. Such attacks are likely to become state secrets. What I have trouble predicting is whether we will see a credible sabotage-type malware attack on western civilian infrastructure in 2011.
On one hand, an attack with a large number of civilian casualties seems likely to trigger a direct, multi-national response like the response to the World Trade Center attack. A cold war is focused on intelligence gathering and military sabotage, not direct conflict. On the other hand, militaries, intelligence agencies, and governments have made some questionable decisions in the past. Anything is possible. I do not think we will see any credible attacks arise out of a manipulation of the Stuxnet worm itself. There are reports of researchers and others experimenting with the Stuxnet worm, substituting different parts of the payload and re-packaging the worm. However, any such “bragging rights” experiments, even if one escapes or is deliberately released into the wild, will have limited impact. Patches are available for four of the five Microsoft vulnerabilities the worm exploited. This means the worm will have a very hard time spreading on enterprise networks any more. I do not think we will see sophisticated sabotage-type attacks launched by terrorist organizations any time soon. The Symantec analysis suggests at least 6 very well trained people spent at least 6 months on the artifact that is the Stuxnet worm. From the decades I spent developing many kinds of software, my own guess is that the worm easily cost three times that much when you count the thoroughness and complexity of the QA effort. That means a large, well-trained, well-funded team, likely supported by an intelligence agency, working for a long time in a stable working environment with good computer hardware and software support. In my understanding, terrorist groups tend not to have those resources available and are unlikely to develop them in the foreseeable future.

Defenses Against Sophisticated Attacks

To defend civilian control systems from sophisticated attacks like the Stuxnet worm takes a much stronger defense-in-depth posture than is the current, regulated best practice.
The most urgently-needed improvements in best practices are greater use of whitelisting/HIPS technologies, greater network segmentation and stronger programs controlling the use of removable media. All defenses have costs to implement, but it seems to me that the “greater network segmentation” defense may face the greatest resistance. Truly secure sites, like most nuclear and military sites, have serious restrictions as to what kind of information can be exchanged across security perimeters. Enterprise integration and the widespread commercial exploitation of valuable control system data have been taken for granted for years now. Reducing the amount and kind of information that flows between security zones in civilian control systems will be difficult and costly. It seems clear that a new kind of international conflict is developing. Even if we suspect that civilian control systems will not be targeted for the next year or two, it would be prudent for civilian sites which represent the greatest threat to public safety to use the next year or two to invest in protections sufficient to ward off sophisticated attacks by foreign governments.
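As an added illustration of the “greater network segmentation” point (example code written for this page, not from the original post or from any product it mentions), the script below audits a firewall rule list against two segmentation principles: no direct path between the enterprise zone and the control zone in either direction, and no connection initiated into the control zone from outside it, so control-system data leaves only through a host the control zone itself pushes to (a DMZ relay or historian). The three zones, their address ranges, the hosts and the rules are all constructed for the example and stand in for whatever a real site’s address plan looks like.

```python
"""Audit zone-to-zone firewall rules for a segmented control network.

Added example (not the blog's own code). The zone plan, hosts and rules
below are constructed for illustration; the two checks encode a simple
policy: enterprise and control zones never talk directly, and nothing
initiates a connection into the control zone.
"""
from dataclasses import dataclass
import ipaddress

# Constructed address plan for three security zones.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One stateful allow/deny rule: src initiates a connection to dst:port."""
    src: str            # CIDR or single host address
    dst: str
    port: int
    proto: str = "tcp"
    action: str = "allow"


def zone_of(addr: str) -> str:
    """Map an address or CIDR to the zone that contains it, or 'unknown'."""
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def audit(rules):
    """Return (rule, reason) pairs for allow-rules that violate the policy."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue  # deny rules cannot open a path; skip them
        src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
        if {src_zone, dst_zone} == {"enterprise", "control"}:
            findings.append((rule, "direct enterprise<->control path"))
        elif dst_zone == "control":
            findings.append(
                (rule, f"inbound connection into control zone from {src_zone}"))
        elif src_zone == "unknown" or dst_zone == "unknown":
            findings.append((rule, "rule references an address outside the zone plan"))
    return findings


# Constructed sample ruleset: two acceptable flows, two violations, one deny.
SAMPLE_RULES = [
    Rule("192.168.10.20", "10.1.0.5", 443),      # historian pushes to DMZ relay: ok
    Rule("10.0.0.0/16", "10.1.0.5", 443),        # enterprise reads the DMZ relay: ok
    Rule("10.0.5.7", "192.168.10.0/24", 3389),   # engineer RDP straight into control
    Rule("10.1.0.5", "192.168.10.20", 502),      # DMZ host polling into control zone
    Rule("0.0.0.0/0", "192.168.10.0/24", 0, action="deny"),  # default deny
]


def sample_findings():
    """Run the audit on the constructed ruleset and flatten the result."""
    return [(r.src, r.dst, reason) for r, reason in audit(SAMPLE_RULES)]


if __name__ == "__main__":
    for src, dst, reason in sample_findings():
        print(f"VIOLATION {src} -> {dst}: {reason}")
```

Running it reports the two rules that let a connection be opened into the control zone; the historian-to-relay and enterprise-to-relay rules pass because the relay in the DMZ is the only place the two sides meet. A real ruleset would have many more rules and zones, but the same check, applied before a rule is deployed, is what makes “reduce what flows between zones” enforceable rather than aspirational.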
Cyber Cold War Predictions
2010-11-29