What Stuxnet Means for Small Business
When the cyberweapon hit, it rocked the computer industry and aftershocks rattled brains in cybersecurity centers around the world. This is no plot line from a science fiction novel, someone really did design and build a groundbreaking computer program — a cybermissile. Called Stuxnet, it was designed to hunt and destroy a specific industrial process, maybe even blow something up.
Identity theft, viruses, Trojan horses, and denial of service attacks are no longer the only weapons in the cyberwarriors' (or cyberterrorists') bag of tricks. With the deployment of Stuxnet, weapons that can jump the gap from the cyber world to the real world to do physical damage are a reality, not just speculation. The genie is out of the bottle.
What does all this have to do with small business? Like an earthquake, no one can say for sure when another will hit, where it will happen, and how serious it will be — but we know it will happen again. When a disaster occurs, your business may be caught in the middle even if it wasn't the target. You need to plan for it now, not try to figure out what to do when the catastrophe occurs.
The Stuxnet worm relies on forged security certificates that had to be physically stolen. It uses extensive sophisticated code that exploits five different vulnerabilities in the Windows operating system. The program and "payload" spreads four ways including thumb drives targeting systems that aren't hooked to communications lines for security reasons. It looks specifically for process controllers built by Siemens used to tell industrial devices what to do: squirt more oil, spin faster, turn up the heat, increase pressure, vibrate more. All of which suggests that it wasn't a weekend effort by a couple of bored, but misdirected, smart kids out to vandalize a factory.
The code has been picked apart, but who did it and exactly what the target was isn't clear, although Iran is the only Siemens customer that has claimed damage. There are actually more infected PCs (if not process controllers) in China. Stuxnet doesn't harm PCs anyway, except to take up a little space and use a little bandwidth to phone home before it deletes itself if the computer it's found its way onto isn't the intended target.
India or Pakistan, apparent victims of collateral damage (if mere infection counts), might actually have been a target with the Iranian computers used to deflect attention. The not-so-subtle references in the code to dates or symbols that could point to Israel are probably just misinformation intended to deflect suspicion, too. While Israel and the U.S. have reason not to want a nuclear-capable Iran, Russia has inscrutable interest in the whole affair beyond their role as architects and contractors of the Natanz nuclear enrichment facility and the Bushehr nuclear power plant.
Tempest in a teapot? Not by a long shot. Network and control systems are often under attack from foreign nation-states. Worldwide, hackers have managed to break into, control, and steal large amounts of data from non-profits, government agencies, and companies large and small. This, however, is a significant escalation.
The threat doesn't always come from overseas, either. A year ago Mario Azer, an IT consultant for Pacific Energy Resources in Long Beach, California pled guilty after tampering with industrial control process software in the company's offshore derricks. Can you spell BP?
In fact, oil and gas companies report the highest rate of cyberattacks. A recent report prepared by the Center for Strategic and International Studies (CSIS) for security firm MacAfee quotes Michael Assante, chief security officer of the North American Electric Reliability Corporation: "There are absolutely foreign entities that would definitely conduct [cyber] reconnaissance of our power infrastructure. They would be looking to learn, preposition themselves to get a foothold and try to maintain sustained access to computer networks."
20 percent of critical infrastructure organizations report that they've been the victims of extortion through cyber-attack threats. According to the FBI, Marathon Oil, ExxonMobil, and ConocoPhillips were each attacked by a major foreign intelligence agency (China). Attackers took control of major portions of the companies' networks to siphon off information, emails, passwords, messages, plus proprietary exploration and discovery information that cost hundreds of millions of dollars to develop.
Besides the potential loss of proprietary information at the corporate level, and lost competitiveness at the national level, cybercrime in general and Stuxnet in specific presents clear financial threats to you and your business.
Your PC, infected by an innocuous Adobe or Microsoft email attachment carrying pretty pictures, may contain a piece of code that sits quietly waiting for you to log on to a bank. Then it adds fields to the web page for you fill in, asking for credit card numbers, ATM PINs, or authentication codes.
Old versions, such as Torpig, had configuration files for hundreds of banks so they could mimic the bank website's look and feel, and new Silentbanker malware actually changes information you enter so money is transferred to the thieves while you, say, pay bills online.
Another family of programs is even smart enough to check account limits and stay below the radar. Worse, a new family of general-purpose rip-off programs are available for sale on underground sites that allow users to participate in processes they can tailor to their specific nefarious needs.
Stuxnet's effect will be longer term, and broader based. According to Langner Communications GmbH, the first to analyze the Stuxnet code:
"Stuxnet will live on, it will be the zombie of our nightmares for those who are responsible for industrial control systems that run something of any value. Stuxnet shows everybody who is interested HOW to manipulate process control on the PLC level (that's where all the drives, valves, pumps, sensors etc. are electrically connected)…
That's the real threat Stuxnet poses for all of us. It provides a blueprint for aggressive attacks on control systems that can be applied generically. Depending on where you live, such very same control systems may control the power plant that provides your electricity, the water utility that provides your water, the factory where you work in, and the traffic lights you see on your way home. The technology for how to manipulate all such systems is now on the street, and don't be so naive to assume that nobody would take advantage of it."
So what can you do as a business owner or concerned consumer?
You have to become fanatical about assessing the value of your information, and then keep an eye on it. The more valuable the information you have, the more effort and money bad guys will be willing to invest to get it — and the more zealous you should be protecting it.
Make cybersecurity part of your corporate culture, not just something you bring up occasionally in staff meetings. Make sure you have ways to detect intruders and to slam cyber doors to cut off access to important data if problems are detected.
Cybersecurity strategist Steve Hunt, whose father and grandfather were locksmiths, told me in an interview that what they taught him is still true: You need to slow intruders down and make them noticeable. The problem, he says, is most companies consider security an extra layer of cost and inconvenience. Most security expenditures are not made to protect against cyber threats or vulnerabilities, and almost none is spent on assessment.
For individuals, financial information is probably the most valuable you have. Account numbers and PINs are more valuable than the fact that you paid $3.65 for a latte. For retail businesses, customer information, especially credit card data, is often the most valuable information they handle, but high-tech companies will have valuable proprietary information that has to be protected.
Even seemingly unimportant information can be valuable to some people, however. Yesterday, for example, an email from Facebook said my sister had posted something on my 'wall' and offered a link to see it. Fortunately, when the webpage appeared I noticed the URL was http://lolvideos-a58.kor.st/ even though the page looked like the Facebook login page. A WHOIS search showed the site was registered in the Bahamas and was running on computers in Sweden. Not Facebook, it was a phishing site. (Today, the site has a DMCA takedown notice on it...in Korean).
Once you've identified what information is valuable, do more than just turn on your firewall or run anti-virus software. Watch network activity, especially what's going out. On a Mac, use programs such as the built-in Activity Monitor (free), Wireshark (free) or Little Snitch 2 ($30). If you have a PC, use the built-in Windows NETSTAT program (free) or Wireshark (free). You need to know what information on your systems is being accessed and by whom, and where it's going. The more valuable the information, the more closely you want to watch it.
Finally, make sure you have some kind of third-party assessment to assure yourself, your Board, and your investors that the security systems are doing what they are supposed to do.
If you run a small business, watching network traffic yourself may be all you need, along with vigilance when you use the web. However, large firms, and companies working with proprietary information may want to consider tiger team penetration exercises or scenario-based assessment approaches, such as Redwolf.
Let's be careful out there.