Shadows of Stuxnet: Recommendations for U.S. Policy on Critical Infrastructure Cyber Defense Derived from The Stuxnet Attack

Ronald Lendvay



Cyber security for critical infrastructures (CIs) ranks among the highest United States (U.S.) national security priorities. The national well-being and the fabric of Americans’ daily lives rely upon the security and resiliency of CIs. The Department of Homeland Security (DHS) refers to CI as the “backbone of our nation’s economy, security and health.”[1] While Americans may not think about it, they unknowingly interact with CI in their daily lives through the electricity used and the clean water consumed. Computerized CIs also affect everyone’s daily lives by managing the transportation systems used for personal or business travel and the communications systems utilized to stay connected with friends, family, and coworkers.[2] Interruptions to these or other critical services, such as delivering public safety and national defense, could be disruptive or devastating for this nation’s well-being and security. The CI systems and facilities that provide these foundational services have become increasingly computer reliant and networked. Computerized components, called industrial control systems (ICS), measure and control many of the industrial or mechanical processes needed to produce the desired outputs of U.S. CIs.

This thesis identifies the pivotal areas of U.S. CI cyber security policy that could be enhanced to provide the most effective overarching solutions to the current vulnerabilities highlighted by the Stuxnet attack on Iran’s Natanz uranium enrichment facility. The Stuxnet attack is the first publicly known use of a cyber-weapon to destroy the CI of another country, accomplishing with computer programming what used to be possible only through bombing or traditional sabotage.[3] It provides a blueprint for how to conduct a specifically targeted cyber attack on the computer systems of a high-security, government-controlled CI target.[4] More specifically, it shows potential cyber adversaries how to inject malicious code into real-time ICS controllers.[5]

Three crucial points of failure contributed to the vulnerability that allowed Stuxnet to infiltrate, thrive within, and destroy centrifuges at Natanz. The first point of failure at Natanz, leading to the Stuxnet infection, was the insider threat of system access at the facility. Stuxnet was engineered to be hand carried into the Natanz plant to infect the computer network. The second point of failure at Natanz was the successful spread of Stuxnet through the air-gapped network to the programmable logic controllers (PLC), which controlled the precise spinning speed needed for proper centrifuge operations. These first two points of failure fall underneath the third point of failure, which was a deficiency in cyber security policy. Although the Iranian government will not publicly share its Natanz policy portfolio, a deficiency occurred in either establishing or following appropriate security protocols that led to the system access and system security breakdowns noted as the first two points of failure.

Three key areas where policy enhancement could bolster U.S. national CI and ICS defenses have been identified as: enhancing national unity of effort, expansion of the coordination of effort between the private and government sectors, and incentivizing private sector compliance with best practices in cyber security.

Three corresponding policy recommendations derived from these key areas for enhancement include:

  • The creation of a new federal Department of Cyber Affairs, led by a presidential cabinet level Secretary of Cyber Affairs, and the subsequent assignment to the department of developing a unified cyber security policy for the United States.
  • The consolidation of U.S. government cyber security expertise and assets for a more focused approach toward unified cyber defense for U.S. CIs.
  • The development of a voluntary business cyber security certification program that allows businesses exhibiting cyber security best practices to be recognized in the marketplace for their commitment by customers, investors and partners similar to the United Kingdom’s (U.K.’s) “Cyber Essentials” program.

These recommendations would most effectively be implemented together as programs managed under a new federal Department of Cyber Affairs. The second two recommendations could also potentially be implemented independently and managed by separate government entities, which could be assigned responsibility for the separate recommendations. The disadvantage to that approach would be the continued fragmentation of cyber security responsibility among stakeholders within the United States when unity of effort should be the key to this diverse landscape of military, government, business and private sector owners of U.S. CI.

[1] “What Is Critical Infrastructure,” last modified October 24, 2013,

[2] Ibid.

[3] David Sanger, “Obama Order Sped Up Wave of Cyberattacks Against Iran,” The New York Times, May 31, 2012,

[4] Stamatis Karnouskos, “Stuxnet Worm Impact on Industrial Cyber-Physical System Security,” paper presented at the 37th Annual Conference of the IEEE Industrial Electronics Society (IECON 2011), Melbourne, Australia, November 7–10, 2011, http://papers.duckdns.org/files/2011_IECON_stuxnet.pdf.

[5] Ralph Langner, “To Kill a Centrifuge,” The Langner Group, November 2013, 19, http://www.
