The mysterious computer worm known as Stuxnet has gained more than a little notoriety since it was discovered in the summer of 2010. It wreaked havoc on Iran’s nuclear program. It stirred suspicions that it had been unleashed by the Israelis, the Americans or both. And, last but hardly least, it heightened long-standing concerns about the potential for a cyber attack on critical infrastructure in the West.
In the case of Iran, Stuxnet worked its way into an industrial control system by rather insidious means -- identifying the centrifuges used to enrich uranium and causing them to spin so rapidly that they began to break. But experts have said that the worm could just as easily serve as a blueprint to sabotage machines that are critical to power plants, electrical grids and other utilities in the United States and elsewhere.
Ralph Langner, a German cyber expert, was among the first to analyze Stuxnet and identify its ability to target control systems. Langner, who is in Washington this week for a handful of events, including one Tuesday at the Brookings Institution, took some time to talk about the aftermath of Stuxnet.
He remains as concerned as ever that infrastructure in the United States, Europe and elsewhere is vulnerable to cyber attack. And he says it’s not going to take a sophisticated attacker or the resources of a nation-state to launch a strike that could have major economic and national security consequences. Excerpts of the interview are below.
Checkpoint: It’s been a little more than a year since the discovery of Stuxnet. At the time of its discovery, experts said that the worm in many ways opened up a Pandora’s box – that it could be used to develop other cyber attacks. Here we are a little more than a year later, and we haven’t really seen a major attack, at least not in quite the same way. Why do you think we haven’t seen one yet?
Langner: I think, in a way, it is probably the wrong question. Let’s step back in history to Sept. 11, 2001. Let’s assume that somebody, a year later, said: “Well, you know what, nothing has happened so far. Do we really have to implement these hardened cockpit doors on all these airplanes?” Certainly, you’ve got to do this because the vulnerability is there. You don’t want to wait until some attacker actually figures it out.
The projection that I and others made after the discovery of Stuxnet was that, worst case, you would see copycat attacks within three months. Now, fortunately, this hasn’t happened. But something else did happen.
Just recently, a couple of weeks ago, a hacker released some very low-level exploit code. ... This is one of the things that I had predicted a year ago. Just by its media presence, Stuxnet and attacks against control systems will become irresistible for the hacker community. This is one thing that we have seen and that we will continue to see – these folks just out of curiosity and in the interest of getting media exposure, start playing around and [find] vulnerabilities. And as soon as they release exploit code in the wild, we are going to have problems.
Checkpoint: Is the story of Stuxnet over, or is it still being written?
Langner: Any rumor that Stuxnet could morph into different versions, hit different targets is, in a technical way, not valid. This cannot happen, this will not happen. Unless the technicians in Iran are completely incompetent, at this point they should have gotten rid of the virus, and they should be back on track.
Langner: The bigger problem that we have with Stuxnet is not the virus itself – it is that various exploits used in Stuxnet can be copied and can be used against targets .... These systems remain vulnerable. These systems can not only be found somewhere in Iran – they can also be found, for example, in U.S. power plants, chemical facilities, in production facilities for food and beverages, et cetera.
Checkpoint: Are there areas of U.S. infrastructure that you see as particularly vulnerable to cyber attack?
Langner: Well, I would say almost all areas of critical infrastructure are vulnerable to cyber attack – not only in the United States but also in Europe, for example. Unfortunately, we have been discussing critical infrastructure protection against cyber attack for over a decade now and we haven’t made any significant progress.
Checkpoint: Why do you think that is?
Langner: Just out of complacency. You could say, we need another cyber attack for people to actually wake up. For a security expert like me, this is just nuts. This drives me crazy – that people are actually waiting for something to happen rather than working on the existing and proven vulnerabilities.
We don’t want to just sit and wait until someone exploits your existing vulnerabilities.
Checkpoint: Do you think the next major cyber threat is likely to come from a nation-state, or is it more likely to come from individual actors?
Langner: Unfortunately, we are seeing threats from all directions. After Stuxnet, it extends throughout the spectrum, from nation-states down to the average hacker. These vulnerabilities that I have been talking about, they are not that difficult to exploit. What we have seen in Stuxnet is unique in many ways because the attackers took very great care to limit collateral damage and to limit detection and to carry out the attack in a way that is very stealthy – that can progress over a time frame of several years.
It doesn’t have to be the same way for the next attack. Your next attacker ... could have completely different plans and say: “We are not interested in a stealthy attack. We are just interested in a big smash,” and just produce as much damage as possible all at once. Such an attack would be considerably different. Again, they won’t need the resources of a nation-state in order to attack, for example, critical infrastructure.
Checkpoint: What do you mean when you say the attack wouldn’t require the same kind of resources?
Langner: What we have seen in Stuxnet is that the attackers had full insider knowledge about the attacked facility – so they had a full understanding of the automation systems there, of the machinery, of the piping, of the valves, of the pumps, of everything. And most people are under the assumption that you would need this full level of insider understanding to pull off a cyber attack against what we call nowadays cyber-physical systems. But this is just not true.
You can pull off a cyber strike against such systems without any insider knowledge at all – something like what you would call a denial-of-service attack in the IT industry. You just make sure that one machine or conveyor belt or whatever stops working. It’s not that difficult to try to achieve a little bit of material damage on top – all without any insider knowledge.
Most people overestimate the level of technical skills required for such an attack. Some of the attacks that we have seen in Stuxnet can be automated. You don’t need an experienced engineer to do something similar. You don’t need a genius in control systems or in hacking. You just need to copy the design. You can automate this in what we call an exploit tool or penetration testing framework ... Any idiot, any stupid hacker, can use such a tool and configure and administer a sophisticated cyber attack just by using his mouse. This is going to happen at some point in time.
Checkpoint: What is the appropriate response at this point? Is it simply a policy solution? Is it about more resources?
Langner: The most important thing is to finally do what we have been talking about for a decade – critical infrastructure protection. All of the concepts are there ... the methodology is there, the willingness to do something is there.... It only needs to be done. What we see as the major factor here is a very high degree of complacency by vendors, by contractors to finally do something about the problem.
As we discussed earlier, it’s probably out of a feeling that: “Well, why should we invest time and money here? Nothing has happened so far. We are not in the uranium enrichment business, so we don’t need to worry about Stuxnet anymore, and since Stuxnet, nothing has happened.”
We’ve really got to change this behavior and this complacency. That would be the most important thing to do in my opinion.