
Guestpost — The Weakest Link (I)

The state of cybersecurity and governmental response.

After Stuxnet and a series of high-profile attacks against government and corporate cyber infrastructure this past year, it is clear that a new age of warfare is here, one in which state and non-state actors increasingly use cyberspace to attack their adversaries. These actions should remind us of the inextricable link between cybersecurity and national security. Recently, the U.S. Department of Defense stated in a press release that cyberattacks constitute an “act of war” if they originate from a foreign country, and that such acts of war could be answered with conventional military force.

However, given the increase in the frequency and sophistication of cyberattacks, and the proliferation of technology in India, there is little indication that the Government of India truly understands the nature of the warfare now being waged against states. Indeed, while the Government of India recently released a draft cybersecurity policy, that draft is effectively a policy orphan, as India does not have a national security policy. Cybersecurity is a subset of national security; the former cannot meaningfully exist without the latter.

Takshashila Institution’s Srikanth R., Senior Research Associate for Cyber Strategy Studies, writes in a two-part series on The Filter Coffee about the nature of the threat and the actions India and other governments must take to prevent attacks or effectively mitigate damage.


After last year’s Stuxnet attack on Iran’s facilities, it was revealed recently that the attack was the result of efforts by the governments of the US and Israel. In March 2011, an “independent Iranian hacker” took credit for hacking into RSA Corporation’s master “token seed” database for one of its flagship products, ostensibly in retaliation for the Stuxnet attack. The data stolen from RSA was later used to attack other major US corporations, raising fears of escalating attacks on critical US infrastructure.

In response, the Pentagon released an official statement that “cyberattacks can count as acts of war if it originates from a foreign country,” most likely directed at the state that hacked into RSA’s databases. However, this did not deter a cyberattack on defense contractor Lockheed Martin on June 2. Lockheed revealed that information stolen from RSA was used to attack its network. RSA’s official response ambiguously emphasized that “the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology”. Given that the RSA database was stolen on March 17th, this attack would by definition be categorized as a “known” threat, and thus not a “new threat”.

While this may appear to be just another database that was hacked into, it has serious implications for all of RSA’s customers, which include companies such as Comodo that provide authentication certificates for users to interact with corporations such as Google, Yahoo, Skype, Mozilla, etc. Customers of RSA such as Comodo depend on the robustness of RSA’s services to guarantee the integrity of the authenticated SSL certificates issued to Comodo’s own customers. In fact, all of the above customers that depend on RSA’s security platform were breached in the weeks after the loss of RSA’s data.

Token-based authentication is a common and popular scheme that lets a user access specific resources on a site by interacting with an authentication server. The authentication server grants temporary access to a set of resources or capabilities, based on the user’s name and password, by generating a “token” that allows the user temporary access to specific resources on the web; companies like RSA base their products on “seeds” from which an unlimited number of secure tokens can be generated. Secure tokens are required by any organization that needs to provide secure access to databases on its servers or secure access to its VPN.

The most serious implication of a stolen master database of token seeds is that the stolen information can be used to create “cloned” tokens, which intruders can misuse to attack, for example, a VPN that is vulnerable to such attacks. On May 29, Reuters reported that a defense company had acknowledged detecting a “tenacious cyberattack,” which was eventually thwarted.
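The two paragraphs above describe why a token seed is the whole secret: anyone holding a copy of the seed record computes exactly the codes the genuine token computes. The following added example (written for this page, not code from the post or from RSA) makes that concrete with the public HOTP construction from RFC 4226, which stands in for RSA’s proprietary SecurID algorithm that the post does not describe. The `TokenVerifier` class, the seed values and the `seed_compromise_walkthrough` function are constructed for illustration. It shows three things a defender cares about: the server accepts a code computed from a copied seed and has no way to tell it from the genuine device, a code that has already been used is rejected (so replay of an observed code fails), and once the seed is replaced the copy is useless, which is why re-seeding is the remedy after a seed leak.

```python
import hashlib
import hmac


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the token code is a truncated HMAC-SHA1 over the counter."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Hypothetical server-side record for one user's token: the seed plus the
    highest counter accepted so far (constructed for this example)."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.look_ahead = look_ahead          # tolerate a few unused presses
        self.last_counter = -1                # nothing accepted yet

    def verify(self, code: str) -> bool:
        # Only counters strictly above the last accepted one are tried, so a
        # code that was already consumed never matches again (replay defence).
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False

    def reseed(self, new_seed: bytes) -> None:
        """Replace the seed; the only remedy once the old seed may have leaked."""
        self.seed = new_seed
        self.last_counter = -1


def seed_compromise_walkthrough() -> dict:
    """Walk through genuine use, replay, a seed copy, and re-seeding."""
    # Constructed: the RFC 4226 test secret, not any real seed record.
    seed = b"12345678901234567890"
    server = TokenVerifier(seed)
    results = {}

    # Genuine device presents its first code.
    results["genuine_accepted"] = server.verify(hotp(seed, 0))
    # The same code presented again (e.g. observed on the wire) is refused.
    results["replay_rejected"] = not server.verify(hotp(seed, 0))
    # A device built from a copied seed record yields the identical next code;
    # nothing in the code itself lets the server distinguish it.
    results["copy_accepted"] = server.verify(hotp(seed, 1))

    # Remediation: issue a fresh seed (constructed value) and re-enrol the user.
    replacement = b"constructed-replacement-seed"
    server.reseed(replacement)
    results["copy_after_reseed_rejected"] = not server.verify(hotp(seed, 2))
    results["genuine_after_reseed_accepted"] = server.verify(hotp(replacement, 0))
    return results


if __name__ == "__main__":
    for name, outcome in seed_compromise_walkthrough().items():
        print(f"{name}: {outcome}")
```

Because the server cannot distinguish a copied seed from the genuine one, deployments pair the token code with a PIN known only to the user and keep seed records offline (the precautions the post lists below); the walkthrough shows that the look-ahead window is what stops replay, not the secrecy of the code itself.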

It should be noted that RSA had taken measures for the physical safety of its data, such as “(a) keeping the token records containing the token seed values (secret keys) offline; (b) hardening the SecurID server’s operating system; (c) strictly limiting administrative access to it per RSA’s guidance, and (d) monitoring the SecurID server for signs of fraud and abuse. We felt that the residual risk to our customers as a result of these measures was fairly low.” However, these precautions were insufficient to thwart RSA-type attacks, also known as Advanced Persistent Threats (APT).

Advanced Persistent Threat (APT) attacks begin with the intruder gaining entry into a network and then remaining hidden for a long period of time, actively collecting information but stashing everything stolen on a machine inside the network before shipping all of it out at the very end. APTs gain entry by exploiting zero-day vulnerabilities or by fooling known users of the network into parting with the information needed to enter the secured network.

Once inside a secure network, this malicious entity hides within the organization’s network, silently collecting information for days or even years before abruptly leaving with all the stolen information. Given that there are no solutions to prevent zero-day attacks, it is not possible to thwart APT attacks outright. However, network monitoring tools may be of limited use in filtering for off-hours activity not initiated by a known user of the network — this is not sufficient to thwart APT attacks, but it can at least detect a malicious presence in the network sooner rather than later.
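The paragraph above suggests filtering for off-hours activity by accounts that are not known users. The following added example (not from the post) shows what such a filter looks like in practice, run over a handful of constructed log lines. The log format, the account names, the 08:00 to 18:00 weekday business window, the `svc_backup` service account that is expected to run at night, and the 100 MiB bulk-transfer threshold are all assumptions made for the example. Three rules are evaluated independently: a login by an account the organisation never issued, a login outside business hours by an account not cleared for it, and a large outbound transfer outside business hours (the “shipping it all out at the end” stage the previous paragraphs describe).

```python
from datetime import datetime

# Constructed sample log (not from the post): "<ISO timestamp> key=value ...",
# using private and documentation address ranges only.
SAMPLE_LOG = """\
2011-03-17T09:12:03 event=vpn_login user=asharma src=10.20.1.15 result=success
2011-03-17T12:40:51 event=file_transfer user=asharma dst=203.0.113.7 bytes=20480
2011-03-18T02:14:09 event=vpn_login user=asharma src=198.51.100.22 result=success
2011-03-18T02:20:33 event=file_transfer user=asharma dst=198.51.100.22 bytes=734003200
2011-03-18T03:05:17 event=vpn_login user=svc_backup src=10.20.1.40 result=success
2011-03-18T03:41:44 event=vpn_login user=zz_tmp src=198.51.100.22 result=success
"""

KNOWN_USERS = {"asharma", "svc_backup"}      # accounts the organisation has issued (assumed)
OFF_HOURS_ALLOWED = {"svc_backup"}           # service accounts expected to run at night (assumed)
BUSINESS_HOURS = range(8, 18)                # 08:00-17:59, Monday to Friday (assumed)
BULK_TRANSFER_BYTES = 100 * 1024 * 1024      # 100 MiB threshold chosen for this example


def parse_line(line: str) -> dict:
    """Split one log line into its timestamp and key=value fields."""
    stamp, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.fromisoformat(stamp)
    return fields


def is_off_hours(when: datetime) -> bool:
    """Weekend, or a weekday hour outside the business window."""
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def scan(log_text: str) -> list:
    """Return one alert per rule that fires, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, when = ev.get("user"), ev["time"]
        stamp = when.isoformat()
        off_hours = is_off_hours(when)

        if user not in KNOWN_USERS:
            alerts.append({"rule": "unknown-user", "user": user, "time": stamp})
        if ev["event"] == "vpn_login" and off_hours and user not in OFF_HOURS_ALLOWED:
            alerts.append({"rule": "off-hours-login", "user": user, "time": stamp})
        if (ev["event"] == "file_transfer" and off_hours
                and int(ev.get("bytes", 0)) >= BULK_TRANSFER_BYTES):
            alerts.append({"rule": "off-hours-bulk-transfer", "user": user, "time": stamp})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the daytime activity on the 17th produces nothing, the nightly `svc_backup` login is suppressed by the allow list, and the remaining lines raise four alerts: the 02:14 login by a known user, the 700 MB transfer that follows it, and the unknown `zz_tmp` account, which trips both the unknown-user and the off-hours rule. The allow list is the part that needs maintenance; an off-hours rule without it drowns in scheduled jobs, which is the “limited use” caveat in the paragraph above.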


In Part II, Srikanth will discuss what India and other governments must do to effectively prevent exploitation of these security vulnerabilities, or mitigate damage, if they are indeed exploited.


Guestpost: Stuxnet and India

[This is a guest blogpost by Srikanth R., Senior Research Associate at the Takshashila Institution. In this blogpost, Srikanth provides context to the Stuxnet Trojan and highlights preventive measures India can take to minimize collateral damage.]

News on the impact of what has come to be known as the Stuxnet Trojan on Iran’s nuclear facilities at Natanz and Bushehr has generated a considerable amount of media and academic interest on its origins.  In a briefing to the U.S. Senate Homeland Security and Governmental Affairs Committee, Sean McGurk, director of Homeland Security’s national cybersecurity operations center, described Stuxnet as a “game changer.”

According to the Siemens product support site, Stuxnet affects Microsoft Windows PCs with WinCC and PCS 7. The malware spreads via mobile data carriers, for example USB sticks, and networks. The Trojan is activated solely by viewing the contents of the USB stick. The website also suggests that Stuxnet was not developed by a lone hacker but is “the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge”, and that “This means that the malware is able, under certain boundary conditions, to influence the processing of operations in the control system.”

There is a procedure to clean a system infected with Stuxnet, but the Trojan can be reactivated by plugging in an infected USB device, and cleaning a network of infected machines cannot be done without disrupting all activity and shutting down the entire network. As explained on the support website:

It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications. [Siemens]

Indeed, Iran’s centrifuge program had to go through a shutdown and restart process to clean up its infected systems, delaying its schedule. The implications of the Trojan for India’s own nuclear program have thus far gone unreported. Since the Trojan’s target is system-specific (WinCC and PCS 7), the impact is likely minimal unless India employs the same software to program its own centrifuges. However, it is still conceivable that similar SCADA systems are used in Indian industry for a variety of other purposes and could potentially be vulnerable to Stuxnet-like attacks in the future.

Given the inherent vulnerability of WinCC-based processes to such attacks, it is prudent to take precautions and design processes so that no unverified software can be loaded onto the system, either over the Internet or via USB memory sticks. Industries that are currently vulnerable to such attacks must consider moving to non-WinCC systems in the long run.

What Stuxnet tells us is that a malign organization or country can assemble a team of experts to create Stuxnet-like Trojans targeting SCADA systems in India or elsewhere. While cybersecurity policy makers assess the long-term implications of Stuxnet-like Trojans, short-term precautionary measures are necessary to prevent further collateral damage. Sites operating such systems should segment their different SCADA systems into separate, isolated subnets so that infection of one system does not spread to others. Furthermore, it may be useful to institute security protocols that prevent USB devices from being plugged into any machine in the network. USB devices of unknown origin must be forbidden outright.

It is also advisable to move towards more secure Unix-based platforms for industrial control systems, where the security architecture is more robust than that of Windows-based SCADA systems. Windows-based systems are affected by about 2 million known malware samples, with Linux a distant second at 1,178 vulnerabilities.
