Tuesday, September 8, 2015

Stuxnet- Week Two

One of my favorite stories of cybersecurity gone wrong is the Stuxnet worm.  It's become the stuff of legend, and like a lot of legends, it has so many wild stories that it's hard to separate out what's true and what's fiction.

In early 2010, Iran is busy trying to enrich uranium for its nuclear facilities.  However, the centrifuges keep failing at an unusual rate and nobody can quite figure out why.  Meanwhile, a computer security firm in Belarus finds that computers are rebooting for no known reason.  After some research, they discover that it's a computer worm. If you think about computer worms as being similar to "The Very Hungry Caterpillar," you're probably not too far off track.  They work their way through programs, eat everything in sight, and use all their newfound bulk to change or reproduce.

Some of the legends about Stuxnet are that it got into the Iranian nuclear facilities via a USB drive, and that it caused physical damage to the centrifuges while telling the scientists that everything was running fine.  Phrased differently, legend says that some idiot plugged in a thumb drive he shouldn't have, which put the virus onto the computers; and that once it was on the computers, a computer version of Ocean's 11 was being pulled off, where things were blowing up in the lab while the scientists upstairs thought everything was running fine.  This is a great story; it's just not entirely accurate.

There is evidence that the suppliers of key components were hacked, rather than a USB drive being brought in.  I find this a much more likely scenario.  Say you want to break into the US government or a large, multinational corporation.  Those are big, difficult targets.  While it's hard to take them head-on, it's much easier to find a supplier that isn't doing things properly.  Attack the supplier, get access to the big target through them.

In addition, it's probably an overstatement to say that the Iranian scientists were completely unaware that there were problems.  As the article at Wired says, they noticed the centrifuges were failing at an unusual rate.  They just didn't know the cause of the failure.  That being said, the attack was unusual because it caused physical damage.  That's the part of Stuxnet that continues to fascinate me.  Most cyberattacks attack digital assets.  Those assets may have real-world counterparts, and the attacks may cause damages through the loss of value to the assets, but this is a computer worm that caused actual, physical damage.  When the centrifuges were told to spin at a different rate, they failed.  When the centrifuges fail, they cannot enrich uranium.  Without enriched uranium, the nuclear facilities were unable to function, and that set them back years (or decades).

Recently, there have been reports that Stuxnet (or something very similar) was attempted against North Korea.  The fact that Stuxnet is still making news in 2015 is astounding to me.  While it's been discussed regularly, people are still trying to piece together the details of what happened (and continues to happen), and separate the facts from the myth.  While the myth is great and I'd love to imagine a story that's fit for a Hollywood blockbuster, the truth appears to be less complicated.  A supplier was attacked and it caused major problems.  When phrased like that, it's not too far removed from any other cyberattack.

