Looking at the educational value of a famous cyber incident

In a recent discussion on SCADASEC one contributor spoke of the educational value of Stuxnet. Yes, there are several lessons that can be learned from an incident that was first made public in 2010. It has been well documented from a technical point of view, but perhaps some lessons can still be learned from an international security policy perspective.

In my opinion the main educational value of STUXNET was the knowledge that very professional and highly resourced APT teams were now targeting the engineering behind an industrial process: the very same technologies and processes used to support the modern economic activities and social well-being of societies, societies located in cities with large populations which are dependent on the availability of the services these technologies provide. The second important lesson was that the team “got away with it”, and this fact was likely noticed by other APT teams (perhaps the ones that hit the German steel mill and the regional power grid in Ukraine, to name just a few events) and by those that task them. The third important lesson, related to the second, was that this malicious activity was shown to be Effective, Cheap (for a Government) and Deniable. The fourth important lesson was that IT departments or national computer emergency response teams (CERTs) were not equipped to deal with this kind of threat due to poor knowledge of what goes on in OT. The fifth lesson is that the OT side needs to reach out to the IT side and vice versa. This need was recently demonstrated again in a report mentioned on SCADASEC of an IT team doing port scanning on a control network with substations at the other end.

The sixth lesson, which has yet to be learned, is that malicious cyber activity directed against the critical infrastructure of another state which results in kinetic damage or disruptions belongs to the same category as nuclear weapons testing, use of chemical weapons or other WMD. When this lesson is learned, the international community led by Governments (including those that seldom appear on the “usual list of suspects”) will agree on a code of behavior or convention similar to those established for nuclear and chemical misuse. This top-down approach will complement the bottom-up work of the engineers to make future Stuxnet-type ops (the ones that go after the critical engineering) more rare and less likely to cause extensive damage and perhaps loss of life.

Realize that I am repeating what I have been saying at conferences and in published articles for some years now. Perhaps it is my stubborn way to meet the stubbornness of those APTs out there. The effort seems worthwhile when considering that the stakes are much higher than addressing the challenges of a botnet or web defacement.

By the way, some hopeful news came out this week in this area from a corner one would not expect, Microsoft. See:

Microsoft president says the world needs a digital Geneva Convention
https://www.theregister.co.uk/2017/11/10/microsoft_president_calls_for_digital_geneva_convention/

“While there is life there is hope” – from the Hobbit, by Tolkien.

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the author’s and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. He has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and a member of ISA 99 Workgroup 14 on security profiles for substations.