Perhaps we are missing a lesson from Stuxnet?

This summer some of us noted the 10th anniversary of the discovery of Stuxnet. That is when it became known to the public. Since 2010 we have learned that earlier forms of Stuxnet were being developed and tested on the target several years earlier.[1] To commemorate this anniversary several articles and presentations have been published. One in particular drew my attention as it was from one of the key researchers on Stuxnet. This was a superb review of this event including new information which one would think was sufficient to close the page on Stuxnet’s history. However, in concluding, the researcher made a rather puzzling point of saying that since Stuxnet we have not seen any serious cyber-physical incidents, that is, incidents worthy of attracting the attention of experts. As someone who closely followed the events occurring in the cyberspace threat environment since Stuxnet, I found this conclusion unsettling. One wonders about the criteria used to make such a statement, for there were several noteworthy events in cyberspace that would seem to contradict such an assertion.

My first thought returned to Germany’s Federal IT Department’s 2014 report on cyber incidents.  A government officially reported on a cyber incident at an industrial plant where control systems were targeted resulting in physical damage to the plant.  The information provided was scant (perhaps to protect the victim’s identity) but the fact remains that a Government reported that a cyber-physical event did take place at an industrial site in Germany in 2014.  This was an advanced form of cyber-attack compared to the 2012 incident at energy company Saudi Aramco where the data on 30,000 hard drives was erased.  The office IT side of the company’s operations felt the blow but the industrial and control equipment in the oil fields and refineries were left alone.

In December 2015 and again in December 2016 parts of Ukraine’s electric grid were disrupted. In the first case intruders from cyberspace succeeded in taking over control of the links to substations and succeeded in opening breakers as surprised operators watched in amazement as someone clicked on the screens cutting the flow of power. Cyber means were used to open breakers. Sounds like it fits in as a cyber-physical attack to me. In the next incident a part of Ukraine’s capital, Kyiv, went dark. Later analysis showed that the attack was more sophisticated than the previous year’s. While the power disruption was more limited it was found that attempts were made to compromise the relays. The later attack also qualifies as cyber-physical because malware was used to disrupt supply of electricity (again the effect was physical). While this effect was not so dramatic as the earlier case, the fact that attempts were made to compromise the relays arguably raised the possibility of a more devastating cyber-physical attack. This is because relays are like safety systems for power grids. When the grid goes down and the operator tries to bring the power back on-line again the presence of the relays ensures that problems with the restart (also black start) procedure will not lead to physical damage of equipment. If the relays were compromised then the dangers of going to manual control and restarting the grid can increase dramatically. To me this represents a higher skill level and potential for greater damage to equipment.

In June of 2017, perhaps as a result of a spillover effect of the undeclared war between Russia and Ukraine, encryption malware spread throughout the world stopping industrial and manufacturing operations at several sites on different continents. Most notably Maersk shipping, one of the largest maritime operators in the world, suddenly lost its IT capabilities forcing nearly all of its port operations to suddenly halt. One can perhaps argue whether this was a cyber-physical attack or not. Industrial control systems did not suffer but the IT needed to run the cranes and container handling systems no longer worked. The result one can argue was physical and also cost the company over 300 million euros to restore operations.

Almost at the same time in 2017 a petrochemical plant in the Middle East experienced a plant shutdown. The cause was believed to be a problem with the Triconex safety instrumented systems (SIS) at the plant. The suspect controllers were sent to the manufacturer for testing. Nothing wrong was found and the controllers were returned to the operator with a clean bill of health. Then 2 months later the plant was unexpectedly shut down again. In this second occurrence more SIS controllers tripped. This time a cybersecurity investigation was conducted and only then was it determined that this was an intentional cyber-attack on the SIS of a petrochemical plant[2]. I argue that this incident can also be added to the list of cyber-physical incidents since Stuxnet. Yes, the shutdown may not have been the intention of the attackers but the fact that attempts were made to compromise the code of the controllers raises significant questions about the utility found in asserting that no real cyber-physical attacks occurred after Stuxnet. Not to mention that the cyber-attack did cause a physical effect: a petrochemical plant was shut down with all the associated costs in repair and restarting again to be incurred by the victim.[3]

I have worked in IT security and defense policy for nearly 30 years.  Some of the things we look for are demonstrations of capability, intention and ability to execute. In the cases noted above we see in addition to demonstrations of intention and capability, an increasing disregard for the consequences.  We also see some improvements in capability from experimentation (returning with more sophisticated attacks as in Ukraine) and shifting toward targets (relays in an electric grid and SIS) that can result in more serious physical outcomes in terms of lost lives, damaged property and harm to the environment.

In my opinion it is not safe to imply that because something has not happened in a long time it will not likely happen in the future. No one swimming near a beach where someone was hurt in a shark attack would buy that argument and I do not think it is an argument for security practitioners to ignore relevant threats from cyberspace. Yes, we should not make ourselves easy prey for a vendor’s sales pitch on a product guaranteed to solve our problem. Yes, we should not cry wolf for no good reason. However, we need to keep watch and be aware of what we need to protect and the evolving threats that can significantly undermine safety, reliability and performance of mission critical assets. Many of us can only be watchful based upon what is reported to the public. That is dangerous for we usually find that after the reporting of a major incident it is later revealed that the malicious activity has been active long before. We need to address this Cyberg[4] before it leads to something unexpected and unwanted. Let us not make the mistake of the Titanic’s captain and make light of the warnings. Instead let us stop and take a closer look at what is going on, take appropriate protective measures and continue being vigilant.

P.S. We are focusing a lot of effort and attention on the sexy topic of “attacks”.  I hope to address the topic of the non-malicious cyber incidents that can also result in loss of life, equipment and harm to the environment.


[1] See Kim Zetter’s excellent book “Countdown to Zero Day”

[2] For more firsthand information about these attacks watch Julian Gutmanis’s first responder presentation at S4: https://www.youtube.com/watch?v=XwSJ8hloGvY

[3] I have written about the significance and implications of cyber-attacks on SIS in this article: https://www.enseccoe.org/data/public/uploads/2018/10/v.butrimas-new-escalation-of-cyber-threats-to-critical-energy-infrastructure.pdf

[4] See definition at http://www.cyberg.us/ I prefer the 4th meaning “A cyber-related condition whereby a threat, or warning of a possible threat, results in either the misinterpretation or misunderstanding of a given situation, resulting in a decision in which no corrective action is taken”

https://enseccoe.org/en

NOTE: The views expressed within this blog entry are the author’s and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. He has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is a member of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard and Workgroup 14 on security profiles for substations.
