So we aren't doomed, we should really protect against exploits

We’re all doomed, doooomed!

So, this post is a bit late. We know, so those of you making noise in the cheap seats at the back can sit down and zip it! We’ve been busy here at 23Squared for the last few weeks: lots of learning, lots of writing code and lots of praying for Summer. The smell of Summer in the air and the warmth of the midday sun on our backs has got us in the mood for being outside! We hope it’s got you going too. That’s our excuse for the late post; well, that’s the story we’re sticking to, M’lud.

‘The title?!’ We hear you ask. Are we all really doomed? Should we go out and buy all the spam and eggs we can get our hands on? No. No you shouldn’t. Mainly because that wouldn’t provide a nutritionally balanced diet come the apocalypse.

We were intending to write about some computer vision frameworks we’ve been looking into (http://docs.opencv.org/doc/tutorials/introduction/desktop_java/java_dev_intro.html), but we’ve also been reading a lot about Stuxnet and thought that this would feed nicely into the previous post.

For those of you who haven’t heard about it (most likely those of you in the cheap seats, at the back), Stuxnet was a worm that was released into the wild some time around 2009 / 2010. Cue faces dropping and tumbleweed. ‘Why are you writing about an internet worm?’ we hear you say, ‘the stuff of pedestrian computer use.’ Well, Stuxnet gained a lot of interest because of its target. Although it was discovered on computer systems worldwide, it was dormant on the vast majority of them. Stuxnet only became active on Windows machines that had Siemens Step 7 software installed, and even then it only delivered its payload when it found a specific PLC configuration. Step 7 is the software suite used to program and manage Siemens PLCs (programmable logic controllers), primarily in industrial control scenarios.

Stuxnet’s main aim was to destroy the centrifuges used in the uranium enrichment process, whether that enrichment is for reactor fuel or for nuclear weapons. The plot thickens. The worm used a collection of zero-day exploits (plus stolen code-signing certificates to look legitimate) to spread to and persist on host machines, then rewrote the logic on the PLCs controlling the centrifuge drive motors so that the motors ran at damaging speeds. All the while it masked this by replaying recorded readings from normal operation back to the monitoring systems, so the operators saw a plant that looked perfectly healthy. The upshot was that the enrichment cascades destroyed themselves.
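The masking trick described above, as an added example that is not Stuxnet’s code and not part of the original post: a constructed Python simulation of a centrifuge drive, a controller that reports its own readings to the monitoring screen (the HMI), and a masking controller that plays back recorded normal readings while pushing the drive out of its safe band. The frequencies, the safe band, the power ∝ frequency³ relation and the existence of an independent power meter are all assumptions made for the example. What it shows is that a monitor which only trusts the controller’s self-report never alarms, while a cross-check against an independent measurement catches the discrepancy on every cycle.

```python
"""Constructed simulation of status-masking on a drive controller.

Added example, not Stuxnet code and not part of the original post.
Assumptions: the nominal and attack frequencies, the safe band, the
power ~ frequency**3 relation and the independent power meter are all
invented for illustration.
"""

NOMINAL_HZ = 1064.0          # assumed normal drive frequency
SAFE_BAND = (900.0, 1200.0)  # assumed band the HMI alarms outside of
NOMINAL_KW = 5.0             # assumed power draw at nominal frequency


class Drive:
    """Physical drive: whatever frequency the PLC sets is the real frequency.
    power_kw() models a separate meter on the motor feed, using the rough
    fan-law approximation power ~ frequency**3 (an assumption)."""

    def __init__(self, hz=NOMINAL_HZ):
        self.hz = hz

    def set_frequency(self, hz):
        self.hz = hz

    def power_kw(self):
        return NOMINAL_KW * (self.hz / NOMINAL_HZ) ** 3


class HonestPLC:
    """Reports the drive's actual frequency every cycle."""

    def __init__(self, drive):
        self.drive = drive

    def step(self, t):
        return {"t": t, "hz": self.drive.hz}


class MaskingPLC:
    """Records `window` cycles of normal readings, then pushes the drive to
    attack_hz while replaying the recording to the HMI, so the reported
    frequency never leaves the safe band."""

    def __init__(self, drive, window=5, attack_hz=1410.0):
        self.drive = drive
        self.window = window
        self.attack_hz = attack_hz
        self.recorded = []

    def step(self, t):
        if len(self.recorded) < self.window:
            sample = {"t": t, "hz": self.drive.hz}
            self.recorded.append(sample)
            return sample
        self.drive.set_frequency(self.attack_hz)
        replayed = self.recorded[t % self.window]   # loop the recording
        return {"t": t, "hz": replayed["hz"]}


def hmi_alarm(sample):
    """The HMI's own check: trusts the PLC's report and alarms only if it
    falls outside the safe band."""
    lo, hi = SAFE_BAND
    return not (lo <= sample["hz"] <= hi)


def cross_check_alarm(sample, drive, tolerance=0.10):
    """Independent check: infer the frequency from the power meter and alarm
    if it disagrees with the PLC's report by more than `tolerance`."""
    implied_hz = NOMINAL_HZ * (drive.power_kw() / NOMINAL_KW) ** (1 / 3)
    return abs(implied_hz - sample["hz"]) / sample["hz"] > tolerance


def run(plc_cls, steps=12):
    """Run one controller for `steps` cycles and count the alarms each
    monitor would have raised."""
    drive = Drive()
    plc = plc_cls(drive)
    hmi_alarms = cross_alarms = 0
    for t in range(steps):
        sample = plc.step(t)
        hmi_alarms += int(hmi_alarm(sample))
        cross_alarms += int(cross_check_alarm(sample, drive))
    return {"final_hz": drive.hz, "hmi_alarms": hmi_alarms,
            "cross_alarms": cross_alarms}


if __name__ == "__main__":
    for cls in (HonestPLC, MaskingPLC):
        print(cls.__name__, run(cls))
```

With the masking controller the drive ends up at the attack frequency and the HMI raises no alarms at all, because everything it sees came from the recording; the power-meter cross-check alarms on every cycle after the recording window. The design point is the one the post makes about faked readings: a monitoring system that has only one source of truth, and that source is the thing being attacked, cannot tell the difference between a healthy plant and a well-hidden attack.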

This is just a quick summary of Stuxnet to bring you lovely readers up to speed; we don’t profess to know the exact details or execution of the attack. There’s lots of information around, including plenty of expert analysis that will provide every detail you ever wanted to know. Go have a look, as it’s a very interesting read.

The interesting questions raised by Stuxnet are the why, the who and the what else.

The Who & Why

There are plenty of firms around that will sell zero-day exploits to anyone who can pay. So who buys them? Rumour has it that Stuxnet was built and deployed by countries trying to inhibit the enrichment of uranium by other nations not deemed responsible enough to be doing such things. This changes things: previously worms and viruses were the domain of enthusiasts and, later, organised criminals. The implication that governments are using computer exploits as weapons changes the battlefield. Wars will no longer be fought only in the real world but in the digital world of the internet. Is this a bad thing? It’s hard to say. Fewer people will die as a direct result of war if there are no soldiers involved, but when the targets are the systems that keep a country running, will innocent bystanders become the victims?

The What Else

The fact that Stuxnet ended up on machines around the world virtually unchallenged raises questions about the protection implemented around industrial control systems. In the wake of Stuxnet it quickly became apparent that a huge number of these systems had little or no security at all: controllers that would accept commands from anything that could reach them, and monitoring systems that trusted whatever the controllers reported.

With more and more devices being connected to the internet so that they can be monitored remotely, there is an ever-increasing risk that these devices are exposed, without any security, to anyone who wants to access them. These systems range from water treatment plants to electricity substations. With the ability to remotely control such key pieces of infrastructure, attackers gain the ability to bring a country to its knees with only a few lines of well-placed code. Large-scale attacks on a city go from requiring large groups of people to needing just one or two; worse still, those people can be hired.

How Do We Get ‘un-doomed’?

Fortunately, the solution isn’t as tricky as it sounds. Security, security, security. The tech industry has been doing security for years and, on the whole, doing it pretty well. The difference is that other industries don’t take it as seriously; there security is, at best, an afterthought. This needs to change. All industries with internet-connected devices need to treat security as a core element of their system design: don’t put a controller directly on the internet, don’t let it accept commands from anything that can’t prove who it is, and don’t let the monitoring system rely on a single source of truth that it has no way to cross-check.

Hopefully other industries are beginning to take notice and we won’t all have to hide in our panic rooms for the next 50 years. Until next time viewers, you’ve been great and we’ve been…

~23Squared