2010 Cyber Storm III global cybersecurity exercise concludes on 10.01.10: All of this coincides with Mossad release of ‘Stuxnet Virus’

Source: Federal News Radio

In places like Arlington, Va.; Washington, D.C.; across the U.S. and around the world, a global cybersecurity exercise is underway designed to test the limits not only of the “network of networks,” but the ingenuity of the people charged with protecting it.

Welcome to Cyber Storm III.

This is the third time that the Department of Homeland Security, in conjunction with other federal agencies, is holding this global cybersecurity exercise. Previous Cyber Storm exercises were conducted in 2006, and again in 2008. For the first time, DHS will manage its response to Cyber Storm III from its new National Cybersecurity and Communications Integration Center.

Normally, this facility, located in a nondescript office building in Arlington, is classified and closed to the public. But the NCCIC recently opened its doors for an inside look to let DHS officials brief the media on Cyber Storm III, a worldwide cybersecurity response exercise that has been underway since late Monday.

Brett Lambo, the director of the Cybersecurity Exercise Program with DHS’s National Cybersecurity Division, is the architect, or game master, for this global cybersecurity exercise.

“The overarching philosophy,” he told reporters in a recent briefing at the NCCIC, “is that we want to come up with something that’s a core scenario, something that’s foundational to the operation of the Internet.”

Cyber Storm III includes many players in places across the U.S. and around the world:

* Seven federal departments: Homeland Security, Defense, Commerce, Energy, Justice, Treasury and Transportation.
* Eleven states: California, Delaware, Illinois, Iowa, Michigan, Minnesota, North Carolina, New York, Pennsylvania, Texas, Washington, plus the Multi-State Information Sharing and Analysis Center (ISAC). This compares with nine states that participated in Cyber Storm II.
* Twelve international partners: Australia, Canada, France, Germany, Hungary, Japan, Italy, the Netherlands, New Zealand, Sweden, Switzerland, and the United Kingdom (up from four countries that participated in Cyber Storm II).

DHS officials also say 60 private sector companies will participate in Cyber Storm III, up from 40 who participated in Cyber Storm II. Firms include banking and finance, chemical, communications, defense industrial, information technology, nuclear, transportation and water.

Lambo said that, to preserve the exercise’s value as a vigorous test of cybersecurity preparedness, the exact details of the scenario that participants will deal with over the next three days are secret. However, he did share some of the broad parameters of the scenario he helped write, and which he will administer.

“In other exercises, you do have specific attack vectors; you have a denial of service attack, you have a website defacement, or you have somebody dropping a rootkit,” he said. “But we wanted to take that up a level to say, ‘All of those things can still happen, and based on what you do, if you’re concerned about the availability of infrastructure, we can look at what happens when the infrastructure is unavailable.’”

Lambo said another way to look at the scenario is that it builds upon what they learned from previous exercises.

“In Cyber Storm I, we attacked the Internet, in Cyber Storm II, we used the Internet as the weapon, in Cyber Storm III, we’re using the Internet to attack itself,” he said.

Lambo added that, under normal circumstances, the Internet operates on the trust that a file, a graphic, or a computer script is what it says it is and comes from a trusted source. But what if that source was not what it said it was, or the source has a malicious intent?

“What we’re trying to do is compromise that chain of trust,” he said, explaining the Cyber Storm III exercise scenario in broad strokes.

Lambo and his colleagues at the Cyber Storm control center also will introduce new, and hopefully unexpected conditions to the scenario to further test participants.

“We have the ability to do what we call dynamic play,” he said. “If we get a player action coming back into the exercise that is either different from what we expected it to be, if it’s something we’d like to chase down further, or if it’s something we’d like to pursue, we have the ability to write injects on the fly.”

He said those injects could include new attacks.

The Cyber Storm exercise will be conducted primarily using secure messaging systems such as e-mail or text messages to relay injects to participants; the simulated attacks are not being conducted over any live or virtual network now in operation on the Internet, he said.

For the U.S. government, Cyber Storm III also offers the opportunity to test the DHS’ National Cyber Incident Response Plan.

“We want to focus on information sharing issues,” he said. “We want to know how all of the different organizations are compiling, acting on, aggregating information that they’re sharing, especially when you’re thinking about classified lines coming into the unclassified domain. There’s a concept called tearlining, in which we take classified information, and get it below the tearline, so that those without security clearances can get it, and act on it.”

The Cyber Storm III exercise is expected to conclude by 10.01.10.

Was Stuxnet Built to Attack Iran’s Nuclear Program?

By Robert McMillan, IDG News

September 2010

A highly sophisticated computer worm that has spread through Iran, Indonesia and India was built to destroy operations at one target: possibly Iran’s Bushehr nuclear reactor.

That’s the emerging consensus of security experts who have examined the Stuxnet worm. In recent weeks, they’ve broken the cryptographic code behind the software and taken a look at how the worm operates in test environments. Researchers studying the worm all agree that Stuxnet was built by a very sophisticated and capable attacker — possibly a nation state — and it was designed to destroy something big.

Though it was first developed more than a year ago, Stuxnet was discovered in July 2010, when a Belarus-based security company discovered the worm on computers belonging to an Iranian client. Since then it has been the subject of ongoing study by security researchers who say they’ve never seen anything like it before. Now, after months of private speculation, some of the researchers who know Stuxnet best say that it may have been built to sabotage Iran’s nukes.

Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm’s attack.

Experts had first thought that Stuxnet was written to steal industrial secrets — factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings — a kind of fingerprint that tells it that it has been installed on a very specific Programmable Logic Controller (PLC) device — and then it injects its own code into that system.

Because of the complexity of the attack, the target “must be of extremely high value to the attacker,” Langner wrote in his analysis.

Langner is set to present his findings at a closed-door security conference in Maryland this week, which will also feature a technical discussion from Siemens engineers. Langner said he wasn’t yet ready to speak to a reporter at length (“the fact of the matter is this stuff is so bizarre that I have to make up my mind how to explain this to the public,” he said via e-mail) but others who have examined his data say that it shows that whoever wrote Stuxnet clearly had a specific target in mind. “It’s looking for specific things in specific places in these PLC devices. And that would really mean that it’s designed to look for a specific plant,” said Dale Peterson, CEO of Digital Bond.

This specific target may well have been Iran’s Bushehr reactor, now under construction, Langner said in a blog posting. Bushehr reportedly experienced delays last year, several months after Stuxnet is thought to have been created, and according to screen shots of the plant posted by UPI, it uses the Windows-based Siemens PLC software targeted by Stuxnet.

Peterson believes that Bushehr was possibly the target. “If I had to guess what it was, yes that’s a logical target,” he said. “But that’s just speculation.”

Langner thinks that it’s possible that Bushehr may have been infected through the Russian contractor that is now building the facility, JSC AtomStroyExport. Recently AtomStroyExport had its Web site hacked, and some of its Web pages are still blocked by security vendors because they are known to host malware. This is not an auspicious sign for a company contracted with handling nuclear secrets.

Tofino Security Chief Technology Officer Eric Byres is an industrial systems security expert who has tracked Stuxnet since it was discovered. Initially he thought it was designed for espionage, but after reading Langner’s analysis, he’s changed his mind. “I guessed wrong, I really did,” he said. “After looking at the code that Ralph hauled out of this thing, he’s right on.”

One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35. This Siemens component monitors critical factory operations — things that need a response within 100 milliseconds. By messing with Organizational Block 35, Stuxnet could easily cause a refinery’s centrifuge to malfunction, but it could be used to hit other targets too, Byres said. “The only thing I can say is that it is something designed to go bang,” he said.

Whoever created Stuxnet developed four previously unknown zero-day attacks and a peer-to-peer communications system, compromised digital certificates belonging to Realtek Semiconductor and JMicron Technology, and displayed extensive knowledge of industrial systems. This is not something that your run-of-the-mill hacker can pull off. Many security researchers think that it would take the resources of a nation state to accomplish.

Last year, rumors began surfacing that Israel might be contemplating a cyber attack on Iran’s nuclear facilities.

Bushehr is a plausible target, but there could easily be other facilities — refineries, chemical plants or factories that could also make valuable targets, said Scott Borg, CEO of the U.S. Cyber Consequences Unit, a security advisory group. “It’s not obvious that it has to be the nuclear program,” he said. “Iran has other control systems that could be targeted.”

Iranian government representatives did not return messages seeking comment for this story, but sources within the country say that Iran has been hit hard by the worm. When it was first discovered, 60 percent of the infected Stuxnet computers were located in Iran, according to Symantec.

Now that the Stuxnet attack is public, the industrial control systems industry has come of age in an uncomfortable way. And clearly it will have more things to worry about.

“The problem is not Stuxnet. Stuxnet is history,” said Langner in an e-mail message. “The problem is the next generation of malware that will follow.”

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com
