Christian Science Monitor – One year ago a malicious software program called Stuxnet exploded onto the world stage as the first publicly confirmed cyber superweapon – a digital guided missile that could emerge from cyber space to destroy a physical target in the real world.
It took Ralph Langner about a month to figure that out. He is an industrial control systems security expert in Hamburg, who deciphered and tested pieces of Stuxnet’s “payload” code in his lab and declared it a military-grade cyberweapon aimed at Iran’s nuclear facilities.
With Stuxnet as a “blueprint” downloadable from the Internet, he says, “any dumb hacker” can now figure out how to build and sell cyberweapons to any hacktivist or terrorist who wants “to put the lights out” in a US city or “release a toxic gas cloud.”
LANGNER: The most dangerous development is that DHS (Dept of Homeland Security) and asset owners completely failed to identify and address the threat of copycat attacks…. With every day [that] cyber weapon technology proliferates; the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares.
LANGNER: Son of Stuxnet is a misnomer. What’s really worrying are the concepts that Stuxnet gives hackers. The big problem we have right now is that Stuxnet has enabled hundreds of wannabe attackers to do essentially the same thing. Before, a Stuxnet-type attack could have been created by maybe five people. Now it’s more like 500 who could do this. The skill set that’s out there right now, and the level required to make this kind of thing, has dropped considerably simply because you can copy so much from Stuxnet.
CSM: But we haven’t seen a follow-up to Stuxnet yet?
LANGNER: Not yet. But the clock is ticking. Parts of Stuxnet can simply be copied now. A cybersecurity researcher named Dillon Beresford this summer described to a hacker conference an industrial control system exploit that involved copying. His findings confirm my view that you don’t have to be a genius to create a program that works on a control system exactly the way Stuxnet does. You just have to know how to copy parts of it. After that, you just need a little more knowledge to make a simple but effective digital dirty bomb. It may not be nearly as powerful as Stuxnet on a single system, but it could have a far broader effect on many systems. That’s a digital dirty bomb.
CSM: But you yourself recently decided to demonstrate how simple a Stuxnet attack could be – just four lines of code – to make an industrial system freeze. A time bomb, really. Why did you do that?
LANGNER: I couldn’t stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened. What you still hear today from all kinds of people is how a Stuxnet-type attack requires so much insider knowledge. I finally had to publish this four-line attack just to make sure no smart-guy tells his boss that this is impossible. I left out some key parts of it so it could not be used.