Jim Lewis on SCADA security threats, Stuxnet analysis

Following the Stuxnet attacks, few would attest to having full faith in the security of SCADA systems, but just what are the threats, and what are the best strategies to mitigate them?

In this video, Jim Lewis, Director and Senior Fellow in the Technology and Public Policy Program at the Center for Strategic and International Studies, gives his Stuxnet analysis and explains what he thinks are the most worrisome SCADA security threats.

View the Idaho National Labs SCADA hack experiment.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact editor@searchsecurity.com.   

Mike Mimoso: Hi, I'm Mike Mimoso, and Jim Lewis is with me today. How are
you, Jim? Thanks for joining us.

Jim Lewis: Great to be here.

Mike Mimoso: I'm curious as to your initial reaction to Stuxnet, in terms of its
targeting and its sophistication.

Jim Lewis: It shouldn't have been a surprise. There was a set of tests at Idaho
National Labs in 2007, called the Aurora tests. You used to be able to see
the video online, don't know if they finally got it off. In the Aurora
tests at Idaho National Labs, people were able to demonstrate that you
could penetrate the control system of electrical generators. Not the
computers, but the SCADA system and cause the SCADA system to malfunction
and have the machine shake itself to pieces. That was public in 2007. If we
know how to do it, believe me, the other guys know how to do it, too. So, this
has been around now for five years or so. What we saw in Stuxnet was kind
of interesting. Very sophisticated combination, a very sophisticated
combination of techniques. Four zero-day attacks, two stolen credentials.
How they got it into networks that may very well have been air-gapped,
suggests a little human intrigue there. It was a cool story. It's a nice
spy story. I'm looking forward to the movie but what else is there to say
about it? There's one other thing to say about it, which is there was an
alternative to Stuxnet and that alternative would have been air strikes on the
Iranian nuclear facility. If you have to pick between air strikes and
Stuxnet, that's why cyberwar is so much fun. You never have to give CPR in
a cyber war.

Mike Mimoso: There's no blood.

Jim Lewis: Yeah, that's right. What we need to think about, though, again, is if
we can do it, other people can do it, and as we know with these products, they
start out being the high end. Only the Russians, the Chinese, the Americans
and the Brits have them, and they slowly trickle out. It takes years, but
this will show up in the black market and someone will figure out how to make
money off it, or some group that we don't like, like the Iranians or the
North Koreans will get their hands on it and then we can be on the
receiving end. We have some time, but we don't want to wait for that to

Mike Mimoso: In the last 12 to 18 months there's been a lot of talk about the
development and use of offensive weapons in cyberspace and even the
militarization of cyberspace. Is that a viable strategy?

Jim Lewis: I have no idea what that means. I heard someone say that this morning,
"The militarization of the Internet." It's like what are they talking
about? DOD talks about it as a domain, and when DOD says domain, what
they mean is naval forces operating on the water. Air forces operating in
the air. Ground forces operating on the land and now how do you get these
forces to operate jointly? Joined forces are more effective and they've
added a new domain, the cyber domain where you have information weapons,
information techniques that, working with the other forces, make our
military more effective. I don't know if that's the militarization of the
Internet, I mean the Internet started out as a DOD project. Countries have
been using it for espionage purposes since the mid-1980s. Militaries have
been exploring it as an attack technique since the early 1990s. This is
nothing new but it's just another weapons system. It's just like a cruise
missile. It's faster, but it doesn't make as big a bang. It's just like an
airplane. You can launch it and if you have enough time, maybe you can turn
it around so I don't worry about this so much. It's just another weapons
system and as long as only states have that weapon, I don't think they're
going to use it freely.

Mike Mimoso: Why has critical infrastructure fallen down so hard in terms of

Jim Lewis: Well the smart grid is a good example, which is everyone loves smart
grid. Everyone except the people of New South Wales, who apparently hate
the smart grid and had massive demonstrations against it but other than those
people, they love it because it will make us more efficient and it's green
and it's all that good stuff. People loved it so much that they rushed out
to deploy it without thinking about security. Yes, we've heard this story
before. No one thinks about security, right? We've built systems. I heard
about a smart grid technology on these meters. It was really quite funny
because this was about a year ago and someone was telling me how the smart
grid meters worked. They said, "They're secure because they have a random
number generator in them." I say, "That's great, how does it work?" "Well, we
have a list of numbers and we start randomly somewhere on the list." I heard
of ways to beat that in 1995. That's not a random number generator. That's
an easily defeatable technique. When the infrastructure companies, whose
job is to make money, right? When they hear about a product that will let
them make money, they tend to chase it. They aren't used to being targets.
They aren't used to thinking about having to protect themselves from
foreign opponents. You can't blame them for that, right? That's why I think
the government has to step in.

Mike Mimoso: Are they too far behind to catch up?

Jim Lewis: Not clear. One of the reasons we need international understandings on cyber
conflict, is that things we do on our own may not be enough. We need to
have a common understanding among people that this kind of cyber attack
against critical infrastructure is just like an attack if you’d sent in a
team of commandos and they had blown it up.

We're going to react. But we need to let everyone know that, and we
haven't done that. Could we catch up on some of this? Sure. I mean things
like Stuxnet show you that we'll patch the holes that Stuxnet revealed.
What we won't patch are the holes that we don't know about. Those are the
ones that our opponents will be looking for. Can we make it better? Yes.
Is each company doing better network security enough? No.

Mike Mimoso: All right. Thanks for joining me, Jim.

Jim Lewis: Great. Thanks Mike.

Mike Mimoso: For more information, please visit searchsecurity.com.

