Home » cyber security » Stuxnet – A Lesson in Combating Modern Cyber Warfare

Stuxnet – A Lesson in Combating Modern Cyber Warfare

The threat of cyber attacks is more prevalent today than ever before. Criminals and government organizations are in a fierce battle that many don’t notice until the aftermath. Credit cards and personal information are leaked from large companies and the breaches are widely publicized by the media. However, there’s another, less publicized type of cyber warfare occurring…and these strategic attacks often go unnoticed until it’s too late.

Stuxnet is a perfect example.

The goal of Stuxnet was to destroy the fragile equipment that’s used to refine uranium into a form that can be weaponized. This attack was executed with great precision so that only the intended target would be affected. Even though many systems contracted the worm, they were not harmed by it. Only the hackers’ target, the uranium facility, was harmed.

The Stuxnet worm is still one of the greatest worms ever crafted. It moved system to system on USB drives until finally an infected USB was inserted in to the refining facility. And that’s when the worm started its attack.

Organizations can learn two important lessons from Stuxnet:

  1. Removable media is one the greatest threats to an air-gapped system. This type of system that has no connection to the internet and the only way into the network via an infected removable media device.
  2. Users should be prohibited from inserting removable media into high-target systems – i.e. any system that’s air gapped – unless it’s been properly sanitized and approved for use.

Stuxnet also draws attention to the fact that some systems are vulnerable no matter what. There was little the plant could’ve done to safeguard the components that were used to cause the failure in the facility. The dropper part of the worm is the only thing that could’ve been stopped. This means that a more in-depth defense and user training is needed to better protect systems that cannot full secured.

Establishing a Fortified Security Policy

There’s a lot that can be done to lower the risk of a security breach in this modern world of cyber warfare. And one of the most important is a good security policy that’s strictly enforced. A sound security policy takes into consideration how an organization does business and works to find and resolve issues before they become problems. It also takes into account the people responsible for its enforcement.

The weakest point of any security policy is people. Because everyone make mistakes. By providing employees with on-boarding training, as well as annual cyber security training, employees can educated on cyber security best practices and red flags, such as phishing emails, to look out for.

Once a staff is properly trained in cyber security procedures, an organization’s network should be assessed to ensure the most recent patches are installed on servers and workstations. All critical servers or server that are high value targets, such as credit card databases, should also require user input to be validated to protect the database from injections that can cause the table to be dropped onto the attacker’s machine.

Another way to make sure a network is as secure as possible is via penetration tests and vulnerability scans. These exercises expose a network to a variety of attacks and show what hosts are on it, which helps to eliminate advanced persistent threats from rogue devices. Pen test and vulnerability scans also show where improvements can be made without causing interference to users and customers.

While a good security policy can only do so much to protect a company, it’s an absolute necessity. And its something that should be revisited and updated regularly as new threats emerge and the organization’s needs change and evolve.

Preventing Another Stuxnet

To prevent another attack like Stuxnet, organizations need to take their cyber security more seriously. Implement a custom security policy, train users on best practices and threat detection and ensure that network engineers have an accurate account of all systems. Doing so will go a long way in strengthening an organization’s security posture and prevent a large scale breach.

Custom malware can go undetected for years. So making it difficult for cyber criminals to infiltrate networks is a logical line of defense. However, even if attackers are able to access a high-value target, they still have to get the data out. Closely monitoring everything that is outbound from a network will help detect if and when it’s compromised.

Yet in the case of Stuxnet, the key was preventing removable media from being inserted into the air-gapped network. There are many ways to eliminate the removable media options from computers. Either by physically removing the drives, or by logically severing the ability to make the connection. In the case of an air gapped system, physically removing the ability to insert any form of removable media is the best option; however it is a more extreme one.

Hackers have nothing but time on their hands. They can create custom malware that won’t be detected by anti-virus. And they can bide their time and perform tests to ensure the attack’s will be successful. If an actor is able to get into a power gird or water systems that use SCAD systems, how would we see them? Could we stop them before they caused irreparable damage and extreme loss of life? Stuxnet brought to light the seriousness of this threat. It demonstrated the power of cyber warfare and the damage a strategically engineer attack can have on our nation’s critical infrastructure.



About Spence Witten

Spence has somehow survived ten years at start-ups and small businesses without suffering a (major) nervous breakdown. As Lunarline's Director of Federal Sales, Spence actually loves working on proposals. If there were any doubt, this is proof that he is in fact certifiably insane. While his title says "Sales" Lunarline doesn't let him off that easy. We make him do real work, too. Luckily he's a recognized subject matter expert in security policy and loves helping clients navigate their way around tricky security compliance standards. He's also been known to lead a software development initiative or two, though that pretty much always ends poorly for everyone involved. He can be reached at spence.witten@lunarline.com.