Jul 29, 2011

A letter to Congress

Being very much concerned about the threat of Stuxnet-inspired attacks, I thought I would write a letter to inform the US House of Representatives. Here is my letter to a congressperson who is concerned with critical infrastructure protection against cyber threats (emphasis added later).

So after this week’s hearing on cyber threats to US critical infrastructure, Congress heard the message twice (well, I didn’t use so many words as the DHS fellows), within an interval of almost a year, as my letter was written and submitted last September.

Ralph Langner

Jul 21, 2011

A time bomb with fourteen bytes

We have often pointed out that contrary to common belief, an attacker needs zero insider information and zero programming skills at the controller level in order to perform a Stuxnet-inspired attack against control systems. How would that be possible? Here is an example of a very simple generic attack that uses less than twenty bytes of code to achieve a calendar-based loss of control; a basic logical time bomb. It’s also the most basic copycat attack that a Stuxnet-inspired attacker could come up with – and yet achieve dramatic effects.

Jul 01, 2011

Ralph’s ICCC talk is online

NATO’s CCD COE made Ralph’s talk publicly available here. Be advised that watching the video stresses your imagination as you don’t see the slides. This can get demanding especially when Ralph fidgets with the laser pointer.

Jun 28, 2011

Coming soon: Ralph’s book on robust control system networks

Efforts to enhance control system security have been around for about a decade. Yet the average chemical plant, power plant, automotive factory or military weapon system still shows a security posture that might not even survive a simple network scan. This led Ralph to reason that simply doing more of what has been done before (more risk assessments, more firewalls, more security patches, more AV updates) might not be sufficient to prepare for advanced attacks that everybody must expect after Stuxnet. Therefore Ralph suggests taking a radically different approach that is also better aligned with the way operations and engineering approach reliability problems. In his new book Robust Control System Networks, he shows how complex control system networks can be made robust – and thus reliable and secure – without stressing concepts of risk and threat that most engineers are uncomfortable with as they always involve some kind of crystal ball looking and drama.

Caveat: The book does not contain a thrilling account of Stuxnet and cyberwar. It is a hardcore engineering textbook.

Jun 25, 2011

Don’t assume it is safe and secure just because it ought to be

Recently I was invited to speak at an international event on global security and terrorism hosted by Reuters (see coverage here). Besides the opportunity to meet senior correspondent Peter Apps and a bunch of journalists from all over the world, the event included a screening of the documentary Countdown to Zero, along with a discussion with its producers. Focused on the threat posed by the nuclear weapons arsenal and by proliferation, this film is, surprise, a must-see for anyone in control system security. Why? Well, because it turns out that ICS security problems even extend to launch control of inter-continental ballistic missiles carrying nuclear warheads. According to the accounts of several insiders interviewed in the film, there had been more than one incident when ICBMs had almost been launched accidentally because of control system flaws and false alarms, some of which can be characterized as insufficient system understanding.

Jun 11, 2011

Observations from ICCC

Last week I was in Tallinn to give a talk at NATO’s International Conference on Cyber Conflict. Here are some impressions.

Jun 07, 2011

Enumerating Stuxnet’s exploits

There are several misconceptions about the exploits used in Stuxnet, such as that all underlying vulnerabilities would have been fixed by now, or that there’s no need to worry about copycats because the exploits at the controller level were highly specific and would require insider knowledge and extreme resources to be copied. Here we will explain why such provisions are wrong and why Stuxnet can actually be thought of as some kind of toolbox for the wannabe cyber warrior.

Jun 03, 2011

A declaration of bankruptcy for US critical infrastructure protection

According to the Wall Street Journal, DoD’s first formal cyber strategy is based on the doctrine that a cyber attack on US critical infrastructure can be retaliated by a conventional military strike. The article is decorated with macho statements from unidentified military officials, such as “if you shut down our power grid, maybe we will put a missile down one of your smokestacks.” The military person who said that may have had full confidence in how deterring and frightening his or her line would be to wannabe attackers, and yet could not be more off the mark. Here is what everybody can read from DoD’s cyber strategy, given that the WSJ’s report is authentic (which I don’t call into question):

May 31, 2011

Meet Ralph in Tallinn

Ralph is going to talk next week at NATO’s International Conference on Cyber Conflict in Tallinn, Estonia.

Mar 31, 2011

Ralph’s TED talk is online

You can now watch Ralph’s TED talk here.