Recently I was invited to speak at an international event on global security and terrorism hosted by Reuters (see coverage here). Besides the opportunity to meet senior correspondent Peter Apps and a bunch of journalists from all over the world, the event included a screening of the documentary Countdown to Zero, along with a discussion with its producers. Focused on the threat posed by the nuclear weapons arsenal and by proliferation, this film is, surprise, a must-see for anyone in control system security. Why? Well, because it turns out that ICS security problems even extend to the launch control of intercontinental ballistic missiles carrying nuclear warheads. According to the accounts of several insiders interviewed in the film, there has been more than one incident in which ICBMs were almost launched accidentally because of control system flaws and false alarms, some of which came down to insufficient system understanding.
One of the more bizarre episodes in the film is the part where permissive action link (PAL) codes are explained, the codes that are required to activate nuclear warheads. A former Minuteman launch control officer explains that when the need for activation codes was pushed by Secretary of Defense McNamara and President Kennedy, military leaders strongly objected. In the end, the military gave in, but Strategic Air Command quietly ordered all code digits to be set to zero on all systems – to avoid potential fiddling with code entry during the one-minute timeframe for a missile launch. Sound familiar? Sure it does: it’s the killer argument against authentication for control systems across industries. This policy stayed in effect for almost twenty years, until the late seventies. (Last year at WeissCon I learned from a US Air Force Colonel that it is now common practice to have soldiers input activation codes from memory within seconds, and that they do change their codes frequently. Guess what, it works.)
In the film you can also see German nuclear scientist Alexander Glaser from Princeton explaining how easy it is to build a nuclear bomb once you have the fissile material (you just have to buy a big surplus army cannon and fire at the fissile material). Alexander’s outstanding work on IR-1 cascade structures was crucial for our success in cracking Stuxnet’s 417 attack code.
Lesson learned: The fact that the layperson assumes there must be reasonable safety and security with respect to any specific system does not imply that there actually is, not even for systems that, in case of malfunction or compromise, could have made much of the planet’s surface uninhabitable.