Tuesday, January 25, 2011

Is Your Particle Accelerator Secure?

by Andreas Fabis

After the Stuxnet attack on industrial centrifuges, security experts scrambled to dissect and understand the advanced and persistent threat that the worm embodied. With this attack, a new chapter in the book of cyber-warfare was written wherein a very complex, well-designed, and narrowly-targeted attack was successfully carried out on critical infrastructure – a scenario that, so far, has been more reminiscent of a Hollywood movie plot than a real-world threat.

The effort devoted to creating the Stuxnet worm was deemed to be beyond the capabilities of individual hackers, so it should serve as a serious wake-up call for IT professionals, managers of airports and power plants, and government agencies: the attackers are professionals themselves!

Traditional anti-virus software would not have helped protect against Stuxnet, because it was a brand-new, customized malware that only affected very specific networks. It was also delivered via USB stick directly to the host computer; like most current virus outbreaks, it started within the secured perimeter.

The IT infrastructure (hardware and software) intended to control industrial machinery was designed to be operated by trusted personnel only. But control of this IT infrastructure is now accessible via its connection to networks, and relies on minimal or non-existent security; after all, it wasn’t built with outside threats in mind, but for maximum performance and efficiency. So, when this infrastructure is exposed to attackers, existing vulnerabilities can be easily exploited.

The Stuxnet attack also raises questions about assurance within the supply chain. How can government organizations and companies who run critical infrastructure make sure that none of the countless components used in their systems open back doors to attackers, or contain malicious code that waits, undetected, for the command to shut down or hand over system control to an attacker?

Organizations will have to look at all levels of operation to defend against these kinds of elaborate attacks. Some points for scrutiny include activities to:

  • put in place organizational security policies and procedures that identify critical assets and mitigate risks connected to them
  • educate employees to make them aware of attack scenarios such as social engineering, tainted USB sticks, and phishing attempts
  • use certified hardware and software that offers appropriate assurance for its intended environment
  • broaden the scope of IT security to include industrial machinery and all equipment connected to networks

From our view as a consulting company, we have always looked at IT security as being inextricably intertwined with your business as well as your operations. IT security should not be an add-on; it should support and protect your whole business, and serve as an active part of your organization.
