SCADA Security Cyberwar

The Iranian Supreme National Security Council has called for the “International Atomic Energy Agency (IAEA) to form a fact-finding committee to detect agents involved in nuclear terrorism and operation of Stuxnet computer worm to attack nuclear industry”. The majority of the world has been far from upset by the likelihood of Stuxnet delaying Iran’s nuclear program, but how would the world feel if this type of cyber attack had occurred against a European government program? The call for an international investigation would not be laughed off.

With this as a backdrop, there are two new and interesting cyberwar documents to consider. The first is an Executive Order by President Obama that describes, according to the Associated Press:

how far military commanders around the globe can go in using cyberattacks and other computer-based operations against enemies and as part of routine espionage in other countries. …

In a broad new strategy document, the Pentagon lays out some of the cyber capabilities the military may use during peacetime and conflict. They range from planting a computer virus to using cyberattacks to bring down an enemy’s electrical grid or defense network.

As an example, the new White House guidelines would allow the military to transmit computer code to another country’s network to test the route and make sure connections work — much like using satellites to take pictures of a location to scout out missile sites or other military capabilities.

The digital code would be passive and could not include a virus or worm that could be triggered to do harm at a later date. But if the U.S. ever got involved in a conflict with that country, the code would have mapped out a path for any offensive cyberattack to take, if approved by the president.

Reread those last two paragraphs. If accurate (after all, they come from anonymous sources), they would allow the US Government to penetrate foreign government networks, perform reconnaissance and even load proof-of-concept “passive” files. They would likely do this periodically so they would maintain the ability to execute an attack when necessary. Think persistent / APT.

That policy certainly cedes the moral high ground. The US couldn’t complain if foreign governments breached US Government or critical infrastructure networks, as long as they didn’t initiate an attack until hostilities had started.

The second document is the article Stuxnet Poses Interesting International Law Issues from the Spring 2011 IA Newsletter (ht: @taosecurity). The author asks the question, assuming Israel was responsible for Stuxnet:

Could Iran claim that Israel has perpetrated an “armed attack” against it, thereby permitting Iran to respond in self defense?

The author provides background on UN Article 51, which describes the right of self-defense in the case of armed attack, and on a variety of other international law documents and principles. It is a worthwhile read, but the conclusion is that the appropriate legal vehicle and response would depend on who performed the attack. It could lead to criminal prosecution of an individual or individuals, or to the right of kinetic or cyber self-defense against a nation or group, similar to what the US did to Al Qaeda after the 9/11 attacks.

The tie between the two articles is the level of damage that would trigger the right of self-defense. If damage similar to a kinetic attack is required, then activity under the US guidelines would not be an armed attack that would allow a response in self-defense.

Getting back to Iran, if we generalize the names of the attacker and attack target, then the international response might be quite different. For example, what would be the response if countries A and B used a cyber attack to destroy a key facility in country C, similar to what a bomb would do in terms of cost and capabilities?

  1. The international community could support an investigation to determine who the attackers were, as the Iranians are now asking the IAEA to do.
  2. The international community could support country C retaliating with a cyber or kinetic attack against countries A and B, if the attack source were confirmed to a degree that satisfied the international community.

For a critical infrastructure owner/operator, the only clear thing is that this approach increases the threat. If countries around the world adopt the US cyberwar guidelines, those countries will be actively probing and attempting to maintain the ability to get onto SCADA and DCS networks and disable them at will. If the US is determined to have launched a cyberwar effort, then a smaller country or organization could have the internationally recognized right to respond with a cyber attack on a part of the US critical infrastructure.
