In the good old days, power stations, national grids, telephone networks, communication systems, even banks were all separate entities. When computers first started appearing in these critical parts of our infrastructure, they were special isolated computers, often running a custom operating system, designed for a single purpose, say, monitoring and controlling the temperature of a reactor core in a nuclear power station. Back in the 50s and 60s, there was no internet as we know it today. The first networks were appearing, but these were dedicated networks, connected by expensive runs of cable and used exclusively by one organisation. They were called “leased lines” or “dedicated circuits.” Mostly, the mission-critical machines that controlled reactor cores, air traffic control, banks’ computers etc. were isolated from these early networks, and were relatively simple, in that they only had to perform a few (important) functions: for example, measure the temperature of a core, inject coolant when it exceeds a certain temperature, sound a buzzer, flash a warning light and so on. They didn’t need email, media players, office applications etc.
Now, many mission-critical systems are connected to the Internet in order to allow remote control by operators, and instead of using dedicated circuits that cost thousands per month, they use the internet.
Of course, they are protected by heavy-duty firewalls, they use encryption and certificates to sign traffic and so on, but you can’t escape the fact that they are physically connected to the internet.
The new breed of malware, viruses, trojans and spyware is unlike the more commonly encountered type that consumers experience. The more common types rely on mass circulation across the world in order to send spam, or to extort money from people whose PCs get infected by hoax anti-spyware programmes that lock up their systems unless they give their credit card details. Most of these threats are detected by security companies, and antivirus signatures get updated to clean people’s systems. Nearly all of these types of malware advertise themselves.
In contrast, cyber-warfare malware doesn’t want to be found. Take this scenario. A piece of malware is developed in a government’s top-secret labs, installed as a hidden file on a memory stick, branded as new, and exported to the west. It is marketed to a foreign civil service and silently gets installed on a government or utility worker’s computer. It sits there silently, doesn’t advertise itself at all, and on a given date, or upon a signal, bounces into life: perhaps it records passwords, or builds a database of all the computers this user’s computer talks to. It could then launch a denial-of-service attack, or just start shutting down important devices, if it can move from a soft target inside a government network to a core target such as a power station control computer.
The Stuxnet worm is one example of a piece of malware that targets industrial systems. It was used to target Iran’s nuclear facilities. It begs the question of who would want to damage Iran’s nuclear programme, but let’s avoid politics!
With this type of malware, antivirus is probably useless. The malware is likely to remain undiscovered until it is triggered, e.g. in the event of war. Security patches and updates are also of limited value, as the authors of this malware will discover vulnerabilities themselves and keep them secret. By the time a vulnerability is discovered, it will likely be too late.
What can we do? As consumers, nothing. What can governments and organisations do? Perhaps they are taking the same approach as in the Cold War, preliminary action. Will we see the big nations fighting by proxy, testing their cyber-warfare techniques in third-world countries or in sensitive parts of the world, such as the Middle East? Perhaps we should be relieved: instead of thousands of nukes all being launched, they will all be disabled. No, that’s too hopeful.