Read Our Final Invention: Artificial Intelligence and the End of the Human Era Hardcover Online
Authors: James Barrat
Processing water and pumping it to most homes and businesses takes juice. Without power, sewage goes nowhere. In a blackout, communication with affected areas won’t occur except for a limited time, with emergency personnel using batteries or generators running, of course, on fuel. Putting aside unfortunate souls trapped in elevators, at the greatest risk are patients with critical care issues and infants. Based on the analysis of hypothetical disasters that knock out large swaths of the national energy grid, a couple of harrowing facts jump out. If energy stays out for more than two weeks, most infants under age one will die of starvation because of their need for formula. If energy remains down for a year, about nine out of ten people of all ages will die from a variety of causes, mainly hunger and disease.
Contrary to what you might think, America’s military does not have an independent source of fuel and energy, so in the case of a large-scale, prolonged blackout, it won’t be riding to the rescue. Ninety-nine percent of the military’s energy needs come from civilian sources and 90 percent of their communications are carried across private networks, like everyone else’s. You’ve probably seen soldiers in airports—that’s because the military relies on our shared transportation infrastructure. As Lynn said in a 2011 speech, this is another reason besides loss of life why attacking the energy infrastructure crosses the hot-war threshold; it threatens the military’s ability to protect the nation.
“Significant disruptions in any one of these sectors could impact defense operations. A cyberattack against more than one could be devastating. The integrity of the networks that undergird critical infrastructure must be considered as we assess our ability to carry out national security missions.”
As far as anyone I’ve spoken with knows, only once in the short life of the Internet have hackers “taken down” an electrical grid. In Brazil, between 2005 and 2007, a series of cyberattacks darkened the homes of more than three million people in dozens of cities and knocked the world’s largest iron ore plants offline. No one knows who did it, and once it began authorities were powerless to stop it. Power grid experts have learned that electrical grids are “tightly coupled” in the strictest sense; a failure in a small part can “cascade” into a network-wide collapse. The United States’ 2003 Northeast Power blackout took just seven minutes to sweep across Ontario and eight U.S. states, and turn out the lights for fifty million people for two days. It cost the region between $4 and $6 billion. And that grid failure wasn’t intentional—all it took was a tree branch falling on wires. The quick recovery was just as unplanned as the failure. Many industrial generators and transformers on our national grid are built overseas. If critical components are damaged as a consequence of blackouts, emergency replacement can take months rather than days. During the Northeast Power blackout, no major generators or transformers were destroyed.
In 2007, to explore the cyberdestruction of critical hardware, the Department of Homeland Security put a turbine generator online at the Idaho National Laboratory, a nuclear research facility. Then they hacked it and changed the settings. DHS hackers wanted to see if they could make the $1 million turbine, similar to many on the electrical grid, malfunction. As an eyewitness described, they succeeded:
Buzzing from the generator’s fans grew steadily louder before a grinding snap from within the 27-ton steel giant rippled through its frame, shaking it like a hunk of plastic. The buzz grew louder and another snap echoed through the room. A hiss of white smoke began pouring out, followed by a billowing black cloud as the turbine tore itself apart from the inside.
The vulnerability investigators sought to explore is endemic in North America’s electrical grid—the habit of attaching the controlling hardware of critical machinery to the Internet so it can be remotely operated, and “protecting” it with passwords, firewalls, encryption, and other safeguards that crooks routinely cut through like hot knives through butter. The device that controlled DHS’ tortured generator is present throughout our national energy network. It is known as a supervisory control and data acquisition, or SCADA, system.
SCADA systems don’t just control devices in the electrical grid, but all manner of modern hardware, including traffic lights, nuclear power plants, oil and gas pipelines, water treatment facilities, and factory assembly lines. SCADA has become almost a household acronym because of the phenomenon called Stuxnet. Stuxnet, and its cousins Duqu and Flame, have convinced even the most hardened skeptics that the energy grid can be attacked.
Stuxnet is to malware what the atomic bomb is to bullets. It’s the computer virus IT people refer to in hushed tones as a “digital warhead” and the “first military grade cyber weapon.” But the virus isn’t just smarter than any other, it has completely different goals. While other malware campaigns stole credit card numbers and jet fighter plans, Stuxnet was created to destroy machinery. Specifically, it was built to kill industrial machines connected to a Siemens S7-300 logic controller, a component of a SCADA system. Its point of entry—the virus-prone PC computer and Windows operating system running the controller. It was looking for S7-300s working in the gas centrifuge nuclear fuel enrichment program facility in Natanz, Iran, as well as three other locations in the country.
In Iran, one or more spies carried flash drives infected with three versions of Stuxnet into secure plants. Stuxnet can travel across the Internet (though at a half megabyte of code it’s much larger than most malware) but in this case it did not, initially. Typically, in the plants, one computer was attached to one controller and an “air gap” separated the computer from the Internet. But one flash drive could infect multiple PCs, or infest an entire local area network (LAN) by plugging into one node.
At the Natanz plant PCs were running software that permits users to visualize, monitor, and control plant operations from their computers. Once Stuxnet got access to one computer, phase one of its invasion began. It used four zero day vulnerabilities in the Microsoft Windows operating system to take control of that computer and search for others.
Zero day vulnerabilities are holes in the computer’s operating software that no one has discovered yet, holes that permit unauthorized access to the computer. Hackers covet zero day vulnerabilities—their specs can sell for as much as $500,000 on the open market. Using four at the same time was extravagant, but it greatly enhanced the virus’s chances of success. That’s because in between Stuxnet’s deployment and when the attacks took place, one or more of the exploits could have been discovered and patched.
For phase two of the invasion, two digital signatures stolen from legitimate companies came into play. These signatures told the computers that Stuxnet was approved by Microsoft to probe and alter the system software at its root level. Now Stuxnet unpacked and installed the program it carried inside it, the malware payload that targeted S7-300 controllers running gas centrifuges.
The PCs running the plant and their operators didn’t sense anything wrong as Stuxnet reprogrammed the SCADA controllers to periodically speed up and slow down the centrifuges. Stuxnet hid the instructions from monitoring software, so the visual representation of the plant operations showing on the PCs looked normal. As the centrifuges began burning out, one after another, the Iranians blamed the machines. The invasion went on for ten months. When a newer version of Stuxnet encountered an older version, it updated it. At Natanz, Stuxnet crippled between 1,000 and 2,000 centrifuges, and allegedly set back Iran’s nuclear weapons development program two years.
The consensus of experts and self-congratulatory remarks made by intelligence officials in the United States and Israel left little doubt that the two countries jointly created Stuxnet, and that Iran’s nuclear development program was its target.
Then, in the spring of 2012, a White House source leaked to The New York Times that Stuxnet and related malware named Duqu and Flame were indeed part of a joint U.S.-Israel cyberwar campaign against Iran called Olympic Games. Its builders were the United States’ National Security Agency (NSA) and a secret organization in Israel. Its goal was indeed to delay Iran’s development of nuclear weapons, and avoid or forestall a conventional attack by Israel against Iran’s nuclear capabilities.
Until their creation was pinned on the Bush and Obama administrations, Stuxnet and its kin might have seemed to be a resounding success for military intelligence. They are not. Olympic Games is a blunder of catastrophic proportions, the equivalent of dropping atomic bombs along with their blueprints in the 1940s. Malware doesn’t just go away. Thousands of copies were distributed when the virus accidentally escaped from the Natanz plant. It infected PCs around the world, but never attacked another SCADA unit because it never again found its target—the Siemens S7-300 logic controller. A clever programmer could acquire Stuxnet, disable its suicide code, and customize it for use against virtually any industrial process.
I have no doubt that operation is underway right now in the laboratories of both friends and enemies of the United States, and that Stuxnet-grade malware will soon be available for purchase on the Internet.
It’s become clear that Duqu and Flame are reconnaissance viruses—instead of destructive payloads, the worms collect information and send it home to NSA headquarters at Fort Meade, Maryland. Both may have been released before Stuxnet, and used to help Olympic Games get the layout of sensitive facilities in Iran and throughout the Middle East. Duqu can record user keystrokes and allow someone continents away to remotely control the invaded computer. Flame can record and send home data from a computer’s camera, microphone, and e-mail accounts. Like Stuxnet, Duqu and Flame can also be captured in the wild, and turned against their makers.
Was Olympic Games necessary? It was at best a temporary hindrance to Iran’s nuclear ambitions. But it’s all too typical of the short-term outlook that mars decisions about technology. No one planning Olympic Games thought beyond a couple of years down the road, or about the “normal accident” that ultimately befell the campaign—the virus’s escape. Why take such enormous risks for such a modest payoff?
On a March 2012 episode of CBS’ 60 Minutes, Sean McGurk, the former head of cyberdefense at DHS, was asked if he would have built Stuxnet. Here’s the exchange between McGurk and correspondent Steve Kroft:
MCGURK: [Stuxnet’s creators] opened up the box. They demonstrated the capability. They showed the ability and the desire to do so. And it’s not something that can be put back.
KROFT: If somebody in the government had come to you and said, “Look, we’re thinking about doing this. What do you think?” What would you have told them?
MCGURK: I would have strongly cautioned them against it because of the unintended consequences of releasing such a code.
KROFT: Meaning that other people could use it against you?
MCGURK: Yes.
The segment ends with German industrial control systems expert Ralph Langner. Langner “discovered” Stuxnet by taking it apart in his lab and testing its payload. He tells 60 Minutes that Stuxnet dramatically lowered the dollar cost of a terrorist attack on the U.S. electrical grid to about a million dollars. Elsewhere, Langner warned about the mass casualties that could result from unprotected control systems throughout America, in “important facilities like power, water, and chemical facilities that process poisonous gases.”
“What’s really worrying are the concepts that Stuxnet gives hackers,” said Langner. “Before, a Stuxnet-type attack could have been created by maybe five people. Now it’s more like five hundred who could do this. The skill set that’s out there right now, and the level required to make this kind of thing, has dropped considerably simply because you can copy so much from Stuxnet.”
According to The New York Times, Stuxnet escaped because, after early successes destroying Iran’s centrifuges, Stuxnet’s makers grew lax.
… the good luck did not last. In the summer of 2010, shortly after a new variant of the worm had been sent into Natanz, it became clear that the worm, which was never supposed to leave the Natanz machines, had broken free, like a zoo animal that found the keys to the cage.… An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.
This wasn’t merely a programming mistake that led to an accident with dire national security implications. This is a Busy Child test case, and people operating within the highest circle of government, with the highest security clearance and greatest technical competence, failed it miserably. We do not know the downstream implications of delivering this powerful technology into the hands of our enemies. How bad could it get? An attack on elements of the U.S. power grid, for starters. Also, attacks against nuclear power plants, nuclear waste storage facilities, chemical facilities, trains and airlines. In short, pretty bad. How the White House reacts and plans now, in the aftermath, is very important. My fear is that while the White House should be hardening systems made more vulnerable by Stuxnet, nothing productive is happening.
Tellingly, the Times reporter implies that the virus is intelligent. He blames Stuxnet for a cognitive mistake: it “failed to recognize” that it wasn’t in Natanz anymore. Later in the piece, Vice President Joe Biden blames Israelis for the programming mistake. Certainly there’s plenty of blame to go around. But the reckless misuse of intelligent technology is both breathtaking and predictable. Stuxnet is the first in a series of “accidents” that we’ll be helpless against without strenuous preparation.