Stuxnet and the Enterprise: ZapThink Calls Another Crisis Point

No sooner had ZapThink predicted the Fall of Enterprise Frameworks in our ZapThink 2020 vision than, a mere couple of weeks later, the Zachman organization fell apart, signaling the beginning of a period of reevaluation of many Enterprise Architecture programs around the globe. Now, another current event has raised another one of ZapThink’s Crisis Point predictions to the level of timely prescience. This time, it’s the Cyberwar Crisis Point. And the precipitating event is the Stuxnet worm.

The news about Stuxnet is chilling. Leveraging an unprecedented four zero-day Windows bugs, Stuxnet targets the control systems in specific industrial equipment, apparently as a way to target Iran’s nuclear power infrastructure. This worm is so sophisticated it’s in a class by itself. No product of a lone, geeky Xtr3m H4x0r (that’s “extreme hacker” to the n00bs in the room), Stuxnet by all indications is the product of a professional, well-funded covert organization, perhaps from Israel.

James Bond meets William Gibson? Or perhaps Spielberg’s Munich for the twenty-first century? On the contrary, the Stuxnet story is not a typical spy story set in a post-9/11 world. No, Stuxnet is a warning call, not just for the global political sphere, but for private enterprises as well. The same warning call as ZapThink’s Cyberwar Crisis Point.

Stuxnet Thought Experiments

Lest you think that Stuxnet isn’t relevant to the day-to-day in your own IT department, let’s present several questions to mull over. Answer these questions as truthfully as you can.

Q: Is the expertise that Stuxnet required so difficult to assemble that it’s unlikely any other covert organization would be able to create another attack of the same or greater level of sophistication?

A: Not on your life. Now that we know such sophistication is possible, anybody with a sufficient bankroll could gather the expertise needed to create a similar attack—or a better one.

Q: Does the fact that Stuxnet targeted a specific type of industrial control system mean that my mission-critical applications aren’t likely to be a target?

A: If anything, Stuxnet’s apparent political motivation is more the exception than the norm, as money wasn’t the goal of the attack. However, banking systems, credit card processing systems, and other technologies that deal directly with money are far more obvious and lucrative targets.

Q: Stuxnet’s use of four zero-day Windows attacks was unprecedented. Is it likely then that another attack that leverages multiple zero-day attacks would be impossible?

A: We’re talking about Windows here, right?

Q: Fair enough. That’s why our critical infrastructure is Windows-free. Is our Unix/Linux/Mainframe/Apple/“anything else not Microsoft” technology immune to sophisticated attacks like Stuxnet?

A: Remember, Stuxnet leveraged Windows but targeted proprietary SCADA software from Siemens, which means that the Stuxnet team had to possess systems that ran that software in order to develop and test the worm. Getting a copy of Unix or even a mainframe is quite a bit easier.

Q: Now that Stuxnet has been neutralized, are the anti-malware organizations able to prevent attacks of similar levels of sophistication?

A: Perhaps to some extent, but who’s to say the next attack won’t be even more sophisticated?

The bottom line: there’s no reason to believe Stuxnet is unique, either in its sophistication or its target. The global Cyberwar has just reached a new level, so you had better be prepared.

Enterprise Response to Stuxnet

Even for those enterprises who take Stuxnet-type threats seriously, there is still the question as to what they should do better or differently now that they know that Stuxnet-type attacks are feasible. After all, you’re already doing everything practical to secure your systems and networks, right? What else should you do?

There is no easy answer, of course, but the ZapThink 2020 vision helps organizations address such issues within the context of all the forces of change impacting organizations today. In the ZapThink 2020 context, Cyberwar (or the threat of Cyberwar) drives a realignment of IT governance initiatives, leading to what we call “Next-Generation Governance.” Next-Generation Governance repositions governance as the primary mechanism for ensuring that IT meets changing business needs, while conforming to dynamic policies that are important to the organization. This shift away from today’s integration-centric IT environments to governance-centric approaches is all part of the Complex Systems Engineering Supertrend.

The threat of Cyberwar is not a specific risk, but rather the realization that there is an always-changing set of risks facing the enterprise. Taking the “find a vulnerability, fix a vulnerability” approach, while still necessary, becomes only one facet of a more dynamic approach to security. In other words, security must leverage the business agility benefit that Complex Systems provide where traditional, integration-centric systems cannot.

The ZapThink Take

“Cyberwar” is a catchy term to say the least, but don’t let its science fiction flavor fool you. The stakes are as high as with any war, even though there are fundamental differences between Cyberwar and conventional warfare. First and foremost, it can be difficult to identify the participants, either the aggressor or the target. Secondly, the participants are more likely to be corporations than governments (even though Stuxnet appears to be government-related). And finally, the weapons are inherently dynamic. In many cases, the aggressor can only use a particular weapon once, so building defenses against all known weapons is inherently inadequate.

Even with Stuxnet’s obvious sophistication, it appears that it has a particular aggressor with a specific target. There is no reason to expect that pattern to be generally true. You might find your organization is a target, not because of any specific desire on the part of the aggressor, but simply because you were caught in the crossfire of a shotgun attack.

And finally, Cyberwar is likely to be asymmetric, where the target is unlikely to mount a cyberattack against the aggressor, or at least, a retaliatory response would be quite different from the original attack. In this way Cyberwar follows the pattern of terrorism, where a small group of fanatics attacks much larger organizations than their own, and the aggressors are generally immune to similar counterattacks.

Getting ahead of the problem, therefore, is quite difficult, just as it is with terrorism. If you stick with traditional security approaches, expect the next ten years to be filled with surprise attacks, difficult remediations, frantic adjustments of security protocols, followed once again by surprise attacks. The only way to get out of this vicious cycle is to think differently about how to deal with this inherently dynamic and unpredictable set of challenges and take a Complex Systems approach instead.