More damaging to Iran's nuclear facilities than bombs, Stuxnet worm demonstrates cyber warfare is next big threat

More information about Stuxnet continues to dribble out, and each new fact and rumor never fails to astound me. As covered by InfoWorld’s Robert Lemos, the New York Times reported that a U.S.-Israeli team accessed inside information in creating Stuxnet to wreak havoc on Iran. Most of the report was anonymously sourced, so it’s impossible to tell how much of it’s true. Still, the tone doesn’t seem overly speculative — and suggests Stuxnet is a revealing study in the future of cyber warfare, with potentially greater damaging force than a heavy bomb attack.

Stuxnet was easily the world’s most successful cyber warfare attack to date and an incredible study in the future of the field. If the Times article is correct, the programming code of Stuxnet was more effective than any bomb run could have been. While the Stuxnet worm was purportedly spinning the Iranian nuclear facility’s centrifuges to the point of damage, it was simultaneously sending false “Everything is OK” signals to the control equipment, and the engineers sat by (at least initially) as the destruction occurred.

Most nuclear facilities are air-gapped, meaning that it’s relatively difficult to get the destructive worm into its target site or sites. To counter these protective measures, it seems that the original Stuxnet coders either had trusted insiders initiating the worm’s spread or relied upon compromised USB keys or management computers.

A lot of readers have commented on how a U.S. laboratory worked with Siemens (the vendor of the centrifuges’ control equipment) to find exploits not known by the general public. Although this might seem alarming at first, we have to assume cyber warfare groups have been doing the same with general-purpose operating systems, applications, and war-specific equipment.
Most cyber warfare groups are likely to be sitting on dozens to hundreds to thousands of nonpublic exploits, ready to use when needed. Heck, it would be negligent for a cyber warfare team not to have such inventory. I know for sure the United States was doing similar research at least five years ago, when a friend began working for a military subcontractor and described to me his general role. Other countries have probably been doing this for a long time, along with most crimeware organizations. It’s the world we’ve been living in for a while.

How can end-users and vendors fight back? The obvious answer is to work hard (or harder) at finding vulnerabilities and closing them before they can be used against a general populace. Vendors of general OSes and apps are continually updating their wares, including making them more secure; the vendors of firmware and SCADA (supervisory control and data acquisition) software really need to get started on fixing vulnerabilities. Until now, these vendors haven’t had a significant incentive to proactively find and eliminate vulnerabilities. But now that their products are under attack, they need to realize they’re involved in what has previously been a very asymmetric battle. Stronger products with fewer vulnerabilities help everyone. The city/state-funded cyber warfare gangs will always find and securely store found vulnerabilities; I’d like to make it a little harder for the professional criminals and less restrained attackers to cause large problems.

With the announcement of the purported success of Stuxnet, the next-generation arms race is on. Ironically, while Stuxnet has possibly slowed down the international proliferation of nuclear arms, it’s also officially launched the next big weapons battle.