Tuesday, July 29, 2014

Information security incident: Stuxnet virus

Stuxnet, a 500-kilobyte computer worm that was hard to detect quickly, exploded onto the scene in June 2010 with an unprecedentedly skillful three-phased attack. It marks a turning point in geopolitical conflicts: scenarios once imagined only in movies have finally become plausible. The worm can "exploit flaws in Microsoft Windows to spread on stand-alone systems via USB memory sticks" (Economist). The sophistication of the worm has strengthened experts' belief that attacks this advanced and persistent are only possible with the sponsorship of nation states. Stuxnet is openly acknowledged as a joint U.S.-Israel project that reportedly destroyed a fifth of Iran's nuclear centrifuges by causing them to spin out of control (Kelly B Michael, 2013).

Figure: How Stuxnet worked (David, 2013)

On a global scale, industrial and military facilities use industrial control systems that depend on a network of contractors worldwide; hence, enforcing compliance with a uniform set of security standards is difficult to achieve. Computer forensics revealed the nature of the advanced persistent attack: the first phase went undetected because it did not cause any explicit damage. It set the stage for the next phase, 5 years later, which altered the pressure at the valves and spun the uranium centrifuges out of control.

The issues of ethics and law become blurred, because Stuxnet raises the question of cyber warfare for defensive purposes. The impact of Stuxnet was a successful setback of Iran's nuclear program by 2 years, and forensic evidence cannot definitively link the virus to the United States or Israel, which Iran considers hostile nations. Responsible nations like the United States must have coordinated with global security governance if they indeed executed the attack. It would be scary if hackers or cyber criminals got hold of the worm, since it is so powerful.

FireEye has reported increasing sophistication in Iranian attacks targeting US defense organizations. FireEye offers a purpose-built, virtual-machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber-attacks. Real-time, dynamic threat protection is used to protect organizations across the primary threat vectors and the different phases of the attack life-cycle (FireEye, 2013).

Stuxnet carried real security clearances that had been stolen, exposing security lapses and loopholes in industry standards and regulations. The principle of discrimination in just-war theory requires combatants to identify legitimate targets; terrorism ignores this requirement and therefore invokes moral condemnation. The principles of attribution, which is not only an issue of moral and criminal liability for attackers and defenders, are not clearly defined because of the lack of international agreements.

National cyber policies have to be supported by consistent and effective principles, agreed before any use of cyber weapons, to determine the integrity of attacks or counter-attacks. Under the McCumber Cube model, the processing and transmission of information are critical because of the sensitivity and impact of that information (Patrick et al., 2013). Using the cube model allows a better assessment of all the security risks that need to be considered.

German security expert Ralph Langner, who deciphered the Stuxnet attack, released a proposal for a cyber-security framework called Robust ICS Planning and Evaluation, or RIPE. The risk-based, NIST-led cyber security framework is notorious for its lack of enforcement of security policies for contractors. The NIST cyber security framework lets organizations set the direction of their adoption of the framework on the basis of the implementation tier they are categorized into, which reflects the maturity of their security status (Kelly, 2013).

An organization can choose tier zero as its target implementation tier, which means a completely immature cybersecurity process, and still conform to the cyber security framework. RIPE details eight areas of the industrial plant system that should be documented and measured to determine the security posture:
  1. System population, or software and hardware inventory
  2. Network architecture, including a network model and diagrams
  3. Component interaction, or process flow diagrams
  4. Workforce roles and responsibilities
  5. Workforce skills and competence development
  6. Procedural guidance and standard operating procedures
  7. Deliberate design and configuration change
  8. System acquisition or procurement guidelines

RIPE is a very practical approach, with insights from industrial plant floor operators, for locking down the security environment. RIPE has the potential to influence the NIST cyber security framework as it evolves toward its final form (Kelly, 2013).

Works Cited

David Kushner. "The real story of Stuxnet." spectrum.ieee.org, 2013. http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
FireEye. "FireEye reveals rise in advanced threat activities by Iranian-linked Ajax Security Team in post-Stuxnet era." fireeye.com, 2013. http://www.fireeye.com/news-events/press-releases/read/fireeye-reveals-rise-in-advanced-threat-activities-by-iranian-linked-ajax-security-team-in-post-stuxnet-era
Kelly, B. Michael. "The Stuxnet attack on Iran's nuclear plant was 'far more dangerous' than previously thought." businessinsider.com, 2013. http://www.businessinsider.com/stuxnet-was-far-more-dangerous-than-previous-thought-2013-11
Kelly Jackson Higgins. "Stuxnet expert proposes new framework for ICS/SCADA security." darkreading.com, September 4, 2013. http://www.darkreading.com/stuxnet-expert-proposes-new-framework-for-ics-scada-security/d/d-id/1140411?
"The meaning of Stuxnet." The Economist, October 2, 2010. Retrieved July 30, 2014, from http://www.economist.com/node/17147862/print
Patrick Lin, Fritz Allhoff and Neil C. Rowe. "Computing ethics." Journal article, 2013.

Tuesday, July 15, 2014

Cloud Computing deployment and service models

Cloud computing can be defined as a large pool of easily accessible and usable virtualized resources, such as hardware, development platforms and software services, which can be dynamically reconfigured to match a variable load and so optimize resource use. Cloud computing is likely to follow the technology adoption cycle of its predecessors, though different national policies and labor markets may lead to different speeds of adoption (Federico Etro, 2013).

Cloud computing characteristics (Dialogic, 2013):
  • Virtualized infrastructure: sharing of physical servers, storage and networking capabilities to optimize resources and reduce setup and operating costs
  • Dynamic provisioning: automatic reconfiguration that expands and contracts service capabilities to match current demand
  • Network access: access over the internet from a broad range of devices, from traditional PCs and laptops to mobile devices
  • Managed metering: metering for managing and optimizing the service and for providing reporting and billing information
Figure: Cloud computing deployment models (Victoria Kouyoumjian, 2010)

Figure: Cloud computing service models (Victoria Kouyoumjian, 2010)

Figure: Comparison of private, public and hybrid deployment models (Brian O, 2013)

Private Clouds:

In private clouds, services and infrastructure are maintained on a private network designed solely for a specific organization, thereby offering the greatest level of security and control. A private cloud can be on-site at a customer's premises or managed by a third party. Organizations like educational institutions would choose a private cloud because they are able to "enjoy the benefits of virtual servers without compromising security policies or overall system flexibility" (Stern, 2014). The added security comes at an added cost. Since the cloud is not shared publicly, the client has to bear the maintenance and operational costs, and before incurring those, a private cloud usually requires an initial investment. Small-to-mid-size companies should compare apples to apples, since there are so many costs involved.

The two private cloud deployment models are:
  • On-site private cloud: applies to private clouds implemented at a customer's premises
  • Outsourced private cloud: applies to private clouds where the server side is outsourced to a hosting company

Examples of private clouds are:
  • Eucalyptus
  • Ubuntu Enterprise Cloud, powered by Eucalyptus
  • Amazon Virtual Private Cloud
  • VMware cloud infrastructure suite, Microsoft ECI data center

Typical characteristics of a private cloud are:
  • Control and security of data and applications are of paramount importance
  • Conformance to strict security and data privacy requirements
  • Efficient maintenance of the software and infrastructure (Singh, 2011)

Public Clouds:
The cloud infrastructure is made available to the general public or a large industry group and is owned by the organization selling cloud services. A major advantage of a public cloud is the potential cost savings. Instead of having IT staff on site to maintain a private cloud, a public cloud is maintained off site by the service provider. Compared with a private cloud, companies can control how big or small they want their IT infrastructure to be, usually on a pay-as-you-go basis. The IT infrastructure can be controlled in a private cloud as well, but companies have to commit extra funds to buy additional software.

Examples of public clouds:
  • Google App Engine
  • Microsoft Windows Azure
  • IBM SmartCloud
  • Amazon EC2 (Singh, 2011)

Many companies avoid public clouds because they are concerned about security. To lessen the risk, companies can deploy systems such as intrusion detection and prevention systems (IDPS). These systems are much stronger than ordinary firewalls and are designed to prevent attacks. While this can alleviate security concerns, some companies also have a duty to meet compliance requirements under Sarbanes-Oxley, PCI and HIPAA (Stern, 2014). Unfortunately, not every vendor promises to meet these compliance requirements, so companies need to research cloud vendors and understand what they provide.

Community clouds:
The cloud infrastructure is shared by several organizations and supports a community with shared concerns about mission, security requirements, policy and compliance, such as governmental departments, universities and central banks. Google Apps for Government is a good example of a community cloud. Community clouds also have two possible scenarios:
  • On-site community cloud: applies to community clouds implemented on the premises of the customers that make up the community
  • Outsourced community cloud: applies to community clouds where the server side is outsourced to a hosting company


Hybrid Clouds:
This type of cloud infrastructure was created for organizations that were not ready to move to the public cloud. The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by common technology to help migrate data and applications for load balancing. Companies have "concerns over reliability and out-of-the box support for custom business-critical applications" (Dover, 2014). Companies that struggle to choose between their expensive in-house technology systems and cloud systems are able to have both. To build a hybrid cloud, a company would ideally work out which applications and data it will maintain on site, and which others, such as analytics or mobile technology, will be maintained in the cloud (Guido, 2014). VMware vCloud offers hybrid cloud services.

Figure: Hybrid cloud (Rackspace.com)

Logistics Clouds: IT strategies across transnational organizations (Logical, 2013)
Logistics businesses of all sizes, and especially small businesses, can reduce the transaction costs of B2B cooperation, compete and collaborate with global players, and promote collective and sustainable modes of transport. The challenge is to balance the interests of stakeholders, businesses, policy-makers and consumers, and to regulate laws and adopt policies for internet usage and international data flows, since different countries have approached net neutrality from different angles.

The transnational internet connectivity market has improved service and offers attractive pricing by encouraging additional investment in backbone and local access networks and internet exchange points (IXPs). Market-based policies such as auctions, flexible use, spectrum sharing and spectrum trading have to supplement slow, bureaucratic processes (ITU, 2013).

The six major central European logistics hubs have multi-modal infrastructure; they include the Airport of Leipzig/Halle, the main hub for DHL in Europe; Interporto Bologna, the largest inland freight village in Northern Italy; and the Port of Koper, one of the most important sea harbours on the Adriatic (Logical, 2013).

  • Infrastructure providers such as sea and inland ports, freight villages and airports are engaged in fierce international competition, and creating the best possible framework for business operations is their top priority
  • Logistics operators can use software-as-a-service offers to increase their IT competitive advantage
  • Local and regional promoters of economic development support logistics hubs, as they are major contributors to economic growth, tax income and the labor market
  • Universal data standards are established for cloud computing logistics

Works Cited