McAfee Plans Emergency Response To Cyber Warfare Threats

DW : We recently saw the damage Stuxnet caused in Iran. The bug also managed to infect Indian systems. How does that happen? What was the damage to India?

Rakesh Kharwal: Stuxnet worm infected power plant installations in Iran and Indonesia and India was the third largest infected nation. This is how it worked; Centrifuge machines at the Bushehr plant were being controlled by standalone systems running SCADA. There are evidences that indicate that the Stuxnet worm found its way into the Bushehr nuclear plant through the infected laptops of maintenance engineers. To elaborate, maintenance engineers using Microsoft windows were the first target. They took their infected pen drives to the plant (after a virus scan which was unable to spot Stuxnet) for running routine diagnostics on the control systems. Once inside SCADA, it took control of all the systems. But, most interestingly, Stuxnet only targeted a system if it had Siemens software. When it entered SCADA, Stuxnet did not make the control systems go haywire or stop the machines abruptly. Instead it tweaked the controls so as to make the centrifuge yield very little without going defunct. Subsequently, the centrifuge machines, during the productive period, worked so inefficiently that they hardly enriched any uranium quantity before going out of order. Vulnerabilities in critical infrastructure were introduced over time as the antiquated systems of, for example, power companies were connected up to the Internet for such capabilities as remote management and reporting purposes. While these capabilities make the power companies more efficient, they also provide entry points for cyber attackers.

DW : Can you name other worms that work in the same manner and elaborate on the damage it could cause?

Rakesh Kharwal: Duqu- It is a stuxnet like worm that creates files with the file-name prefix DQ. It has general remote access capabilities which help attackers to gather intelligence from a private entity to aid future attacks on a third party. Flame-It is a virus for targeted cyber espionage in Middle Eastern countries. When the virus enters the systems, it can release back-door programs, and cover all major possibilities to gather intelligence, including keyboard, screen, microphone, storage devices, networks, Wi-Fi, USB and system processes.

DW : What happens in cases where cyber attacks are launched by countries- as in the case of the Stuxnet virus which was launched by the US and Israel to cripple Iran's nuclear infrastructure? How can McAfee help in this context?

Rakesh Kharwal: McAfee's policy is to not speculate on attribution, or to comment on speculation of attribution to a particular country or countries. Threats come from all over the world. It’s not any single country. Our goal is to try to block those threats, regardless of where they come from. McAfee is a unique position because of our broad portfolio and expert knowledge of critical infrastructure. We leverage endpoint; network and data security technologies tailored for SCADA and industrial control environments.

DW : Could you identify bugs that have been specifically designed to bring down India’s infrastructure?

Rakesh Kharwal: We do not know of any India specific attacks as such. However cybercrime has no boundaries. Stuxnet is a prime example. It was designed for a specific purpose, for a specific country and it also impacted other countries, including India. Critical infrastructure will always get targeted in most countries and India is no exception to this. There is a thriving cyber crime industry, sometimes also state sponsored. Hence, all organisations & governments need to adopt appropriate counter measures to protect their infrastructure.

DW : How effective would the CERT-IN (Computer Emergency Response Team India) be in case of such an attack?

Rakesh Kharwal: CERT –In is doing its best to keep a close watch on the emerging threat landscape and provide appropriate policy guidance and preventive counter measures to Federal government, state governments, PSUs and the industry in general. It very closely works with all the major security companies including McAfee and also CERTs across the globe to share and exchange notes on the emerging threat landscape and preventive counter measures. However CERT-In alone cannot prevent such attacks from taking place. Security is everybody’s business. All organisations, govt institutes, must be proactive about addressing the security challenges individually as well as collectively.

DW : Wouldn’t the creation of the National Critical Information Infrastructure Protection Centre (NCIPC) and quickly respond to possible attacks?

Rakesh Kharwal: At this point of time we are not clear on the role and responsibilities of NCIPC. However any institute dedicated fulltime to protecting critical infrastructure will always help in proactively addressing the challenges from the emerging threat landscape.

DW : What is the Supervisory Control and Data Acquisition (SCADA) system?

Rakesh Kharwal: SCADA or Supervisory Control And Data Acquisition is a large scale control system for automated industrial processes like municipal water supplies, power generation, steel manufacturing, gas and oil pipelines etc. SCADA also has applications in large scale experimental facilities like those used in nuclear fusion. SCADA systems monitor and control these operations by gathering data from sensors at the facility or remote station and then sending it to a central computer system that manages the operations using this information. The sheer size of the operations demands that the control system be equally elaborate to handle the requirements. This is where SCADA scores. The SCADA system is equipped to manage anything from a few thousands to a million input/output channels. The technology is still evolving and we can expect an expansion of the market for SCADA. A full-fledged SCADA system is made up of signal hardware for input/ output, networks, control equipment, user interface (sometimes called the Human-Machine Interface or HMI), communication equipment and the software to go with it all. And here we are talking about the central command system of SCADA. The central system is often miles away from where the operations take place. Thus the system also needs on-site sensors to collect and monitor data.

DW : What is the Smart Grid Cyber Security?

Rakesh Kharwal: McAfee in conjunction with the Pacific Northwest National Laboratory (PNNL) conducted a survey to assess the vulnerabilities of smart grids. According to this report, the biggest challenge for critical infrastructure and energy sector owners and operators is how to effectively secure their control systems within their governance and technical domains in an active and capable advanced persistent threat environment. As information and communication technology advances and becomes integrated into power system operations and planning functions, smart grids are created, which yield greater visibility into the state of the system and advancements in control to enhance system efficiencies. Despite the significant benefits of the dynamic nature of the power grid, it was not designed keeping cyber security in mind. In India, many critical infrastructures are public sector undertakings and hence are owned by the government. Because of their inherent economic importance, such assets make strong targets for political sabotage, data infiltration and extortion. The standard perimeter security solutions today cannot protect against the advanced persistent threats directly targeting government establishments and national critical assets. One needs to look at security more pro actively, build more layers of security including database protection, critical server protection, and protection for SCADA systems with centralized integrated risk management & monitoring solutions.