Stuxnet. A War Among Nations – Why Should IT Managers Care?

It is the first time in history that a virus has been turned into a military missile. It infected over 100,000 computers worldwide and yet caused damage to only computers inside Iranian Nuclear facilities in Natanz and Bushehr. Better than a bomb, it was sabotaging the Iranian nuclear program for more a year and half without notice, nor explanation for the stalled progress. In fact, Stuxnet virus is still causing damage to that program as evidenced by a total halt in operations for a week during a month of November 2010.

Why should we, private citizens and businesses, care if a suspected conglomerate of intelligence agencies from the West got together to build the most complicated virus ever created with 15,000 lines of code that estimated by experts to have taken 10,000 man hours to build? Why should IT firms be concerned with the exploits of a unique weapon that can’t be adapted to anything other than the Iranian nuclear equipment?
What this virus has done is the equivalent of a tactical conventional strike on the Iranian nuclear program, less the human loss of life, less the open war, less the disruption of oil supplies, and plus the open ended situation to which Iranian experts still have not foreseeable solution. Most new weapons are created by states and subsequently become adapted for use among the general industry and population. The genie has been let out of the bottle and now it is up us to plan and foresee the future of our operations, our infrastructure, and our data. While Stuxnet itself is not coming to the computer near you, and even if it does you will not know it nor will it ever do any damage, this is the just opening salvo among nations, private enterprise, and hackers. Future attacks will not be aimed just at slowing your network Down, nor just at stealing data. The concept of targeting equipment, while masking its misuse has been validated and is the most dangerous threat to date because the breach is continuous and not detectable.

It is not just for public corporations. Businesses of all types have to plan for various kinds of business interruption events that could cause a disaster. Business interruption can be caused by fires, earthquakes, sabotage, regular viruses, and planned intrusion attacks, among others. Setting up on-site and off -site backups is not all that companies need to do. To weather the storm, businesses need to create a comprehensive plan to continue functioning, regardless of the interruption. Some things to consider are alternative office space, PCs, desks, chairs, transition process, data migration, PC and server imaging image retention.

Having backups in today’s competitive and technology dependent environment, where many documents are never converted into hard copy form, is not only a prerequisite to a minimal business continuity, it is flat out insufficient. A prudent IT Manager usually considers such as the frequency of backups to ensure that any data loss would not cause a serious loss of data. Also, a not to be overlooked is the issue of a period of retention of backups. Many online/offsite backup solutions offer extended backup periods. This is highly important because we see it all the time; some subset of data was corrupted, erased, or sabotaged only to be discovered after the backups have been erased. Speaking of subbotage, disgrunteled or incompetent employees erasing data is an enormous risk and a vulnerability because they know best the weaknesses of the system. Companies with poor internal IT controls  usually have very little ability to mitigate this risk and even less recourse after the fact. Therefore, it is critical for IT Managers to setup and enforce very detailed access levels, password security, and logging of activity.

A critical aspect of today’s operating environment is business owners’ recognition that maintaining control, security, and integrity of their business technology infrastructure is not a hopeless task. Business continuity planning and IT process optimization could be a source of a competitive advantage, when approached with serious understanding of the potential benefits that they can bring to any organization’s effectiveness. The converse of that approach is the increased exposure to either intentional or happenstance subversion of the organization’s process, as the Iranians have so unwillingly demonstrated to us