Platt Perspective on Business and Technology

Stuxnet and the evolution of vulnerabilities emergent to system complexity

Posted in business and convergent technologies by Timothy Platt on October 29, 2010

This is my fifth posting in a developing series on cyber conflict, that I started writing and posting here in response to the release of the Stuxnet computer worm as a weapon of cyber warfare. I have posted the preceding four installments to this at Ubiquitous Computing and Communications – everywhere all the time as postings 58 through 60 and 62. I also write this posting as a direct continuation of part four of this series: Stuxnet and the Evolution of System Vulnerabilities and as a continuation of a discussion I started there on a list of seven vulnerability categories I outlined.

I touched in at least some detail on the first six risk categories in that posting and left the final one, number seven, for this posting. I chose to discuss that point separately because it constitutes a new and still emerging category of threat, one that has not generally been considered in standard information and online security assessments or in due diligence remediations and responses. Repeating the core idea of that point here, I will be focusing today on:

• Complex systems and systems of components that cannot be fully mapped and understood for potential risks and vulnerabilities at a piece by piece, component by component or simple subsystem level.

This definitely includes emergent system nonlinearities, where the properties and behavior of the entire system cannot be fully, or perhaps even significantly, captured by simple, linearly scalable models based on system subsets. The term usually applied in this type of discussion is emergent behavior, and I use it here in that sense.

For the purpose of this discussion I would approach computing and information processing and sharing systems in two distinct but important ways, which I will distinguish by proposing two new terms.

• An elemental system is an information processing system of hardware, software and business process rules that is set up to meet the needs and carry out the processes of a single organization or of an intended association. This may be locally organized and cut off from the internet by an air gap, as would be the case with a SCADA system that is deliberately isolated from any direct online connection for security purposes. It can, alternatively, be a system that is explicitly connected into and accessible through conventional online mechanisms and protocols, as would be the case with an IT system that intentionally supports extranet and/or intranet/internet functionality.
• A complex system is a higher level system consisting of two or more at least potentially interacting elemental systems, each of which also retains its identity as a separate system in its own right. The primary working example I would cite here is the combination of the attacked or targeted elemental system and the attacking elemental system: yes, the two together constitute a nontrivially defined single system for the purposes of cyber security and for defining and understanding cyber conflict. Any third and further elemental systems that are drawn in would, in conventional warfare terms, be designated as having received collateral damage, so those systems should in general be considered part of the complex system too.

I would start at this point in outlining the application of this approach by citing a very real world example where a failure to recognize emergent system properties or behavior leads directly to increased risk and vulnerabilities. And I recount something of a conversation I had with a ranking government official – I will not say which government, about the critical information infrastructure they were specifically tasked to protect and safeguard. This was about two years ago, so any risk assessment disagreements I expressed that I may hint at here have already been addressed. And the topic of conversation focused in significant part on denial of service attacks. I add that this conversation took place not long after a low level but eye opening event that involved this form of attack.

To offer a scale benchmark: as of this writing it is believed that upwards of 90% of all emails sent worldwide on any given day constitute intentional spam. The real and legitimate data flow moving through the internet is a minority within the overall volume of data sent. Spam blocking and filtering tools and a host of other online resources struggle to limit the effect of all of this background noise in this largest of all possible complex systems, and targeted efforts to overwhelm those filtering and screening resources can and do succeed in bringing down targeted elemental systems, and even networks of such systems.

In a cyber warfare context, I am of course describing what might be considered a classic denial of service attack, where the sheer volume of meaningless and spurious data packets overwhelms targeted systems by taking up and monopolizing all available bandwidth. This type of brute force attack can, to a substantial degree, be described at a simple level, but even here I would argue that there are essentially important nonlinearities in the complex system of attacker plus attacked. They come from the difference in ease and cost between identifying and blocking bad packets on the defender's side and simply sending them out to targeted IP addresses on the attacker's side: the defender must keep state and do work per source or per packet, while the attacker pays a small, constant cost per packet and can forge the source address of each one.
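The asymmetry described above can be made concrete with a small simulation. The following is an added example, not code from the original post, and it does not model any particular product or incident. It assumes a defender that rate-limits traffic per source address and can afford to track a fixed number of distinct sources (1000 here, an arbitrary choice), 100 legitimate clients sending from fixed addresses in 10.0.0.0/8 (constructed sample traffic), and an attacker who spoofs a fresh random source address on every packet. Legitimate traffic survives almost untouched until the number of distinct sources in one window crosses the table capacity, then collapses: the attacker's cost grows linearly with packet count, while the defender's only lever, table capacity, would have to grow at the same rate just to stay even.

```python
"""Toy model of why per-source filtering does not scale linearly against a
spoofed flood: the attacker pays a constant cost per packet, the defender pays
for per-source state, and that state is finite. Added illustration; the
capacities, client counts and addresses below are assumptions, not measurements."""
import ipaddress
import random
from dataclasses import dataclass, field


@dataclass
class PerSourceFilter:
    """Admit at most `per_source_limit` packets per source per window while
    tracking at most `capacity` distinct sources. When the table is full,
    packets from unknown sources are dropped (fail-closed). A fail-open variant
    would admit them instead, which simply lets the flood through; either way
    the state table, not the link, is the resource being exhausted."""
    capacity: int
    per_source_limit: int
    table: dict = field(default_factory=dict)
    dropped_no_state: int = 0

    def admit(self, src: str) -> bool:
        count = self.table.get(src)
        if count is None:
            if len(self.table) >= self.capacity:
                self.dropped_no_state += 1
                return False
            count = 0
        if count >= self.per_source_limit:
            return False
        self.table[src] = count + 1
        return True


def simulate_window(attack_packets: int, legit_clients: int = 100,
                    packets_per_client: int = 5, capacity: int = 1000,
                    seed: int = 1) -> dict:
    """One filtering window. Legitimate clients send from fixed addresses; the
    attacker sends `attack_packets`, each with a fresh random spoofed source.
    Arrival order is shuffled. Returns admission statistics for the window."""
    rng = random.Random(seed)
    # Constructed sample traffic: legitimate clients live in 10.0.0.0/8 (assumption).
    legit = [(str(ipaddress.IPv4Address(0x0A000000 + i)), True)
             for i in range(legit_clients) for _ in range(packets_per_client)]
    # Spoofed sources: any 32-bit value, one per packet, at constant cost to the attacker.
    attack = [(str(ipaddress.IPv4Address(rng.getrandbits(32))), False)
              for _ in range(attack_packets)]
    stream = legit + attack
    rng.shuffle(stream)

    flt = PerSourceFilter(capacity=capacity, per_source_limit=packets_per_client)
    legit_ok = attack_ok = 0
    for src, is_legit in stream:
        if flt.admit(src):
            if is_legit:
                legit_ok += 1
            else:
                attack_ok += 1
    return {
        "attack_packets": attack_packets,
        "legit_admitted": legit_ok / len(legit),   # fraction of legitimate packets that got through
        "attack_admitted": attack_ok,
        "sources_tracked": len(flt.table),
        "dropped_no_state": flt.dropped_no_state,
    }


def sweep(volumes=(0, 500, 2_000, 10_000, 100_000)) -> list:
    """Legitimate-traffic survival as attack volume grows. The curve is flat
    while distinct sources fit in the table and falls off a cliff once they do
    not: a nonlinearity that a per-packet, linearly scaled model never shows."""
    return [(v, round(simulate_window(v)["legit_admitted"], 3)) for v in volumes]


if __name__ == "__main__":
    for volume, survival in sweep():
        print(f"attack packets {volume:>7}: legitimate traffic admitted {survival:.1%}")
```

The knee in the curve is the point the linear model misses: below table capacity the filter does its job perfectly, above it the defender is choosing between dropping unknown legitimate clients (fail-closed) and admitting the flood (fail-open), and neither choice is improved by adding a few more table slots.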

The person I was talking with in this conversation was thinking entirely in terms of simple linearly scalable models and in terms of finding magic bullets in packet authentication and a few other low level approaches. The system he envisioned, I argued, could be readily overcome, if for no other reason than that it could not be scaled on the defender side with anything like the technology or cost-efficiency that an attacker could deploy, even just a loosely organized but serious non-governmental attacker as I discuss in part 3 of this series: Stuxnet and the Democratization of Warfare.

I left this conversation with a very uncomfortable feeling and I have been thinking about some of the basic issues raised since then.

I am going to continue discussion of these and related complex systems and of risk assessment and remediation for this risk category in my next installment in this series.
