It sounds like the title of a wonderfully bad sci-fi B-movie, but it’s actually happened: the International Space Station is infected with a computer virus. Not only is it infected, it’s infected with a famous virus, Stuxnet, which was (allegedly) used to cripple Iran’s nuclear weapons program. Originally designed specifically for infecting Iranian nuclear power plant systems, Stuxnet has since “gone rogue” and is now doing its dirty work around the globe. The virus was designed to be spread not only via network connections, but through flash drives and disk drives as well, primarily because many nuclear power plant control systems are too old to be connected to the internet, which is a scary thought on its own. In the case of the ISS, Stuxnet stowed away on a USB thumb drive brought on board by an astronaut.
What this means for you:
As the story above illustrates, humans continue to be the weakest link in the chain of security. You can spend tons of money on securing your technology, but it can all be blown away by a $10 thumb drive and 30 seconds of careless behavior. A big part of security is training your people not only on what NOT to do, but also on how to be vigilant and careful. As a society, we are starting to understand just how pervasive malware has become, but there are still a surprising number of people who continue to be caught off guard and impacted negatively. Given that this paradoxical and very human behavior isn’t limited to technology risks (think about drugs, alcohol, tobacco, base jumping, junk food, etc.), it’s no wonder malware has continued to thrive despite its destructive nature.
In August of this year, one of the world’s largest oil producers, Saudi Aramco, was targeted in a cyberattack that crippled tens of thousands of its computers. Despite the apparent success of the attack and the impact this would have had on the company’s operations, oil production did not falter, and the global economy continued its drunken flirtation with failure instead of rushing into an oil-shortage-fueled orgy of self-destruction. Saudi Aramco has not been forthcoming on the details of the attack, or how they managed to survive it relatively unscathed, but in the eyes of security analysts and even our own Secretary of Defense, Leon Panetta, this attack was “probably the most destructive attack that the private sector has seen to date.”
There are conflicting reports about the motivation behind the attack. The hacktivist group “Cutting Sword of Justice” has claimed responsibility, citing the act as a strike at the House of Saud, the ruling body of Saudi Arabia. That claim contradicts security analysts who believe the attack to be a state- or government-sponsored reprisal for the Stuxnet attacks that crippled the Iranian nuclear program. Besides being intended to cripple oil-dependent economies like the US, government-backed cyberattacks on companies like Saudi Aramco can also yield proprietary geological survey data that could be extremely profitable for other, competing state-sponsored oil companies.
What this means for you:
Information is power, and there are very few companies that don’t store their most valuable data on computers and servers that are somehow connected to a network, if not the internet itself. Even if they had the best security known to man, it’s believed that at least one individual inside Saudi Aramco provided the means for attackers to compromise a company that produces 12% of the world’s oil. You should never rely 100% on technology alone for security – humans will always be more fallible than computers. Additionally, it’s important to provide some level of separation in your core business operations so that if a segment of your business is paralyzed, the entire operation doesn’t grind to a halt because the computers are offline getting repaired.