From: National Defense Magazine
By Stew Magnuson
A growing black market for zero-day vulnerabilities is allowing almost anyone with the cash to buy the means to launch destructive cyber-attacks against U.S. industrial control systems, a senior Defense Department official said Feb. 22.
Zero-day vulnerabilities are previously undiscovered security holes in software such as Microsoft products. There has been a black market for those willing to sell knowledge of them for years. That market has now moved into the world of supervisory control and data acquisition (SCADA) systems that run power plants, said Eric Rosenbach, deputy assistant secretary of defense for cyber policy.
The black market for potentially destructive malware is being made easier by Google-like search engines that connect those who have discovered the vulnerability with customers who have the money to buy the knowledge. That may include nation states, terrorist groups or even individuals who want to make their mark on history, he said. They connect on the so-called “darknet,” a loose term for underground communications on the Web.
“That to me is scary,” he said at the Armed Forces Communications and Electronics Association Washington, D.C. chapter cybersecurity symposium.
Zero-day vulnerabilities were famously used in the so-called Stuxnet operation that attacked SCADA systems attached to Iran’s nuclear program. In that case, malware disrupted the normal operation of centrifuges used to enrich uranium.
Stuxnet brought attention to how industrial control systems can be used to cause physical damage to such facilities as power plants, dams, and other critical infrastructure. This tactic may allow an adversary to cause physical and economic damage to a target country without launching a military operation. They may also be able to do so without being detected.
Attributing such attacks has been a problem in the past, but Rosenbach said that is changing. A recent report by cybersecurity company Mandiant was able to nail down the exact location of a concerted effort on the part of the Chinese military to steal intellectual property from U.S. corporations.
“Attribution is getting a lot better inside and outside the government,” he said.
SCADA systems were generally designed before cyber-attacks became a problem and therefore did not have security features built in. They were made with programs that could be easily changed on purpose, and their coding was once widely shared, he added.