Thoughts about Threats by „Virtual Bombs“
The German Federal Minister of the Interior, Hans-Peter Friedrich, has warned „that it is only a question of time until criminal gangs and terrorists have virtual bombs at their disposal“. While the term „virtual bomb“ is very vague by itself, the minister mentioned „malware“ as well. This is no surprise for security researchers. Malicious software has already been used for attacking companies. The infrastructure of whole countries has been attacked as well. Logic bombs have been used in the past, but they have never been used to wage warfare. They have been used for revenge by disgruntled employees or for blackmailing someone (as ransomware also does). Tools like this are used for very specific purposes (such as espionage or targeted destruction), but never for an all-out assault. Even a (D)DoS often has a very specific purpose and is not that useful all by itself. In addition, logic bombs lack the effects terrorists want to achieve: „The Internet is down!“ carries a lot less effect than dead bodies, blood and destruction.
So, where’s the threat then? Maybe the secondary effects of logic bombs can be amplified or aimed at specific parts of infrastructure, which in turn causes the desired effects. The cancelled talk of Dillon Beresford, security researcher at NSS Labs, is a hint. After a review from ICS-CERT and Siemens, the talk was removed from the schedule of TakedownCon, citing „serious consequences it may have to human lives and the world at large“. Beresford’s talk was about SCADA vulnerabilities. SCADA systems are computer systems that monitor and control industrial processes, infrastructure, or facility processes. These systems have become an interesting target for security researchers and attackers alike since the new generations of SCADA controllers have learned to access networks. It comes as no surprise that once you put something on a network and make it accessible, you have to address the security aspects of exposed systems. SCADA is only one example of components being „freshly on the Net“ or on networks.
If you are a SCADA developer, rely on SCADA, sell SCADA, are a member of a government, worry about infrastructure, or have found critical bugs affecting crucial infrastructure, please let us know. We need to talk.