
2020 International Conference on Computational Science and Computational Intelligence (CSCI)

Nonproliferation of Cyber Weapons

Dr. Jacob Benjamin, Professional Services, Dragos, Inc., Hanover, USA. Email: [email protected]

Dr. Michael Haney, Computer Science, University of Idaho, Idaho Falls, USA. Email: [email protected]

Abstract—The Treaty on the Nonproliferation of Nuclear Weapons has been the basis for international cooperation on stopping the spread of nuclear weapons. However, in the last twenty years, the world has seen the emergence of a new type of weapon, cyber weapons. The impact of these attacks in the physical realm is possible in part because of the convergence of informational and operational technology. This paper examines examples of cyber weapons and their impacts on critical infrastructure. Additionally, the paper discusses the differences between nuclear weapons and cyber weapons, identifies the challenges of disarmament, and postulates ways to overcome them.

Keywords—nonproliferation; cyber weapons; critical infrastructure; cyber attack

I. INTRODUCTION

Since 1970, the Treaty on the Nonproliferation of Nuclear Weapons has been the basis for international cooperation on stopping the spread of nuclear weapons [14]. However, in the last twenty years, the world has seen the emergence of a new type of weapon, cyber weapons. These weapons, while not physical in nature, can and have resulted in physical damage [17] [13] [9] [3]. Many of these weapons have the ability to contribute to mass destruction, such as the loss of safety functions in critical infrastructure, or radiological sabotage in nuclear and radiological facilities [9] [17] [13] [3]. A parallel can be drawn between cyber weapons and nuclear weapons. The similarities include their unavoidable impact on civilian infrastructure and the likelihood of mutually assured destruction in the event of nation states escalating conflicts. The Nuclear Nonproliferation Treaty and its three mutually reinforcing pillars (disarmament, nonproliferation, and peaceful uses of nuclear energy) could be applied to cyber weapons in an effort to deescalate these cyber-conflicts. This paper examines three examples of cyber weapons and their impacts on critical infrastructure as context to discuss the juxtaposition of nuclear weapons and cyber weapons. The authors identify challenges of cyber weapon disarmament, and postulate ways to overcome them in the drafting of a cyber weapon non-proliferation treaty.

II. EXAMPLES OF CYBER WEAPONS

A. Stuxnet

The first, and likely the most famous, is Stuxnet. Identified in 2010, it targeted a specific industrial control system (ICS), exploited several zero-day vulnerabilities, and succeeded in destroying a large number of centrifuges at the Natanz Nuclear Enrichment Facility in Iran [17]. Stuxnet targets Programmable Logic Controllers (PLCs). The PLCs at Natanz were used to control the centrifuges responsible for separating nuclear material [11]. Once it had infected the systems, Stuxnet caused the fast-spinning centrifuges to tear themselves apart. Experts have since analyzed Stuxnet and documented that it has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet [16]. The facility in Natanz believed the common ICS myth that their systems were protected from cyber-attacks because the systems were air-gapped, or physically isolated from other networks, including the internet [2] [4]. It is believed that Stuxnet was introduced to the Natanz environment via an infected USB drive, thereby jumping its air-gap [2]. Expert analysis determined that once loaded, the worm propagates across the network, scanning for Siemens Step7 software on computers used for controlling PLCs [5]. In the event the worm cannot find the software or the PLC, it becomes dormant [5] [2]. If it finds both the software and PLC, it installs the rootkit module onto the PLC and Step7 software [5] [2]. It also modifies the code in Step7 to send unexpected commands to the PLC, all while displaying a false loop of normal values to the operator's console [7]. U.S. General Keith B. Alexander stated, "he and his cyber have already launched their first attack. The cyberweapon that came to be known as Stuxnet was created and built by the in partnership with the Central Intelligence Agency and Israeli intelligence in the mid-2000s" [1]. Stuxnet, while not the first instance of , was the first known instance of a cyberweapon. This weapon was used successfully to diminish an adversary's capability of enriching uranium, commonly used for nuclear weapons [17].
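The false loop of normal values fed to the operator's console is a behaviour a defender can test for in the telemetry itself. The following is an added example, not code from the paper: a recorded loop repeats a captured segment exactly and a frozen display never changes, whereas genuine readings carry sensor noise and do not repeat value for value, so the check looks for an exact period in a window of readings. The readings, their nominal value and noise range, and the function names are all constructed here and are not from the paper.

```python
"""Flag replayed or frozen process telemetry.

Added example, not from the paper. A console fed a recorded loop of "normal"
values (the behaviour attributed to Stuxnet above) repeats a captured segment
exactly, and a frozen display never changes. Genuine readings carry sensor
noise and do not repeat value for value, so an exact period in the stream is
a strong anomaly signal. All readings below are constructed, not real data.
"""
import random


def exact_period(samples, max_period):
    """Smallest p <= max_period with samples[i] == samples[i - p] for every
    i >= p, or None. A period of 1 means the value is frozen."""
    for p in range(1, max_period + 1):
        if all(samples[i] == samples[i - p] for i in range(p, len(samples))):
            return p
    return None


def classify(samples, min_repeats=3):
    """Label a window as 'live', 'frozen' or 'replayed(period=p)'.
    The period must fit at least min_repeats times in the window so that a
    short accidental match is not reported."""
    max_period = len(samples) // min_repeats
    if max_period < 1:
        return "insufficient-data"
    p = exact_period(samples, max_period)
    if p is None:
        return "live"
    if p == 1:
        return "frozen"
    return f"replayed(period={p})"


def first_anomaly(stream, window=60, step=10):
    """Slide a window over the stream; return (offset, label) of the first
    window that is not live, or None when every window looks live."""
    for start in range(0, len(stream) - window + 1, step):
        label = classify(stream[start:start + window])
        if label != "live":
            return start, label
    return None


# Constructed readings: a nominal value of 1000 with +/-5 sensor noise.
_rng = random.Random(7)
LIVE = [1000 + _rng.randint(-5, 5) for _ in range(200)]
FROZEN = [1000] * 100
REPLAYED = LIVE[:30] * 7             # a 30-sample capture looped seven times
STREAM = LIVE[:100] + LIVE[:20] * 8  # live readings, then a looped capture


if __name__ == "__main__":
    for name, series in (("live", LIVE), ("frozen", FROZEN), ("replayed", REPLAYED)):
        print(name, "->", classify(series))
    print("stream ->", first_anomaly(STREAM))
```

The check compares exact values, which suits integer or quantized readings as delivered by a PLC; for floating-point telemetry the same idea applies after rounding to the sensor's resolution. An independent measurement path (for example vibration or power draw that does not pass through the compromised host) is the complementary control, since a replay detector only sees what the console sees.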

978-1-7281-7624-6/20/$31.00 ©2020 IEEE DOI 10.1109/CSCI51800.2020.00025

B. CrashOverride

Since Stuxnet, an alarming number of cyber weapons have been developed and released with varying degrees of impact [9]. Many of these weapons, such as Havex, BlackEnergy, and CrashOverride, specifically target the energy sector or the electric grid [9]. CrashOverride and Industroyer are two names given to the same malware that was employed in the December 17th, 2016 cyber-attack on transmission substations in Kiev, Ukraine [18]. The result of the cyber-attack was an undesired impact to Ukrainian electric grid operations, specifically a loss of power to one fifth of the city of Kiev for the period of one hour [18]. The malware was discovered by the Slovak internet security company ESET [9]. CrashOverride is unique as it was the first ever malware framework designed and deployed to attack electric grids [10]. The malware is a modular framework consisting of an initial backdoor, a loader module, and several supporting and payload modules [10] [9]. The creators of CrashOverride, perhaps inspired by Stuxnet, chose to understand and codify their knowledge of the industrial process to disrupt operations [9]. Analysis by industry experts at Dragos found that many of the capabilities of this cyberweapon were not used in the attack, indicating that perhaps this particular attack may have been intended to be more of a proof of concept than outright warfare [9]. The analysis also highlighted that several characteristics of CrashOverride indicate a significant step forward in the evolution of the cyberweapon tradecraft [9]. The characteristics include its modularity, scalability, and most notably, its codification of tactics learned from a previous attack on the Ukraine one year prior, in December 2015 [9].

C. Trisis

The evolution of sophisticated cyberweapons deployed against the energy sector continued to advance after CrashOverride, with Trisis. Trisis and Triton are two names given to the same malware, which was discovered in November 2017 after it was deployed against a petroleum and natural gas utility in the Middle East [3]. The malware, like Stuxnet, was tailored to attack ICS. Specifically, Trisis targets Schneider Electric's Triconex Safety Instrumented System (SIS) and enables the replacement of logic in the final control elements [3]. An SIS, like the Triconex, is responsible for maintaining safe conditions in the event other equipment or process failures occur [3]. They often operate independently of normal process control logic systems and are focused on detecting and preventing dangerous physical events [3]. Examples of uses may include stopping rotating machinery when a dangerous condition is detected, or stopping inflow or heating of gasses when a dangerous temperature, pressure, or other potentially life-threatening condition exists [3]. Experts do not currently know what the specific safety implications of Trisis would be in a production environment. However, alterations to logic on the final control element imply that there could be a risk to operational safety [3]. Initially, Russia was suspected to be responsible for the attack, but it was not conclusively determined. However, recently, the cybersecurity firm FireEye uncovered evidence that tracked the origin of the malware to a Russian government-owned technical research institute in Moscow [6]. FireEye managed to do this by examining how the attackers may have gained access to critical components needed to build the Trisis attack framework [6]. Fortunately, Trisis is not a highly scalable or easily replicated attack, because each SIS is unique [3]. However, Trisis does mark another step forward in the evolution of cyberweapon tradecraft, as it outlined a success path for adversaries to potentially increase the damage from their attacks by succeeding in diminishing or destroying the safety protections of a physical process [3].

III. CYBER WEAPONS VS NUCLEAR WEAPONS

The authors are interested in using the nonproliferation approach because of the similarities between nuclear and cyber weapons. However, they acknowledge it is not a perfect comparison, as there are many stark differences between them. The first of these is that nuclear weapons are built from materials that can be tracked and detected prior to being released, while cyber weapons can be built and tested without detection. Nuclear weapons may only be used a finite number of times. Cyber weapons may be duplicated indefinitely and continue to be effective until the targeted systems deploy effective mitigations. Defining what constitutes a nuclear weapon is straightforward and has already been achieved. Defining cyber weapons is not easy, as many weapons of a cyber nature may not be weapons unless used in a specific way. An example of this is the software known as "nmap". When used by a network administrator it helps with tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. However, that same software used by an attacker against an industrial network may result in severe damage and even life-threatening consequences. Equipment on industrial networks is often old and has little or no exception handling. Nmap's malformed packets may destroy the equipment or place it in an unsafe or unanalyzed state [19].

IV. DISARMAMENT CHALLENGES

There are many challenges to the disarmament of cyber weapons using the approach pioneered by nuclear nonproliferation. The first identified challenge is to define cyber weapon in such a way that it is clear and defendable in a court of law. The second challenge is to determine the best way to identify, attribute, and track cyber weapons. The third challenge, and possibly the most difficult to accomplish, is convincing nations to agree to the treaty and submit their existing stockpiles of cyber weapons for inspection. The last identified challenge is ensuring the protection of all of the data the international committee would compile regarding known cyber weapons. A central repository of cyber weapons would undoubtedly become a high-profile target for adversaries.
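The second challenge, identifying and tracking a weapon that has been trivially altered, is the one the authors answer in Section V with approximate matching such as ssdeep [8]. The following is an added example, not code from the paper and not ssdeep's own implementation: a compact context-triggered piecewise hash that follows Kornblum's construction (rolling hash picks chunk boundaries from the content, each chunk becomes one character, signatures are compared by edit distance), run over constructed sample bytes. The block-size rule, the FNV-1a chunk hash and the sample inputs are this example's own simplifications and assumptions, and the scores it returns are not ssdeep's exact scores.

```python
"""Simplified context-triggered piecewise hashing (CTPH) in the style of ssdeep.

Added example, not code from the paper and not ssdeep's own implementation.
It follows Kornblum's idea [8]: a rolling hash over the last few bytes picks
chunk boundaries from the content, each chunk becomes one base64 character,
and signatures are compared by edit distance. A trivial edit only disturbs
the chunk(s) it touches, so the rest of the signature still lines up.
"""
import random

BASE64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW, MIN_BLOCK, TARGET_LENGTH = 7, 3, 64
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193

class RollingHash:
    """Hash that depends only on the last WINDOW bytes (ssdeep's roll_hash)."""
    def __init__(self):
        self.window, self.n = [0] * WINDOW, 0
        self.h1 = self.h2 = self.h3 = 0

    def update(self, byte):
        self.h2 += WINDOW * byte - self.h1               # weighted sum of window
        self.h1 += byte - self.window[self.n % WINDOW]   # plain sum of window
        self.window[self.n % WINDOW] = byte
        self.n += 1
        self.h3 = ((self.h3 << 5) & 0xFFFFFFFF) ^ byte   # shift-xor of window
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF

def choose_block_size(length):
    """Double the trigger block until about TARGET_LENGTH chunks fit."""
    block = MIN_BLOCK
    while block * TARGET_LENGTH < length:
        block *= 2
    return block

def piecewise_hash(data, block_size):
    """One base64 character per content-defined chunk."""
    roll, chunk, out = RollingHash(), FNV_OFFSET, []
    for byte in data:
        chunk = ((chunk ^ byte) * FNV_PRIME) & 0xFFFFFFFF     # FNV-1a over chunk
        if roll.update(byte) % block_size == block_size - 1:  # boundary trigger
            out.append(BASE64[chunk & 63])
            chunk = FNV_OFFSET
    if chunk != FNV_OFFSET:                                   # trailing chunk
        out.append(BASE64[chunk & 63])
    return "".join(out)

def fuzzy_hash(data):
    """Signature 'block:sig_at_block:sig_at_2xblock', in ssdeep's layout."""
    block = choose_block_size(len(data))
    return f"{block}:{piecewise_hash(data, block)}:{piecewise_hash(data, 2 * block)}"

def edit_distance(a, b):
    """Levenshtein distance between two signatures."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _score(s1, s2):
    """0..100; like ssdeep, demand a common run of 7 characters first."""
    if s1 == s2:
        return 100
    if not any(s1[i:i + 7] in s2 for i in range(len(s1) - 6)):
        return 0
    return max(0, 100 - 100 * edit_distance(s1, s2) // (len(s1) + len(s2)))

def compare(sig_a, sig_b):
    """Similarity of two signatures; only equal or 2x block sizes compare."""
    ba, a1, a2 = sig_a.split(":")
    bb, b1, b2 = sig_b.split(":")
    if ba == bb:
        return max(_score(a1, b1), _score(a2, b2))
    if int(ba) == 2 * int(bb):
        return _score(a1, b2)
    if int(bb) == 2 * int(ba):
        return _score(a2, b1)
    return 0

def _constructed_bytes(seed, n):
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

# Constructed sample "binaries": an original, a copy with 8 bytes patched in
# the middle (the trivial change meant to defeat exact hashes), and an
# unrelated file of the same size.
ORIGINAL = _constructed_bytes(1, 4000)
TWEAKED = ORIGINAL[:2000] + bytes(8) + ORIGINAL[2008:]
UNRELATED = _constructed_bytes(2, 4000)

def demo():
    ref = fuzzy_hash(ORIGINAL)
    return {"same": compare(ref, fuzzy_hash(ORIGINAL)),
            "tweaked": compare(ref, fuzzy_hash(TWEAKED)),
            "unrelated": compare(ref, fuzzy_hash(UNRELATED))}

if __name__ == "__main__":
    print(fuzzy_hash(ORIGINAL), demo())
```

An exact hash of TWEAKED shares nothing with ORIGINAL, while the piecewise signature differs in only the chunk that was patched, which is what lets a repository of known weapons still match a lightly edited copy. The 7-character common-run rule is what keeps two unrelated files at a score of 0 rather than a small nonzero number.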

V. IMPLEMENTATION OF NONPROLIFERATION OF CYBER WEAPONS

Addressing the first identified challenge, the authors propose the following definition to be used for a cyber weapon. A cyber weapon is not simply a stockpile of exploits used in cyber warfare campaigns. The authors acknowledge that most exploits, malware frameworks, and cyber tools can technically be used as weapons in cyber operations or conflicts. However, the authors propose the following definition for cyber weapons, based loosely on the existing definition for Weapons of Mass Destruction [15]. A cyber weapon is any of the following: a) software, hardware, or firmware used to exploit or target critical infrastructure; b) software, hardware, or firmware designed to cause death or serious injury; c) software, hardware, or firmware that contributes to the release of toxic or poisonous chemicals, biological agents, or radioactive material.

For identifying, attributing, and tracking cyber weapons, the authors suggest that nations submit their cyber weapons to an international committee or association similar to the International Atomic Energy Agency (IAEA) or United Nations (UN). This committee would be responsible for documenting known cyber weapons, maintaining the code repository, and performing forensic analysis of suspected nation-state level cyber-attacks. The source files in the repository could be utilized in conjunction with approximate matching algorithms to aid in determining if any known cyber weapons were used in a cyber-attack. Approximate matching algorithms such as "ssdeep" are often used in forensic investigations. They can "match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length" [8]. The use of these algorithms or similar forensic tools would ensure countries do not simply make trivial changes to the code in order to avoid attribution. Nations found guilty of conducting unauthorized cyber-attacks would face fines and sanctions. In order to incentivize nations to submit their cyber weapons, heavy sanctions would be placed on any nation found to have hidden a cyber weapon from the international committee. The heavy sanctions would have the added effect of helping ensure nations protect their own cyber weapon repositories. While theft of materials and false attribution are possible, it is the responsibility of the creators of the cyber weapons to ensure they are not stolen, released, or used without authorization. The third identified challenge must be solved by diplomacy, not technology. Countries should leverage existing partnerships through the UN or the IAEA to draft a treaty or resolution for the nonproliferation of cyber weapons.

VI. CONCLUSION

The recent emergence of cyber weapons has led to a cyber arms race. Multiple nations have been developing, collecting, and using cyber weapons against each other. The Nuclear Nonproliferation Treaty has been successful in reducing the nuclear arms race. Principles and lessons learned from nuclear nonproliferation can be used to prevent the similar issue of cyber weapons. Challenges to cyber weapon disarmament were identified and resolutions proposed. It is imperative that something be done to limit or deter the proliferation of cyber weapons before they result in or contribute to mass destruction, such as the loss of critical infrastructure.

REFERENCES

[1] J. Bamford, NSA Snooping Was Only the Beginning. Meet the Spy Chief Leading Us Into Cyberwar. Wired. https://www.wired.com/2013/06/general-keith-alexander-cyberwar, 2013.

[2] M. Chapple, Malware Jumps the Air Gap. http://www.gocertify.com/articles/security-matters-malware-jumps-the-air-gap.html, 2015.

[3] Dragos, TRISIS Malware: Analysis of Safety System Targeted Malware. dragos.com/wp-content/uploads/TRISIS-01.pdf, 2017.

[4] Dragos, Top 5 ICS Cybersecurity Myths. https://dragos.com/blog/industry-news/top-5-ics-cybersecurity-myths-whats-preventing-your-organization-from-reducing-risk/, 2020.

[5] N. Falliere, Stuxnet Infection of Step 7 Projects. https://www.symantec.com/connect/blogs/stuxnet-infection-step-7-projects, 2010.

[6] FireEye Intelligence, Triton Attribution: Russian Government-owned Lab Most Likely Built Custom Intrusion Tools For Triton Attackers. https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.htm, 2018.

[7] M. Gross, A Declaration of Cyber-War. https://www.vanityfair.com/news/2011/03/stuxnet-201104, 2011.

[8] J. Kornblum, Identifying Almost Identical Files Using Context Triggered Piecewise Hashing. Digital Investigation, 91-96, 2006.

[9] R. Lee, CrashOverride: Analysis of the Threat to Electric Grid Operations. https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf, 2017.

[10] A. Lipovsky, Industroyer: Biggest Threat to Industrial Control Systems since Stuxnet. https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/, 2017.

[11] R. Naraine, Stuxnet Attackers Used 4 Windows Zero-day Exploits. https://www.zdnet.com/article/stuxnet-attackers-used-4-windows-zero-day-exploits, 2010.

[12] L. Newman, The Leaked NSA Spy Tool That Hacked the World. https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/, 2018.

[13] R. Lee, ICS Defense Use Case. ics.sans.org/media/ics-cppe-case-Study-2-German-Steelworks-Facility.pdf, 2014.

[14] United States, Treaty on the Non-Proliferation of Nuclear Weapons. www.un.org/disarmament/wmd/nuclear/npt, 1995.

[15] United States, United States Criminal Code Title 18. https://www.govinfo.gov/content/pkg/USCODE-2010-title18/pdf/USCODE-2010-title18-partI-chap113B-sec2332a.pdf, 2010.

[16] D. Veluz, Stuxnet Malware Targets Scada Systems. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/54/stuxnet-malware-targets-scada-systems, 2010.

[17] K. Zetter, An Unprecedented Look at Stuxnet, the World's First Digital Weapon. www.wired.com/2014/11/countdown-to-zero-day-stuxnet, 2014.

[18] K. Zetter, The Ukrainian Power Grid Was Hacked Again. https://www.vice.com/en_us/article/bmvkn4/ukrainian-power-station-hacking-december-2016-report, 2017.

[19] K. Coffey, R. Smith, L. Maglaras, and H. Janicke, Vulnerability Analysis of Network Scanning on SCADA Systems. Security and Communication Networks, vol. 2018, Article ID 3794603, 21 pages, 2018. https://doi.org/10.1155/2018/3794603
