Project 'Cyber Storm III' Simulates Attack On U.S.

For the first time, the U.S. government is launching a coordinated cyber attack simulation in an effort to test the nation's defenses in the event of an all-out cyber war.

Dubbed Cyber Storm III, the project's launch on Monday signaled the beginning of a three-day effort to bombard the nation's infrastructure with security threats, with the aim of testing the strength of the U.S. defenses and detecting yet unknown security vulnerabilities.

Cyber Storm III, initiated by the Department of Homeland Security, will pummel the U.S. networks with more than 1,500 different events, some large-scale, and will involve thousands of government and industry players to examine the preparedness of personnel involved in the cyber defense effort, including their ability to make correct decisions and disseminate information appropriately. Those involved include White House officials, intelligence agencies, 11 state agencies, 12 international partners and 60 private sector partners.

The effort, according to a DHS Cyber Storm III fact sheet, "reflects the increased sophistication of our adversaries, who have moved beyond more familiar Web page defacements and Denial of Service (DOS) attacks in favor of advanced, targeted attacks that use the Internet's fundamental elements against itself -- with the goal of compromising trusted transactions and relationships."

If all goes according to plan, the project will be the necessary tool for a newly-developed national Cyber Incident Response Plan, which will be the blueprint for U.S. cybersecurity response going forward.

"Securing America's cyberinfrastructure requires close coordination with our federal, state, international and private sector partners," said DHS Secretary Janet Napolitano in a statement.

The coordinated effort was partly in response to news that the Stuxnet worm had targeted and successfully infected computers at Iran's Bushehr nuclear power plant, although it had not yet affected critical infrastructure that could potentially disrupt or shut down operations there.

The notorious Stuxnet virus made headlines earlier this month when researchers found traces of code on Siemens industrial software systems that operate Iran's Bushehr nuclear reactor.

The worm is programmed with "search and destroy" code designed to target industrial facilities such as chemical manufacturing and power plants using Supervisory Control and Data Acquisition (SCADA) systems.

Security experts contend that the incident marked the beginning of an age in which the Internet was regularly used in attacks against critical infrastructure and government systems -- a technique that could ultimately replace traditional warfare.

"It really signals the emergence of a new era, where you could literally have an impact on a nation state with ones and zeros," said Jim Butterworth, senior director of cybersecurity for Guidance Software.

That projection is underscored by the fact that the Stuxnet worm possesses the ability to modify Programmable Logic Controllers, devices that control the machines at power plants.

The attack on Bushehr, however, was first launched with infected USB devices, indicating the presence of insider knowledge, experts say.

Meanwhile, security experts speculate that, in light of Stuxnet's complexity, the malware might have originated from a nation-state or highly developed underground organization.

Gerry Egan, Symantec director of security response, said that Stuxnet used four zero-day vulnerabilities to propagate, while also employing several rootkits to cover its tracks and evade detection. Its complexity was further compounded by its ability to target both software and hardware on industrial control systems, he said.

"This is a very sophisticated piece of code. We don't think any one person has the skills to put this together," Egan said. "From what we've seen, the average hacker would not have the wherewithal to create this."

Thus far, the worm has targeted systems in Iran, as well as India and Indonesia, possibly because "the security posture of many of these countries is a little lower," Egan said.

Going forward, experts speculate that the emergence and proliferation of Stuxnet might herald a paradigm in which security is inherent in critical systems such as electrical operations, traffic lights and heating and cooling systems.

"For the average person this is completely out of our hands. These targeted attacks are on networks that are privately owned or part of government infrastructure. The problem is on a whole new level now," said Anthony Di Bello, product manager of compliance and cyber security solutions for Guidance Software. "Previously the systems that didn’t require security in the past will require security going forward."

If anything, Egan said, the recent attack on Bushehr should be a sharp reminder to government and businesses alike to beef up security protections to defend themselves from a possible attack.

"It's a watershed event," Egan said. "Perhaps this is a kind of wakeup call. Cybercriminals are notorious copycats. The very fact that someone has done this is a sign that this is doable and will cause more to follow suit."