Stuxnet attack exposes chinks in India's critical infrastructure

The world first heard about a computer worm called Stuxnet in the summer of 2010. Early reports were sketchy but what was certain is that Stuxnet had destroyed 2,000 centrifuges at an Iranian facility in Natanz, grinding the country's nuclear program to a halt. "It was the cyber equivalent of a cruise missile," says Shantanu Ghosh, vice-president for product operations at anti-virus firm Symantec's India branch. The company was the first to decode Stuxnet.

Just days after the news went public, a team of cybersecurity experts at the National Technical Research Organisation (NTRO), India's technical intelligence agency, began drafting a report. Their findings would send shockwaves through the security establishment. Since then, Indian authorities have been scrambling to plug gaps in the country's cyber-security. Many remain.

It is now known that Stuxnet was jointly programmed by US and Israeli intelligence as part of a project called Olympic Games. It spread from computer to computer, hunting down the exact one that controlled Natanz's centrifuges. But a flaw in Stuxnet's code caused it to spread further than planned, infecting more than one lakh other machines worldwide. In mid-July 2010, NTRO obtained a list of infected Indian computers from Symantec. Two days later, a preliminary analysis was ready.

A government official, privy to NTRO's analysis and speaking on condition of anonymity, told India Today that of the 10,000 infected Indian computers at the time, 15 were located at what are called 'critical infrastructure' facilities. These included the Gujarat and Haryana electricity boards and an ONGC offshore oil rig. While the flaw caused Stuxnet to reach these computers, thankfully, it did not activate itself on them. In other words, India was only a few flawed lines of code away from having its power and oil sectors crippled.

Stuxnet woke the government up to India's vulnerability to cyber attacks. "The entire economies of some countries have been paralysed by viruses from across the border. We have to make ourselves more resilient," Sachin Pilot, Minister of State for Communications and Information Technology, told India Today, "Power, telecom, defence; these areas are on top of our agenda."

These actions may already be too late to protect some sensitive areas. Indian government networks have fallen victim to countless, sophisticated hacks over the years. "We once sat down to check the Delhi [Internet] backbone. We found thousands of systems compromised. All were government's systems," says a cybersecurity professional working with one of India's intelligence agencies. "Research and Analysis Wing, Intelligence Bureau, Military Intelligence... we don't realise how much damage has already happened."

Such attacks have larger implications than just the immediate loss of secrets. A senior cybersecurity expert, currently with the Ministry of Home Affairs, says they hit at what he calls 'speed of trust'. "They make us distrust our own systems. We are no longer sure if the information we are getting is legitimate," he says. "We are forced to install more security and to check everything. This slows down the speed at which we operate."

Worse, cyber attacks that destroy critical infrastructure are getting easier to carry out. In March, Digital Bond, an American computer security firm, showed how a Stuxnet-like attack can be carried out using hacking tools downloaded from the Internet. Some of the vulnerabilities they found are present in hundreds of Indian factories and facilities. Chinese or Pakistani hackers, constantly hunting for Indian targets, could easily use these findings to launch their own Stuxnet-like operation against India.

"When everything, including power grids, e-commerce, e-governance and banking, runs on foreign-made equipment, you're talking about a horror story," says the cybersecurity expert working with Indian intelligence. He refers to equipment from China's telecom giant Huawei. Its president Ren Zhengfei was once a senior scientist with the Chinese army. Allegedly, he still maintains those ties. Huawei calls the allegations "ill-founded" and "ungrounded". That hasn't stopped countries like the US and Australia from banning Huawei equipment in critical infrastructure. In 2010, India's home ministry also warned telecom companies against using Chinese equipment. That year alone, Huawei's India revenues totaled $880 million (Rs.4,400 crore). "Cyber attacks have become an increased threat in proportion to local dependence on technology infrastructure," says R. Srikanth, cyber strategies researcher at the strategic affairs think-tank Takshashila Institution. At last count, India had 950 million mobile subscribers. The math is frightening.

Realistically, India's critical infrastructure cannot be secured overnight. "Telecom, power, ports and airports are increasingly going in private hands," says Kamlesh Bajaj, the first head of the Government's Computer Emergency Response Team (CERT-In). Bajaj, currently CEO of the Data Security Council of India, advocates sector-specific CERTs for industries like power, telecom, banking, railways and energy. Cherian Samuel, an associate fellow at the Institute for Defence Studies and Analyses, says these sector CERTs should ideally report to a central agency, jointly-staffed by the private and government sectors and the military.

It appears such an agency has taken shape. Following the alarming reports, the Prime Minister designated NTRO as the agency responsible for protecting critical infrastructure. This January, it formed the National Critical Infrastructure Protection Centre with a senior IPS officer who has a background in computer engineering, as its head. His team includes a number of private-sector experts who were absorbed as officers on special duty. Quality clearly isn't a problem, numbers are. In an interview in 2011 to the UK's Channel 4, British intelligence analyst Glenmore Trenear-Harvey estimated China had "literally thousands of hackers". To bridge this gap, the Communications and Information Technology Ministry set up the National Security Database last year. This is a network of private-sector cybersecurity experts whom the Government verifies, gives security clearances and can approach for help.

This March, Sachin Pilot also announced plans for a secure pan-India network for government organisations and agencies. More recently India gave teeth to its cybersecurity plans by instructing the Defence Intelligence Agency and NTRO to conduct offensive cyber operations against India's enemies. The ideas are progressing, but are not foolproof. Pilot's secure network, for example, may be inaccessible from the outside, but it is vulnerable to moles working within.
India's critical infrastructure will always remain vulnerable to cyber attacks, as is the case with all countries. At best, the Government can only play catch-up with the bad guys. "This is an area where technology evolves every two weeks," Sachin Pilot told India Today. "We need to constantly review and assess the threats and our capabilities."


Popular posts from this blog

How a cyber attack hampered Hong Kong protesters

‘Not Hospital, Al-Shifa is Hamas Hideout & HQ in Gaza’: Israel Releases ‘Terrorists’ Confessions’ | Exclusive

Former FARC guerrilla, Colombian cop pose naked together to promote peace deal