India is a Sitting Duck in the Cyber Battlefield

WHEN THE Stuxnet cyber attack temporarily took down the Iranian nuclear facility at Natanz in 2010, it made few waves in India. However, shocking details have now emerged that barely a few months after the computer worm created problems in Iran, critical infrastructure in India too was infected by the tactical cyber weapon developed in Israeli laboratories.

In June 2010, ONGC oil rigs using SCADA (Supervisory Control and Data Acquisition) industrial systems were found to be infected by the same worm. The oil major, whose control systems are run by ABB, didn’t face an immediate threat because the worm was programmed to target Siemens systems. However, with 247 onshore production facilities, 11 offshore processing complexes, 74 drilling rigs and 7,000 wells, all run by a centralised control system, an attack could have taken out India’s entire oil production for days, if not weeks.

Just a few weeks after that shocking discovery, Indian investigators also stumbled upon massive infections in a mega power project in Gujarat using SCADA systems controlling the generation and transmission network in western India. Investigators pieced together the evidence and launched a probe into other vulnerable systems that revealed facts that were too sensitive and complex to be made public. They discovered that the same attack was perfectly capable of knocking off signal and control systems on Delhi Metro’s crucial links, throwing the capital’s most used public transport system into chaos.

Earlier, cyber security investigative researcher Jeffrey Karr had shocked ISRO when he proved that India’s INSAT 4B satellite was taken down by Stuxnet to serve Chinese business interests. On 7 July 2010, INSAT 4B’s power glitch forced India’s leading DTH providers such as Sun Direct, Doordarshan and Tata Teleservices to shift to ASIASAT-5, a satellite owned by the Chinese government. INSAT 4B was using the same Siemens software that was responsible for activating Stuxnet to make the Iranian nuclear facility go haywire.

Despite the fact that cyber security is being breached every day, there seems to be little urgency in devising a National Cyber Security Policy that could provide not just a security blanket against future attacks but also a framework for offensive capabilities that enables India to retaliate and launch attacks against enemy nations.

A draft policy formulated by India’s Cyber Emergency Response Team (CERT-IN), which should have gone to the Cabinet for ratification in May, is yet to see the light of day. “We are still in the process of getting comments from stakeholders. It takes time to get new policies passed by the government,” says CERT-IN Director Dr Gulshan Rai, dismissing the urgency of having a framework against the new threat.

What is stuxnet?

MUCH OF the malware today is designed to steal information and money from bank accounts. However, Stuxnet went well beyond that. Its purpose was to reprogram industrial control systems — computer programs used to manage power plants, oil refineries and gas pipelines. Its goal was to manipulate the physical equipment attached to specific industrial control systems so the equipment acted in a manner programmed by the attacker. Such an outcome could have several underlying goals, but sabotage, destruction, and cyber warfare were the most obvious. Although the first use of this was against Iran, many computers across the world were infected too. The complexity of the worm indicated that only a nation state could make it with fingers pointing towards an Israeli-American joint operation to hit Iran without collateral damage. There have been reports of a new attack on Iran’s systems. This time, the worm has been dubbed DuQu and is known to steal system design information so as to prepare the ground for a customised attack.

Source: Symantec
 
The National Security Council Secretariat (NSCS) is well briefed about the existing and potential threats to India’s cyber security. NSCS officials refused to comment on record but have told TEHELKA that “all issues and transgressions of the recent past have been factored in by the government” in protecting India’s critical infrastructure from debilitating cyber attacks.

The National Security Council (NSC), which is headed by the PM, bore the brunt of an attack when close to 14 documents, including two that were marked ‘secret’, were exfiltrated — all the NSC documents pertained to India’s security assessments in Assam, Manipur, Nagaland and Tripura. Documents also included strategies to deal with the Maoist threat across India.

Strategic analysts believe that the absence of a nodal agency that serves as a one-stop shop for setting up defences and launching attacks to gather intelligence is hurting India. Despite the IT (Amendment) Act, 2008, proclaiming CERT-IN as the nodal agency, it is still struggling with shortage of skilled manpower and lacks the expertise to launch cyber attacks and share crucial information with other agencies.

“We are defensive in nature and end up looking at civilian threats. Doubling the manpower at CERT-IN would enable us to intercept threats at the object core level and reverse engineer them to build future defences against cyber attacks,” says ASA Krishnan, a scientist with the outfit.

The responsibility of scouring for intelligence through cyber offensives is also done by the National Technical Research Organisation (NTRO) mostly through private individuals who have been hired as Officers on Special Duty (OSD). NTRO has been involved mainly in tapping phones and surveillance and was recently in the news for all the wrong reasons trying to film women using the toilet in its New Delhi office.

An attempt at remoulding the NTRO was made by former National Security Adviser MK Narayanan after the 26/11 Mumbai terror attacks, which came as a rude shock to the Indian intelligence set-up. Insiders told TEHELKA that Narayanan was so desperate to revamp India’s cyber warfare capabilities that he had personally called up ethical hackers, asking them to come on board as special officers. Many young IT professionals, some barely out of college, joined the NTRO and found themselves in a situation where they could function without any rules or boundaries.

“There were no charters or rulebook spelling out what to do. We had freedom in choosing our targets, attacking them and passing on the information to superiors. We were a young team engaged purely in tactical work and almost every day we were snooping into systems of unfriendly nations and gathering valuable information,” says, an OSD with NTRO.

NARAYANAN WAS happy with the work of many of the youngsters. But the team soon started coming up against the red tape that has been the bane of India’s intelligence agencies. In the absence of a nodal agency, the information gathered that could be used as actionable inputs got mired in delays. The NTRO hackers found out that while the documents they were snooping were mammoth and consequential, the information flow was too rigid to make a difference to India’s national security.

After the Stuxnet attack, NTRO hackers actively used ‘sink holing’ to trace massive infections in India. But NTRO bigwigs prematurely declared the detection as complete despite being warned by the professionals that some critical controls and commands that had been infected with Stuxnet had not been completely neutralised. “That poses a grave danger to critical infrastructure in the near future. NTRO officials did no in-depth checks on Stuxnet, which means the worm is still dormant in many important systems in the country,” says ethical hacker Ginish Venkataraman.

There had been reports that Prime Minister Manmohan Singh had approved the formation of a National Cyber Command on the lines of the USCYBERCOM. But that too has not yet seen the light of day even though the gravity of attacks this year has seen an increase in intensity and frequency. Moreover, even the draft Cyber Security Policy has been dismissed as being too focussed on doing a clean-up job rather than preparing India to gain a decisive edge in the emerging field of cyber warfare.

The entire thrust of the draft is on “rapid identification, information exchange, and remediation” to thwart destabilising and malicious cyber attacks while ignoring the need to build up a credible deterrent that prevents enemies from tinkering with India’s national security.

“It is like the race for nuclear warheads. Those who started early had the advantage of dictating the rules of nuclear warfare and early starters like US and Russia still hold the world’s biggest nuclear arsenals,” says Sreeram Chaulia, dean of Jindal School of International Affairs. “In the age of cyber warfare, those nations who start developing attack capabilities early will be in a position to prevent others from making much headway in cyber warfare. The time has come to have a cyber war doctrine with a specialised cadre that is capable of making sense of the information gathered from the servers of other nations and outfits. We need to have a two-tier structure — a group of hackers who are the foot soldiers reporting to tech-savvy bureaucrats who can think beyond a territorial mindset and know how to make sense of the intelligence provided.”

The armed forces too have their own Cyber Emergency Response Teams (CERTs) but the presence of the Defence Intelligence Agency again raises the question of where the buck stops and just who is responsible for collecting and acting on virtual data. The CERTs have been unable to thwart some mind-boggling attacks on its infrastructure, according to a Canadian investigation into defence hacking titled Shadows in the Cloud.

Documents pertaining to the deployment of the 21 Artillery Brigade in Assam were exfiltrated by hackers backed by the Chinese government along with sensitive documents detailing aircraft deployment at the Indian Air Force base in Vadodara apart from sensitive details from the Air Force Station in New Delhi.

But the real shocker came when the army realised that important documents relating to Project Shakti were stolen. Project Shakti is a $300 million effort by the army to link all its artillery guns to a central command — exactly the kind of centralised operating playground that was exploited by the powers behind Stuxnet. Security experts say that details of the network would enable enemies to devise a worm or virus that would circumvent security and be used to induce malfunctions in the artillery system. Moreover, details about the Pechora missile system were stolen, apart from files relating to India’s observations on the Iron Dome missile shield, which it is planning to buy from Israel.

IF INTERNAL security and the armed forces face a high risk of sabotage, India’s diplomatic missions have already borne the brunt of some debilitating attacks. The Indian Embassy in Moscow was hacked by Italy and documents relating to the supply of helicopter parts from a Russian firm named Aviazapchast were accessed by hackers. Other significant correspondence between aircraft engine maker NPO Saturn and Ilyushin with the Air Force HQ in Delhi were also hacked. Indian missions have been the favourite targets of State-sponsored hackers, with embassies in the US, UK, Cyprus, Germany, Serbia, Belgium and Kuwait facing routine attacks.

“I’m surprised by the government’s priorities,” says Chaulia. “The home minister often says that Maoists are the biggest internal security threat. Nobody in the government seems to realise the impact a rogue cyber attack from an enemy nation can have on electricity, transportation, water supply and other infrastructure. It could bring the whole nation to a complete halt, given the reliance of our systems on centralised command and controls.”

Given the imminent threat, there is an urgent need to establish an agency for cyber warfare that deals not just with security but can also retaliate and initiate attacks on others. India has established itself as an IT superpower whose software firms have been instrumental in helping global corporations cut costs using cheap and skilled labour.

Tragically, India finds itself unable to get enough talented people to fill the void in its intelligence and offensive set-up in cyberspace. The failure to leverage this headstart to secure our strategic interests might only prove costly in an age where State-sponsored cyber attacks can achieve mass destruction without directly taking lives.

Sai Manish is a Correspondent with Tehelka

Courtesy: Tehelka.com

http://www.tehelka.com/story_main51.asp?filename=Ne261111India.asp#