The Direct Impact of Stuxnet on the SEC and Investment Advisers

Now that Alex Gibney’s remarkable documentary about the proliferation of the Stuxnet malware is available on Amazon, a wider audience and modest infosec professionals can enjoy the slow motion train wreck that has all investment advisers discussing cybersecurity.

If you are not a moviegoer, have no time for entertainment, aren’t attempting to catch Pokemon this weekend, but are the Chief Compliance or Information Security Officer of an RIA or BD, there is value in awareness gained through “Zero Days” as the highest level of cyber warfare is knocking at your door.

Why You Should Care?

“Slow motion” is a relative term as it seems that in short order the financial services space, which includes advisers and broker-dealers, has been turned upside down by a new regime of IT security expectations and regulatory requirements. It is really in the wake of the Stuxnet disaster that the Executive Order (13636), the Presidential Policy Directive (PPD-21), the NIST Cybersecurity Framework, and multiple SEC directives have been jammed in place. There is something remedial about the speed at which we have all had to swallow cybersecurity, and “Zero Days” provides this context which has changed the lives of CCOs and CISOs.

Just as a reminder, Investment Advisers and Broker-dealers are a subset of the financial services space and defined as “Critical Infrastructure Providers” by PPD-21. The Department of Homeland Security has informed financial services firms that we are perhaps the most prominent target as evidenced by the attacks of 9-11, and certainly reinforced by the bungling proliferation of Stuxnet, the development of a whole new method of warfare, and the rush to get defenses into place.

Without rehashing the entire documentary or spoiling the learning experience, I suggest that you schedule an IT Security Awareness training which includes the Information Security Committee and perhaps a glass of wine – and watch “Zero Days” as there are numerous important issues highlighted which relate to current regulatory expectations and developing requirements.

Stuxnet is a complex malware which was designed collaboratively by U.S. and Israeli agencies including the NSA, CIA, and Unit 8200[i], contained four zero-day exploits, targeted specific infrastructure at the Natanz nuclear facility in Iran, and was released into the wild spreading to systems all over the world. In short, Stuxnet was sophisticated software designed to destroy centrifuges by adjusting speed settings in programmable logic controllers. If this sounds like the familiar foreign language of technology or IT security, take heart as “Zero Days” performs a tangible service by explaining the construction of code and malware concepts through well-designed graphics and expert testimony. In our experience at registered investment advisers, few of the personnel, sometimes including IT staff, understand how malware is constructed and distributed. “Zero Days” will raise awareness and understanding of these concepts.

Five critical concepts from “Zero Days,” which are relevant to Investment Advisers and Broker-Dealers:

  1. Vendor Management is the number one takeaway, as the primary means of infecting even an “air-gapped” network (one isolated from the internet) is by ferreting out vendors who will work with the company or facility, connect to the network onsite, and assist with infrastructure. Five vendors were identified at Natanz who were developing the nuclear facility and were targeted by Israeli agencies. One expert refers to basic vendors such as electrical and piping contractors, which immediately raises thoughts of the HVAC vendor leveraged in the Target breach. The vendors to Natanz also worked with other companies, who worked with other companies, triggering the exponential global spread of Stuxnet. For investment advisers, this brings home the notion that, despite all of your security efforts, you can still be compromised by third parties. This reinforces the SEC’s focus in the 2015 Cybersecurity Examination Initiative as “Vendor Management” is one of the six areas of consideration.
  2. Physical Security plays a critical role in the development of Stuxnet as the theft of software certificates required breaking and entering into two tech companies. One security expert speculates that after-hours cleaning hires or other physical staff must have been involved in this process. Keep in mind that reasonable physical security measures are required by Regulation S-P and referenced in subcategories of the NIST Cybersecurity Framework. This is familiar subject matter discussed with all clients during the Information Security Assessment process.
  3. Antivirus/Antimalware vendors from Symantec and Kaspersky are an important link to understanding Stuxnet but, more importantly, are plugged into global networks of security companies and experts who are working 24/7 to identify new malware and variants. This massive private sector effort offers a ray of hope and reminds us that alignment with solid antivirus and patching resources and practices is the basic blocking and tackling of IT security. There is a great deal of discussion in the security geeksphere about the “failures of AV,” especially signature-based applications, but one cannot help appreciate the efforts of this community revealed in “Zero Days.”
  4. Threats and Vulnerabilities or the analysis and understanding of these issues pertinent to your business model have been emphasized from day one of the NIST Framework. The assessment of Threats and Vulnerabilities is regular business of the Information Security Committee and early awareness, a principle of Operational Security is better understood through Alex Gibney’s lens. We have mentioned threats specific to the investment community, groups such as “FIN 4,” which targeted over 100 financial information services companies regarding corporate acquisitions/mergers and transactions. This is information about which advisers/investment managers should be aware.
  5. Ransomware is probably one of the biggest concerns in the current marketplace, especially as recent variants have displayed new characteristics for propagation to multiple systems, attached storage devices including cloud-based services, and the ability to create greater disruption at firms. The US-CERT has done a respectable job describing the current state of affairs, resources, and response concepts in the whitepaper referenced below which is more fodder for the Information Security Committee. Stuxnet apparently had multiple versions as part of the joint development but also has future variants described as “Nitro Zeus” aimed more broadly at Iranian critical infrastructure outside of the nuclear sphere. Let’s just hope it’s not sent back in our direction in refined form.

In sum and while it might seem trite to discuss or recommend popular documentaries and forms of entertainment in the confines of the Security Blog, “Zero Days” provides a layman’s explanation on several technical issues which may be helpful at your business. It is also a sobering reminder of the international forces, bots and so forth, knocking on the firewall at night and good reasons to mitigate vulnerabilities. Tech geeks and security people also tend to be sci-fi and hacker TV and movie fans. Why not, as everybody likes to see their work territory popularized and made cool to the masses? Investment advisers, broker-dealers, and CCOs are now part of this culture and movement. We are not recommending that everyone run home and watch “Mr. Robot” for IT security best practices, but there is no question that cybersecurity is big in popular culture and certainly the real-life experience, impact, and intrigue of Stuxnet is a crucial part of the landscape.

“Zero Days” is written and directed by Alex Gibney and is rated PG-13 (Parents strongly cautioned) for some strong language. Running time: 1 hour 56 minutes. You can rent it on Amazon here:


US CERT’s Whitepaper on Ransomware

[i] Unit 8200 is an Israeli Intelligence Corps unit responsible for, among other things, collecting signal intelligence and code decryption.