In Countdown to Zero Day, investigative journalist Kim Zetter recounts the story of the discovery and shocking origins of the Stuxnet virus, which attacked uranium enrichment facilities in Iran, effectively crippling their nuclear capabilities.
The first part of the book reads like a high-octane thriller, following the employees of a very small technology security firm as they try to unravel the puzzle of a strange new “zero day” exploit – a new and unique virus that has had no security patches created for it yet – which means there has been zero protection. Zetter also covers the thriving and lucrative “gray market” for zero day exploits, in which our government is apparently a high bidder.
In the middle third of the book, Zetter delves into many examples of vulnerable US and worldwide infrastructures, their reliance on computer technology, and the dire consequences when that technology fails. Critical systems can be easily unbalanced by “an autonomous worm delivered via USB flash drive or via the project files …”
Examples are taken from real-life failures, like this one in 2008:
“Disabled protective relays played a role in a large outage in February 2008, when nearly 600,000 people in Florida lost power after a field engineer with Florida Power and Light turned off the protective relays at a substation while investigating a malfunctioning switch. The result was a cascading outage that spread to thirty-eight substations, including one that fed electricity to a nuclear plant, causing the plant to go into automatic shutdown.”
And this one, also in 2008:
“In Poland in 2008 a fourteen-year-old boy in Lodz caused several trains to derail when he used the infra-red port of a modified TV remote control to hijack the railway’s signaling system and switch the tram tracks. Four trams derailed, and twelve people were injured.”
After convincing the reader of the fragility of our national utilities and infrastructures, Zetter reveals some of the white hat hacking performed on the same systems, exposing even more vulnerabilities and lapses in common-sense security measures.
In the latter third of the book, Zetter returns to the story of the small Belarus firm that accidentally discovered Stuxnet, but lacked the skill and experience to tackle the threat, and the people and firms who eventually untangled it. She interviews them on the precarious balance between trying to help people – ordinary folk like you and me – and the political pressures created by national security.
The entire book is thoroughly researched, and includes excerpts from interviews with the key players, plus footnotes for intrepid readers who may want to read more on a topic.