The dust may have settled over the Stuxnet virus, but experts caution that such worms portend the beginnings of sophisticated cyberwars.
When the Stuxnet worm was recently reported to have infected industrial control systems in many countries, especially Iran, Indonesia and India, industry observers and security experts were caught unawares.
As of September 29, 2010, Symantec data revealed around 100,000 infected hosts. While nearly 59 per cent of infections were reported in Iran, around 10 per cent were found in India (incidentally, the Commonwealth Games 2010 being hosted in India use SCADA systems, and there was speculation on the Internet that the failure of the INSAT 4B satellite this July was due to the worm, perhaps because ISRO is a customer of Siemens).
Siemens has since supplied customers with software tools to detect and remove the virus while Microsoft has offered upgrades. “While infection rates will likely drop as users patch their computers against the vulnerabilities used for propagation, worms of this nature (similar to Stuxnet) typically continue to be able to propagate via unsecured and unpatched computers,” notes a Symantec report, released late September 2010.
The Stuxnet virus was injected via a universal serial bus (USB) stick and exploited a security vulnerability in certain Microsoft Windows operating systems to breach Siemens control systems. It is the first discovered worm that spies on and reprograms industrial systems. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems, which industries use for water management, electric power, traffic signals, mass transit, environmental control and in manufacturing (for automation). For the most part, a SCADA system is controlled by Remote Terminal Units (RTUs) which consist of a programmable logic controller (PLC). Stuxnet hides modified code on PLCs.
German IACS security researcher Ralph Langner, on his website, notes “…Stuxnet’s bullet is fired and hit its designated target. Stuxnet as such will do no more harm. However, Stuxnet will live on, it will be the zombie of our nightmares — for those who are responsible for industrial control systems that run something of any value. …It provides a blueprint for aggressive attacks on control systems that can be applied generically…”
A reason for the apprehension is that power grids are becoming increasingly automated and smarter. Smart grids also make use of smart meters in homes and businesses that can communicate with the utility about things like energy consumption and power outages. From a security point of view, the design of a smart grid can open up millions of unsecured end points (via smart meters, etc.), putting the entire grid under threat, caution security experts.
Langner, however, believes that strategic high-value targets are least at risk, because they can be easily identified and are fewer in number, but “…the greatest risk is with medium- and low-value targets, with the majority of such targets in the private sector, including production facilities as well as low-tech automated systems such as traffic lights, elevators, etc…”
Even Microsoft CEO Steve Ballmer appears to be worried. “We need legal approaches, we need prosecutions, we need education that make sure we get the same protection, whether it’s personal assets or corporate assets or national asset that people expect,” he recently told a London School of Economics audience while acknowledging that the advent of sophisticated new malware such as Stuxnet could hamper the development of cloud computing initiatives.
Kaspersky Lab’s experts believe that Stuxnet marks the beginning of a new age of cyber-warfare. Kaspersky Lab has not seen enough evidence to identify the attackers or the intended target “but we can confirm that this is a one-of-a-kind, sophisticated malware attack backed by a well-funded, highly skilled attack team with intimate knowledge of SCADA technology… I think that this is the turning point, this is the time when we got to a really new world, because in the past there were just cybercriminals, now I am afraid it is the time of cyberterrorism, cyberweapons and cyberwars,” opines Eugene Kaspersky, co-founder and chief executive officer of Kaspersky Lab.
Companies are being targeted by specific political attacks, and the attacks are becoming increasingly frequent and costly, concurs Symantec’s ‘Critical Infrastructure Protection Study’ published this month.
Symantec found that 53 per cent of all firms surveyed “said they suspected or were pretty sure they had experienced an attack waged with a specific political goal in mind. In fact, of those hit, the typical company reported being hit 10 times in the past five years. Banking and finance were most likely to report they had been attacked and expect to be hit by politically-minded attacks in the future, while IT was the least likely…”