Stuxnet – a cool look at fact versus fiction
No-one could have missed the media blitz about the Stuxnet worm in late 2010, but the IT industry is well-known for hyping such events; just think Y2K ‘bug’. So what’s the real story with Stuxnet? Is it an isolated threat to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), or a much broader threat to organisations that manage critical infrastructure? In this paper, we examine:
• The actual threat that Stuxnet poses to critical infrastructure and industrial plants;
• Why Industrial Control Systems (ICS) are vulnerable to cyber attacks;
• The parallels between Stuxnet in ICS and targeted Trojans in other IT networks; and
• How best to protect your enterprise against these emerging threats.
NOT AN ISOLATED THREAT
Stuxnet isn’t last year’s threat. ‘It was merely the first volley in what may amount to a cyber arms race,’ security consultant Eric Byres explained at AusCERT 2011. Others agree that Stuxnet could serve as a ‘deployment platform for follow-on worms.’ Indeed, a new worm clearly related to Stuxnet was reported in April 2011 and given the name STAR.
We’ve seen how quickly cyber criminals adopt new threats for use against cyber security. ‘Although Stuxnet was designed to penetrate SCADA systems, those who don’t manage critical infrastructure can’t be complacent,’ says Michael Davis of Dark Reading. ‘They must understand how Stuxnet works and the potential damage this type of malware can do in more broad-based attacks on IT networks.’
A TICKING TIME BOMB?
First, some background: Stuxnet is malware specifically designed to target SCADA systems built by Siemens and running Simatic WinCC software, usually in combination with Siemens’ PCS 7 control system. Stuxnet was discovered in mid-2009, and its ability to exploit unpatched Windows systems was soon demonstrated. As more was revealed about the worm, questions were raised about the vulnerability of Critical National Infrastructure (CNI) to Stuxnet. In July 2010, the Black Hat Security Conference in Las Vegas spawned headlines that warned of ‘a ticking time bomb’.
Stuxnet contained a number of carefully crafted components – including a Trojan and a rootkit – which experts said required insider knowledge, stolen design documents and security certificates for its development. German security researcher Ralph Langner wrote that Stuxnet had been ‘assembled by a highly qualified team of experts’ and suggested that ‘the resources needed to stage this attack pointed to a nation state.’
Soon after, the BBC confirmed that Stuxnet had hit computers at Iran’s Bushehr nuclear plant, and repeated that the worm could only have been created by a ‘nation state’. Security guru Eugene Kaspersky said of Stuxnet, ‘… this is the turning point; this piece of malware was designed to sabotage plants, to damage industrial systems. I am afraid this is the beginning of a new world ... a new era of cyberwars and cyberterrorism.’