- The Washington Times - Sunday, October 10, 2010

Stuxnet, the sophisticated computer worm that attacked industrial control systems over the summer, is a “wake-up call” about the vulnerability of factories and power plants to hackers and other cybersaboteurs, according to security specialists.

Although Stuxnet itself is carefully targeted, probably at just one facility where the attackers have inside knowledge, the worm has served as a “proof of concept” for spies and criminals all over the world, and there’s growing concern that U.S. power stations or chemical plants might be targets of less-discriminate copycat attacks.

“The big fear is that Stuxnet provided a road map for malicious actors who can copycat it to launch similar attacks against other industrial control systems” in the United States, one cybersecurity consultant for the utility industry told The Washington Times.

Researchers have been warning for years about the threat of hacks of computer-controlled industrial systems, but Stuxnet is the first publicly known example of malicious software designed to infect and take over one of the special software programs that run them.

“Stuxnet certainly illuminates what is possible and provides some lessons for would-be attackers,” said Michael Assante, former chief security officer at North American Electric Reliability Corp., a power utility umbrella group.

Mr. Assante told The Times that the worm reveals the vulnerability of industrial control systems (ICS) — computer-driven machinery that is ubiquitous in manufacturing, including pharmaceutical factories, water-treatment facilities, power stations and chemical plants.

Industry, he said “needs to use this as a lessons-learning opportunity. … We need to communicate more effectively about these threats. There are known weaknesses in ICS we have to start addressing in a more organized fashion.”

“This is no longer in the realm of probability or likelihood,” he said. “It’s real, it’s been done.”

Stuxnet has “set a new bar” in security terms, Mr. Assante said, adding that industrial planners and designers will need to use “a different base line” now when deploying ICS. “They need to go back and think it through again.”

The Stuxnet worm was first publicly identified in June, by which time it had infected tens of thousands of computers all over the world, almost two-thirds of them in Iran.

Christopher Campione, former deputy assistant secretary for national security at the Energy Department, attended a conference last week at which one researcher announced new details about the worm, which is so sophisticated in design that it must have been produced by a well-funded professional team, like that which might work for a government.

Ralph Langner told an audience of ICS specialists that the worm was likely targeted at a nuclear facility in Iran, but admitted this was only a theory.

“Ralph’s analysis was extremely thorough and pretty scary,” Mr. Campione told The Times.

He said that Stuxnet propagates itself across a corporate network, concealing its presence and looking for the special kind of ICS software it is programmed to attack. When it finds the software, a package made by the German industrial giant Siemens AG, it uploads blocks of encrypted code, effectively taking over the machinery the system is running.

Although it is still unclear exactly what the worm does in action — to discover that, one would have to build an exact duplicate of the target system, said Alexander Machowetz, Siemens head of media relations — analysts and U.S. officials say it could reprogram machinery to malfunction or even destroy itself.

Story Continues →