- The Washington Times - Sunday, October 10, 2010

Stuxnet, the sophisticated computer worm that attacked industrial control systems over the summer, is a “wake-up call” about the vulnerability of factories and power plants to hackers and other cybersaboteurs, according to security specialists.

Although Stuxnet itself is carefully targeted, probably at just one facility where the attackers have inside knowledge, the worm has served as a “proof of concept” for spies and criminals all over the world, and there’s growing concern that U.S. power stations or chemical plants might be targets of less-discriminate copycat attacks.

“The big fear is that Stuxnet provided a road map for malicious actors who can copycat it to launch similar attacks against other industrial control systems” in the United States, one cybersecurity consultant for the utility industry told The Washington Times.

Researchers have been warning for years about the threat of hacks of computer-controlled industrial systems, but Stuxnet is the first publicly known example of malicious software designed to infect and take over one of the special software programs that run them.

“Stuxnet certainly illuminates what is possible and provides some lessons for would-be attackers,” said Michael Assante, former chief security officer at North American Electric Reliability Corp., a power utility umbrella group.

Mr. Assante told The Times that the worm reveals the vulnerability of industrial control systems (ICS) — computer-driven machinery that is ubiquitous in manufacturing, including pharmaceutical factories, water-treatment facilities, power stations and chemical plants.

Industry, he said, “needs to use this as a lessons-learning opportunity. … We need to communicate more effectively about these threats. There are known weaknesses in ICS we have to start addressing in a more organized fashion.”

“This is no longer in the realm of probability or likelihood,” he said. “It’s real, it’s been done.”

Stuxnet has “set a new bar” in security terms, Mr. Assante said, adding that industrial planners and designers will need to use “a different base line” now when deploying ICS. “They need to go back and think it through again.”

The Stuxnet worm was first publicly identified in June, by which time it had infected tens of thousands of computers all over the world, almost two-thirds of them in Iran.

Christopher Campione, former deputy assistant secretary for national security at the Energy Department, attended a conference last week at which one researcher announced new details about the worm, which is so sophisticated in design that it must have been produced by a well-funded professional team, like that which might work for a government.

Ralph Langner told an audience of ICS specialists that the worm was likely targeted at a nuclear facility in Iran, but admitted this was only a theory.

“Ralph’s analysis was extremely thorough and pretty scary,” Mr. Campione told The Times.

He said that Stuxnet propagates itself across a corporate network, concealing its presence and looking for the special kind of ICS software it is programmed to attack. When it finds the software, a package made by the German industrial giant Siemens AG, it uploads blocks of encrypted code, effectively taking over the machinery the system is running.

Although it is still unclear exactly what the worm does in action — to discover that, one would have to build an exact duplicate of the target system, said Alexander Machowetz, Siemens head of media relations — analysts and U.S. officials say it could reprogram machinery to malfunction or even destroy itself.

“The threat has become more real,” Mr. Campione said. “It was kind of hypothetical. It’s like being overweight — you know you are increasing your risk of a heart attack, but that awareness is not likely to change your behavior the way that actually having a heart attack would.”

He said there was a range of responses to the worm within the small community of specialists on ICS.

“It is a wake-up call. … A lot of people are working very hard … [but] there’s still going to be a bit of ‘head in the sand’ from some quarters, people saying, ‘Oh, that’s not how our system works, we don’t run that program, it’s not going to affect us,’” Mr. Campione said.

A detailed analysis from computer security firm Symantec, also released last week, shows that the worm remains dormant on systems where it does not detect the Siemens program, but is capable of updating itself with new programming or orders from its authors.

Liam O Murchu, operations manager for Symantec Security Response and one of the authors of the analysis, said copycats could “take note and analyze Stuxnet’s techniques … for their own purposes.”

He cautioned, however, that “it would take considerably longer than 90 days for someone to create a copycat threat.”

He also pointed out that in order to take over a system the way Stuxnet does, detailed knowledge is required of the way the ICS and the machinery it runs are configured.

“Making an industrial control system execute random code with unknown consequences is vastly different from making an industrial control system perform exact actions that would cause the desired real-world consequences, such as physical damage,” he told The Times.

The kind of “insider knowledge” needed to make copycat attacks effective “is very hard to come by,” he added.

“Copycat threats are possible, even likely, but it will take time and resources to develop them,” he said.

Stewart Baker, a former senior official in the Department of Homeland Security, told The Times that the worm was “both a warning for the future and a danger in the present for” the U.S. power sector.

“They need a plan” to deal with Stuxnet, which has proved able to hide itself even on systems from which it has been scrubbed, he said. “And the country needs a plan” for dealing with potential future attacks, which unlike Stuxnet “could be aimed straight at us.”

If industry does not act on both fronts, he said, Congress might “create new authorities to force greater preparedness.”

Homeland Security spokeswoman Amy Kudwa told The Times that the agency is “continuing to work with our partners across the government and in the private sector,” as it had been since the worm was first identified.

“We’re taking the research” about the worm “and reaching out to share mitigation strategies with the owners and operators” of the nation’s key utilities, Ms. Kudwa said.