Updated Wednesday, Sept. 29, 2010 at 12:20 p.m. EST
Experts say that the Stuxnet worm should serve as a wake-up call that cyberwarfare against critical infrastructure systems is a reality.
“Up until now, the discussions have been scenario-based,” Dave Marcus, director of security research at McAfee Avert Labs, told SCMagazineUS.com on Tuesday. “Here is an actual, real-world example. It's not conceptual anymore.”
Stuxnet is a sophisticated worm that was designed to target industrial control systems software manufactured by Siemens, Andy Hayter, anti-malcode manager at security solutions tester ICSA Labs, wrote in a blog post late last week.
The worm is spreading by exploiting an unprecedented four vulnerabilities, two of which are unpatched, in the Windows operating system to automatically execute in vulnerable systems. The malware was customized to search for Siemens supervisory control and data acquisition (SCADA) software, which is used to manage operations at industrial plants, such as power suppliers and gas and oil refineries.
Once a targeted SCADA system is located, the malware uploads its own code to programmable logic controllers (PLCs), which are connected to SCADA systems and used to control the automation of processes, Marcus said. The purpose of the attack is to flood the PLC with commands, causing a damaging physical response.
The majority of infections have occurred in Iran. Infections also have been identified in Germany, India, Indonesia and Pakistan, experts said. The worm did not have a significant impact in the United States.
Stuxnet, first detected in June by Belarus-based security firm VirusBlokAda, has not resulted in physical destruction, but it has taken affected facilities offline, Marcus said. Moreover, because of its sophistication, researchers are concerned that the malware may still be present and hiding on targeted systems – in effect, acting like a ticking time bomb, even if an organization believes it has eradicated the infection.
At a private SCADA conference last week, German security researcher Ralph Langner, who has analyzed Stuxnet, said the complexity of the attack and the use of four zero-day flaws indicates it was the work of a well-resourced team with control system expertise.
“To me, it seems that the resources needed to stage this attack point to a nation state,” Langer wrote in a blog post earlier this month.
Others conclude that it is not clear who is behind the attack, though some speculate a group of governments, including the United States, conspired to create Stuxnet to sabotage Iran's industrial control systems.
What do you think? Take our poll.
Jimmy Sorrells, senior vice president of Integrity, a company that provides IT security solutions to government, military and commercial enterprises, said that other actors, such as terrorist groups, should not be ruled out.
Wieland Simon, a Siemens spokesman told SCMagazineUS.com on Wednesday that industrial plans plants running Siemens software in Germany, India and Indonesia have been affected by Stuxnet. Approximately one-third of the 15 cases of infection reported to Siemens have occurred in Germany. Siemens has not received any reports of infection at industrial plans in Iran, he said.
“In all cases the virus did not cause any damage,” he said. “Also in all cases the virus has been removed.”
Those behind Stuxnet had a deep knowledge of industrial control systems and production processes, Simon said. Additionally, the attackers were familiar with Siemens' own plant operation and engineering processes, though Siemens was not affected internally by the malware, he said.
Analysis by Siemens has confirmed that Stuxnet is able, under certain conditions, to influence the processing of a control system's operations, Simon said. It is clear that the malware was targeting a specific plant and was only activated in plants with a certain configuration.
Most plants where Stuxnet was discovered were not affected because the malware did not find the patterns it needed, and thus did not activate, he said.
“We have not finished our analysis about Stuxnet — we are still working on it, it's a very complicated and complex virus,” Simon said.
Since September, no new cases of infection have been reported at industrial control plants, Simon said. Also, Siemens in July released a tool to detect and remove the virus without impacting plant operations.
Unlike traditional cybercrime, which is often financially motivated, the Stuxnet attack was an act of cyberwarfare, experts said.
“This isn't just another virus, this was a weapon — an internet weapon that was released,” Sorrells told SCMagazineUS.com on Tuesday.
The attack should serve as a wake-up call to critical infrastructure organizations, SCADA manufacturers and lawmakers that acts of cyberwarfare, long warned about within the information security community, are no longer hypothetical, experts said.
“Other people with different SCADA systems need to start securing their cyber resources,” McAfee's Marcus said. “Other governments need to look at this as an example of what can happen, and start looking at countermeasures.”