Stuxnet was a game changer, but control systems that run the nation's infrastructure are still at risk, reports Deb Radcliff.
For more than 10 years, they saw it coming: SCADA (supervisory control data acquisition) systems managing critical infrastructures would be targeted by cyber terrorists, activists and government-sponsored agents. The results would be catastrophic.
Working groups formed under the North American Electric Reliability Council, the International Society for Automation (ISA), ASIS (American Society of Industrial Security), and Information Sharing and Analysis Centers (ISACs). System operators needed to be educated about cyber risks, best practices needed to be formed and standards needed to be set.
Then, June 2010 came around and news of the Stuxnet worm broke. “Stuxnet immediately became a major concern in our infrastructure meetings,” says Mark Schreiber, vice chair of the critical infrastructure working group for the ASIS, and security system design engineering specialist at Fluor, a Irving, Texas-based company that provides project management to clients around the world.
As a result of Stuxnet, awareness is up at all levels. Operators, vendors, and government officials now “get” the seriousness of the threat. Security standards are maturing, and new security oversight bodies are forming, most recently through the Federal Energy Regulatory Commission (FERC). As well, the Obama administration hopes to issue a cyber security executive order similar to the Cybersecurity Act of 2012, killed by the Senate in August.
The bad news: Stuxnet was just the beginning. More sophisticated malware that includes Stuxnet-derived code is being found in the wild: over the last two years, Flame, Duqu, Madhi, Gauss, Shamoon and Wiper all bare similarities to Stuxnet.
“A growing list of malware is being discovered because organizations are finally stepping up their game in detection,” says Anthony Bargar, executive VP of cyber security solutions at Foreground Security, a Lake Mary, Fla.-based consulting firm to infrastructure operators. “Some of the threats discovered make Stuxnet look like an Atari 2600. Gauss is one example.”