A Stuxnet Comeback?

It's been more than a year since Stuxnet was first discovered wriggling its way through Windows machines around the world and U.S. officials now worry that copycat attacks based on the worm's complex model ultimately could emerge that go after more process control equipment than the Siemens equipment it targeted.

Sean McGurk, director of the DHS National Cybersecurity and Communications Integration Center, said in his testimony to the House Subcommittee on Oversight and Investigations yesterday that attackers could create variants of Stuxnet that go after more PLCs. "Looking ahead, the Department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems," he said in House hearing on "Cybersecurity: An Overview of Risks to Critical Infrastructure.” "Copies of the Stuxnet code, in various different iterations, have been publicly available for some time now."

But security experts have mostly been skeptical of the possibility of a "son-of-Stuxnet" emerging. The malware is a highly sophisticated, layered attack that spread via USB drives and fileshares, exploiting flaws in Windows including a print spooler bug and two others that escalate user privileges to first infect a Windows machine running Siemens software to manage control systems. It then looks for a Siemens S7 PLC, which it attacks and changes its programming by injecting code into it.

It was a highly coordinated attack that required various types and levels of skill, including someone with know-how of PLCs, and another with know-how of USB drive infections -- and that is a rare combination. As the first known malware attack to target power plant and factory floor systems, it has been a wake-up call for the potential damage that could be inflicted on a power plant and the potential consequences to the physical world.

Tom Parker, director of security consulting services at Securicon, says Stuxnet could conceivably be retooled to hit other industrial control-type facilities, but that would be a nontrivial undertaking, he says.

"You can download schematics within patent filings for nuclear centrifuges, too, but that doesn't mean everyone is going to go build themselves one. The PLC-specific portions of Stuxnet required a significant control-systems engineering talent to create, and similar levels of skills would be required to re-engineer it against other installations," Parker says.

ICS-CERT, meanwhile, has been analyzing and alerting government and industry about Stuxnet's makeup over the past year. "ICS-CERT’s purpose in conducting the Stuxnet analysis was to ensure that DHS understood the extent of the risks so that they could be mitigated. After conducting in-depth malware analysis and developing mitigation steps, we were able to release actionable information that benefited our private sector partners," DHS's McGurk said in his testimony.

DHS will continue to watch out for and analyze and mitigate any variants of Stuxnet that may emerge, he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.