9/27/2010 06:12 PM
Stuxnet Attack Exposes Inherent Problems In Power Grid Security

Worm sheds light on ongoing targeted attacks against critical infrastructure, and Iranian news reports infections among nuclear power plant's employee machines

Second installment in a two-part series on the Stuxnet attacks

While the Stuxnet worm attack has raised the bar for targeted attacks on the critical infrastructure, it's not the first time the power grid has been in the bull's eye. Attacks against these systems are actually quite common -- it's just that they are mostly kept under wraps and rarely face public scrutiny like Stuxnet has.

Nearly 60 percent of critical infrastructure providers worldwide, including oil and gas, electric, and telecommunications, say they have been targeted by "representatives" of foreign governments, according to a study published earlier this year by The Center for Strategic and International Studies and commissioned by McAfee. More than half of the respondents had experienced a targeted, stealthy attack akin to the Aurora attacks that hit Google, Adobe, and nearly 30 other companies earlier this year. In addition, nearly 90 percent of the respondents said their networks had been infected with malware, and more than 70 percent had been hit with low-level DDoS attacks and vandalism, insider threats, leakage of sensitive data, and phishing or pharming.

As reported last week, Stuxnet has shed light on just how vulnerable critical infrastructure control systems really are, and as the first known malware attack to target power plant and factory floor systems, it has been a wake-up call for the damage that could be inflicted on a power plant and the potential consequences in the physical world. Though no one knows for sure who created and launched it (speculation has pointed to nation-state sponsorship) or what the endgame really was, the infections have been concentrated mostly in Iran and India. Nearly 60 percent of Stuxnet infections were located in Iran, according to Symantec.

Speculation that the worm was specifically gunning for Iran's nuclear power plant gained a bit more traction in the past couple of days: Iran's official news agency reported over the weekend that Stuxnet had infected employee machines at the plant, according to an AP report. And some 30,000 IP addresses across Iran had been infected, according to other reports.

A German security researcher has said the attack was likely aimed at the Iranian nuclear plant. The IRNA news agency reported that the head of the Bushehr nuclear plant said the malware didn't damage any "major systems of the plant."

But it's just as likely the attackers were casting a wider net and not just targeting the Iranian plant, researchers say. "I think they were targeting multiple similar systems," says Liam O. Murchu, manager of operations for Symantec Security Response, which has performed in-depth analysis of the Stuxnet malware.

Siemens, whose SIMATIC WinCC and PCS 7 programs are what Stuxnet searches for and tries to alter, said in an update to its security advisory on Stuxnet that the malware is "targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications."

The worm was pinpointed in about 15 plants around the globe, according to Siemens, and no actual operations were affected.

PLCs and control systems had been considered relatively insulated from the outside world and attack because they aren't typically Internet-connected. But Stuxnet drove home the worst-kept secret that these systems still are connected to Windows or other machines that can get infected -- in this case, by a USB stick -- and therefore aren't as protected as they had seemed.

"It draws attention to the necessity to understand what's connected to what, what power systems supply that nuclear facility, and what's connected to it," says Phyllis Schneck, vice president and director of threat intelligence for the Americas at McAfee. "This is an example of a very targeted attack. Operation Aurora showed us a lot as the first attack of that level of sophistication to the private sector. We are seeing more and more carefully crafted targeted attacks."

The attackers likely didn't mean for it to spread so widely and go so public. But any time you unleash malware, it's tough to control, notes Dave Marcus, research and communications director for McAfee Labs.

So what does this mean for SCADA and process control systems? That traditional defense-in-depth approaches of firewalls and intrusion detection systems won't catch these application-level attacks, says Eddie Schwartz, CSO for NetWitness, a founding member of the Energy Sec interest group, where power companies swap threat information. "There's no doubt SCADA companies had a rude awakening," Schwartz says.

Power companies and organizations that run these process control systems face challenges securing this traditionally proprietary technology. Many of these products have been known to carry vulnerabilities for years, and typical security tools can't drill down into this often-closed software, Schwartz says. If they are hit with malware, there needs to be a way to catch it, he says.

"A lot of the industry unfortunately is still based on old-style serial interfaces" for communication, he says. The SCADA and power industry will have to follow what retail did with its old POS systems when PCI hit and they needed security. "They suddenly had to implement security ... and some of the interfaces were serial or other types of things that complicated matters," Schwartz says.

Eric Knapp, director of critical infrastructure markets for NitroSecurity, concurs that access to PLCs is needed to secure them properly. "Some utilities are better than others, but there are still a lot of vulnerable control systems out there," Knapp says, pointing to research on SCADA vulnerabilities that was presented this summer at Black Hat USA by Red Tiger Security. "The average age of vulnerability was 311 days for a control system. There were some vulnerabilities over 3 years old."

Meanwhile, downtime from an attack costs critical infrastructure organizations more than $6 million a day, and up to $8 million a day for the oil and gas industries, according to the Center for Strategic and International Studies and McAfee report. Some two-fifths of these organizations said in the report that they expected a major attack in their industry within the next year.

Combating attacks like Stuxnet requires collaboration among victim organizations, the security community, and process control vendors. "It's important to emphasize that the Stuxnet response was a community effort. A variety of public and private entities worked together to understand and assess this issue, and then provide improved protections," said Dave Forstrom, director of Microsoft Trustworthy Computing in a statement. "As the threat landscape evolves, we strongly believe that collaboration is the key to the best possible computer security. After all, in the end we and our competitors share a common goal: protecting customers and maintaining the safety of the computing ecosystem."

But while Stuxnet is a major turning point in critical infrastructure security, it's not a foreshadowing of massive power grid destruction, security experts say. The power grid, like the Internet infrastructure, is highly resilient and difficult to take down en masse, says McAfee's Marcus. "If the power grid was [so] fragile, it wouldn't be up now. It would be going up and down" all the time, Marcus says. "Does Stuxnet expose weaknesses in it? Absolutely. Is it a wake-up call? You're darn right."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
