Stuxnet Attack Exposes Inherent Problems In Power Grid SecurityWorm sheds light on ongoing targeted attacks against critical infrastructure, and Iranian news reports infections among nuclear power plant's employee machines
Second installment in a two-part series on the Stuxnet attacks
While the Stuxnet worm attack has raised the bar for targeted attacks on the critical infrastructure, it's not the first time the power grid has been in the bull's eye. Attacks against these systems are actually quite common -- it's just that they are mostly kept under wraps and rarely face public scrutiny like Stuxnet has.
Nearly 60 percent of critical infrastructure providers worldwide, including oil and gas, electric, and telecommunications, say they have been targeted by "representatives" of foreign governments, according to a study published earlier this year by The Center for Strategic and International Studies and commissioned by McAfee. More than half of the respondents had experienced a targeted, stealthy attack akin to the Aurora attacks that hit Google, Adobe, and nearly 30 other companies earlier this year. In addition, nearly 90 percent of the respondents said their networks had been infected with malware, and more than 70 percent had been hit with low-level DDoS attacks and vandalism, insider threats, leakage of sensitive data, and phishing or pharming.
As reported last week, Stuxnet has shed light on just how vulnerable their control systems really are, and as the first known malware attack to target power plant and factory floor systems, it has been a wake-up call for the potential damage that could be inflicted on a power plant and the potential consequences to the physical world. Though no one knows for sure who created and launched it (speculation has pointed to nation-state sponsorship) or what the endgame really was, the concentration of infections has mostly been in Iran and India. Nearly 60 percent of Stuxnet infections were located in Iran, according to Symantec.
Speculation that the worm was specifically gunning for Iran's nuclear power plant gained a bit more traction in the past couple of days: Iran's official news agency reported over the weekend that Stuxnet had infected employee machines at the plant, according to an AP report. And some 30,000 IP addresses had been across Iran, according to other reports.
A German security researcher has said the attack was likely aimed at the Iranian nuclear plant. The IRNA news agency said the head of the Bushehr nuclear plant said the malware didn't damage any "major systems of the plant."
But it's just as likely the attackers were casting a wider net and not just targeting the Iranian plant, researchers say. "I think they were targeting multiple similar systems," says Liam O. Murchu, manager of operations for Symantec Security Response, which has performed in-depth analysis of the Stuxnet malware.
SIMATIC WinCC and PCS 7 programs are what Stuxnet searches for and tries to alter, said in an update to its security advisory on Stuxnet that the malware is "targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications."
The worm was pinpointed in about 15 plants around the globe, according to Siemens, and no actual operations were affected.
PLCs and control systems had been considered relatively insulated from the outside world and attack because they aren't typically Internet-connected. But Stuxnet drove home the worst-kept secret that these systems still are connected to Windows or other machines that can get infected -- in this case, by a USB stick -- and therefore aren't as protected as they had seemed.
"It draws attention to the necessity to understand what's connected to what, what power systems supply that nuclear facility, and what's connected to it," says Phyllis Schneck, vice president and director of threat intelligence for the Americas at McAfee. "This is an example of a very targeted attack. Operation Aurora showed us a lot as the first attack of that level of sophistication to the private sector. We are seeing more and more carefully crafted targeted attacks."
The attackers likely didn't mean for it to spread so widely and go so public. But any time you unleash malware, it's tough to control, notes Dave Marcus, research and communications director for McAfee Labs.
So what does this mean for SCADA and process control systems? That traditional defense-in-depth approaches of firewalls and IDS systems won't catch these application-level attacks, says Eddie Schwartz, CSO for NetWitness, a founding member of the Energy Sec interest group, where power companies swap threat information. "There's no doubt SCADA companies had a rude awakening," Schwartz says.
Power companies and organizations that run these process control systems face challenges securing this traditionally proprietary technology. Many of these products have been known to carry vulnerabilities for years, and typical security tools can't drill down into this often-closed software, Schwartz says. If they are hit with malware, there needs to be a way to catch it, he says.
"A lot of the industry unfortunately is still based on old-style serial interfaces" for communication, he says. The SCADA and power industry will have to follow what retail did with its old POS systems when PCI hit and they needed security. "They suddenly had to implement security ... and some of the interfaces were serial or other types of things that complicated matters," Schwartz says.
Eric Knapp, director of critical infrastructure markets for NitroSecurity, concurs that access to PLCs is needed to secure them properly. "Some utilities are better than others, but there are still a lot of vulnerable control systems out there," Knapp says, pointing to research on SCADA vulnerabilities that was presented this summer at Black Hat USA by Red Tiger Security. "The average age of vulnerability was 311 days for a control system. There were some vulnerabilities over 3 years old."
Meanwhile, downtime from an attack costs critical infrastructure organizations more than $6 million a day, and up to $8 million a day for the oil and gas industries, according to The Center for Strategic and International Studies and McAfee report. Some two-fifths of these organizations said in the report that they expected a major attack in their industry within the next year.
Combating attacks like Stuxnet requires collaboration among victim organizations, the security community, and process control vendors. "It's important to emphasize that the Stuxnet response was a community effort. A variety of public and private entities worked together to understand and assess this issue, and then provide improved protections," said Dave Forstrom, director of Microsoft Trustworthy Computing in a statement. "As the threat landscape evolves, we strongly believe that collaboration is the key to the best possible computer security. After all, in the end we and our competitors share a common goal: protecting customers and maintaining the safety of the computing ecosystem."
But while Stuxnet is a major turning point in critical infrastructure security, it's not a foreshadowing of massive power grid destruction, security experts say. The power grid, like the Internet infrastructure, is highly resilient and difficult to take down en masse, says McAfee's Marcus. "If the power grid was [so] fragile, it wouldn't be up now. It would be going up and down" all the time, Marcus says. "Does Stuxnet expose weaknesses in it? Absolutely. Is it a wake-up call? You're darn right."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio