Risk
9/27/2010
12:53 PM
George V. Hulme
Commentary

Stuxnet Pwned Iran. Are We Next?

For the past few weeks rumors had run rampant about the purported targets of the Stuxnet worm. One of those rumors was that the worm was targeting Iran's controversial nuclear sites. Now, according to news reports that hit yesterday, those rumors may very well be right. There's a warning in all of this for the United States.

For example, this story, Computer Worm Hits Iran Power Plant, which ran in the Wall Street Journal, makes the case that Stuxnet hit Iran hard:

"Studies conducted show some personal computers of the Bushehr nuclear-power plant workers are infected with the virus," the facility's project manager, Mahmoud Jafari, told Iran's official Islamic Republic News Agency. He said the virus hasn't caused major damage and won't affect the scheduled completion of the plant next month.

And on the scope of the attack, from the same story:

The acknowledgment of the infiltration at Bushehr followed another revelation over the weekend that an Iranian investigation found that Stuxnet had infected 30,000 machines involved in running industrial control systems, the director of Iran's Information Technology Council of the Industries and Mines Ministry told another Iranian news agency on Saturday. "An electronic war has been launched against Iran," the director, Mahmoud Liaii, said.

Specialists from Iran's nuclear agency met last week to discuss how to battle the Stuxnet virus, according to Iranian reports. A cyber attack on Bushehr is dangerous because the worm is capable of reprogramming the systems controlling the plant, but the facility at Bushehr isn't considered to be a significant proliferation risk because it is under U.N. controls.

However, Iran denies that the worm struck its first nuclear plant at Bushehr. From the AFP yesterday:

The malicious Stuxnet computer worm has hit 30,000 industrial computers in Iran, officials said on Sunday, but denied the Islamic republic's first nuclear plant at Bushehr was among those infected.

So far, Stuxnet has infected about 30,000 IP addresses in Iran, Mahmoud Liayi, head of the information technology council at the ministry of industries, was quoted as saying by the government-run newspaper Iran Daily.

While Stuxnet has struck industrial systems around the globe, confirmed infections of that magnitude concentrated in one country certainly lend credibility to the theory that Iran's nuclear program was the target of the attack.

We will probably never know exactly where Stuxnet originated, but no doubt suspicions will remain on the U.S. and Israel.

Today, while most attention is on Stuxnet, we are reminded just how vulnerable the United States, as one of the nations most dependent on technology, is to becoming the victim of such attacks on its own power grid and critical infrastructure. Or perhaps we've already been hacked, and widespread compromises already exist.

From the Wall Street Journal's story Electricity Grid in U.S. Penetrated By Spies:

WASHINGTON -- Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

And yet we are still grappling with how we are going to protect our critical infrastructure from such attacks. InformationWeek's J. Nicholas Hoover's story Cyber Command Director: U.S. Needs To Secure Critical Infrastructure makes clear that this country is still not sure how to go about protecting the electronic infrastructure on which we so heavily depend:

General Keith Alexander, director of the new U.S. Cyber Command and the National Security Agency, is advocating the creation of a "secure, protected zone" in which critical infrastructure like the financial industry, the power grid and the defense industrial base would operate on the Internet, he said in an interview with a select group of reporters Wednesday afternoon ahead of his testimony to the House Armed Services Committee on Thursday morning.

Though Gen. Alexander noted that such a solution was just one that is on the table, he stressed that the federal government, including U.S. Cyber Command, will likely be part of a team approach to helping protect the nation's critical infrastructure from devastating cyber attacks.

The White House, he said, is leading a group to look at cybersecurity policy and at the authorities currently in place to protect the nation's networks, including critical infrastructure networks.

"The question is, how do we do it," Alexander said. "Doing it, technically, is fairly straightforward. Getting everybody satisfied is the harder thing." Any such plan, he said, would leave the commercial Internet, "where our kids might communicate," untouched.

What a troubling state. It's been more than eight years since the first National Strategy To Secure Cyberspace was published, and although much attention has been paid in those years to the security of the nation's critical infrastructure, we still don't have a functional defense plan in place.

For my security and technology observations throughout the day, consider following me on Twitter.
