Malware Attacks Decline In SCADA, Industrial Control Systems, Report Says

But targeted, stealthy attacks like Stuxnet and APT-type attacks against industrial control systems are expected to rise
Malware accounts for close to one-third of all real-world industrial control system security incidents recorded in the Security Incidents Organization's Repository of Industrial Security Incidents (RISI) database, according to a new report published by the SIO. But while malware incidents showed a marked decline since 2003 among the 60 incidents chronicled in the report, the advent of Stuxnet is expected to change all of that.

Eric Byres, CTO of Byres Security and author of the 2011 "Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems Resulting from Malware Infections," says the reason for the overall decline in malware-borne attacks and infections on power plants and other industrial control systems is that "noisy" malware is out -- and stealthy, targeted malware is in. Many process control firms learned the hard way after SQL Slammer, Sasser, and Blaster hit the industry, and finally started instituting anti-malware, intrusion detection, network segmentation, and other security measures, according to the report.

While many of the process control system incidents included in the report -- which provides a rare inside look at this traditionally cloistered industry -- were from old-school SQL Slammer and other high-profile attacks, these incidents were mostly inadvertent and definitely not money-making. "The stuff made a heck of a racket and was wide-scale destructive. But there was no money to be made," Byres says. "The money-making [attacks] are focused on advanced persistent threats ... We are starting to see very quiet, subtle attacks like Stuxnet, Ghostnet, and Night Dragon," which are more effective and lucrative, he says.

"Now they are stealing stuff and selling it," he adds.

That shift is mostly attributable to the discovery of Stuxnet, a well-financed operation that most security experts attribute to a nation-state. Stuxnet expert Ralph Langner last week told attendees at the TED Conference that he has concluded the U.S. and Israel were behind Stuxnet, which targeted Iran's nuclear program.

One large, unnamed U.S. power company that runs the same Siemens PLC equipment that Stuxnet targeted was caught in the crossfire of Stuxnet in July 2010, with 43 operator and programming stations infected by the worm, Byres says. "It did minor, accidental changes to their process and modified their configuration files. It wasn't meant to be destructive -- but it was enough to cause them trouble," he says, and it took them a month to fully clean up their systems.

Byres says he and other security experts worry that Stuxnet will provide future attackers with a model payload for targeting other process control systems. What concerns them is not the four Windows exploits it used, nor its propagation via USB drives, but the payload itself. "If you look at Stuxnet, it was a textbook case on how to destroy a process ... That payload of how to mess up a PLC was very unique, clever, and completely reusable," he says.

Major oil companies and big names like Boeing are preparing for APT and other targeted attacks to rise, he says. "Boeing has a whole team looking at the APT," he says. "But there are other companies that are only just waking up. Some have asked us, 'What's Stuxnet?'" Byres says.

Meanwhile, the report says that 22 percent of the industrial control system malware attacks cost the victims $10,000 or more, while one incident cost the victim organization $10 million in damages.

Byres says that while physical attacks have traditionally posed a bigger threat to these facilities than malware-borne ones, the pendulum is swinging. "Even just a few years ago, there were definitely more physical risks with someone climbing over with a sledgehammer and smashing things, particularly for small-scale destruction," he says. "But that's starting to change, especially with things like the huge clampdown since 9/11" on sensitive facilities, he says.

The largest number of malware-borne incidents occurred in 2003, during the SQL Slammer epidemic, with 24 reported incidents, followed by 2004 with 16. Petroleum companies account for the most malware attacks, followed by power and utilities (12 incidents), then water and wastewater, transportation, chemical, and food/beverage, with five incidents each reported in the RISI database, which logs private incident reports and gathers data from publicly disclosed ones.
