9/27/2010
06:12 PM
Stuxnet Attack Exposes Inherent Problems In Power Grid Security

Worm sheds light on ongoing targeted attacks against critical infrastructure, and Iranian news reports infections among nuclear power plant's employee machines

Second installment in a two-part series on the Stuxnet attacks

While the Stuxnet worm attack has raised the bar for targeted attacks on the critical infrastructure, it's not the first time the power grid has been in the bull's eye. Attacks against these systems are actually quite common -- it's just that they are mostly kept under wraps and rarely face public scrutiny like Stuxnet has.

Nearly 60 percent of critical infrastructure providers worldwide, including oil and gas, electric, and telecommunications, say they have been targeted by "representatives" of foreign governments, according to a study published earlier this year by The Center for Strategic and International Studies and commissioned by McAfee. More than half of the respondents had experienced a targeted, stealthy attack akin to the Aurora attacks that hit Google, Adobe, and nearly 30 other companies earlier this year. In addition, nearly 90 percent of the respondents said their networks had been infected with malware, and more than 70 percent had been hit with low-level DDoS attacks and vandalism, insider threats, leakage of sensitive data, and phishing or pharming.

As reported last week, Stuxnet has shed light on just how vulnerable their control systems really are, and as the first known malware attack to target power plant and factory floor systems, it has been a wake-up call for the potential damage that could be inflicted on a power plant and the potential consequences to the physical world. Though no one knows for sure who created and launched it (speculation has pointed to nation-state sponsorship) or what the endgame really was, the concentration of infections has mostly been in Iran and India. Nearly 60 percent of Stuxnet infections were located in Iran, according to Symantec.

Speculation that the worm was specifically gunning for Iran's nuclear power plant gained a bit more traction in the past couple of days: Iran's official news agency reported over the weekend that Stuxnet had infected employee machines at the plant, according to an AP report. And some 30,000 IP addresses had been infected across Iran, according to other reports.

A German security researcher has said the attack was likely aimed at the Iranian nuclear plant. The IRNA news agency said the head of the Bushehr nuclear plant said the malware didn't damage any "major systems of the plant."

But it's just as likely the attackers were casting a wider net and not just targeting the Iranian plant, researchers say. "I think they were targeting multiple similar systems," says Liam O. Murchu, manager of operations for Symantec Security Response, which has performed in-depth analysis of the Stuxnet malware.

Siemens, whose SIMATIC WinCC and PCS 7 programs are what Stuxnet searches for and tries to alter, said in an update to its security advisory on Stuxnet that the malware is "targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications."

The worm was pinpointed in about 15 plants around the globe, according to Siemens, and no actual operations were affected.

PLCs and control systems had been considered relatively insulated from the outside world and attack because they aren't typically Internet-connected. But Stuxnet drove home the worst-kept secret that these systems still are connected to Windows or other machines that can get infected -- in this case, by a USB stick -- and therefore aren't as protected as they had seemed.

"It draws attention to the necessity to understand what's connected to what, what power systems supply that nuclear facility, and what's connected to it," says Phyllis Schneck, vice president and director of threat intelligence for the Americas at McAfee. "This is an example of a very targeted attack. Operation Aurora showed us a lot as the first attack of that level of sophistication to the private sector. We are seeing more and more carefully crafted targeted attacks."

The attackers likely didn't mean for it to spread so widely and go so public. But any time you unleash malware, it's tough to control, notes Dave Marcus, research and communications director for McAfee Labs.

So what does this mean for SCADA and process control systems? That traditional defense-in-depth approaches of firewalls and IDS systems won't catch these application-level attacks, says Eddie Schwartz, CSO for NetWitness, a founding member of the Energy Sec interest group, where power companies swap threat information. "There's no doubt SCADA companies had a rude awakening," Schwartz says.

Power companies and organizations that run these process control systems face challenges securing this traditionally proprietary technology. Many of these products have been known to carry vulnerabilities for years, and typical security tools can't drill down into this often-closed software, Schwartz says. If they are hit with malware, there needs to be a way to catch it, he says.

"A lot of the industry unfortunately is still based on old-style serial interfaces" for communication, he says. The SCADA and power industry will have to follow what retail did with its old POS systems when PCI hit and they needed security. "They suddenly had to implement security ... and some of the interfaces were serial or other types of things that complicated matters," Schwartz says.

Eric Knapp, director of critical infrastructure markets for NitroSecurity, concurs that access to PLCs is needed to secure them properly. "Some utilities are better than others, but there are still a lot of vulnerable control systems out there," Knapp says, pointing to research on SCADA vulnerabilities that was presented this summer at Black Hat USA by Red Tiger Security. "The average age of vulnerability was 311 days for a control system. There were some vulnerabilities over 3 years old."
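The two defensive points made above, knowing which Windows hosts can reach which PLCs (and by what path, such as removable media) and tracking how long a control-system vulnerability has gone unpatched, can be turned into a routine inventory check. The following is an added example, not code from the article or from any of the vendors quoted; the asset names, vulnerability identifiers, dates and the 90-day threshold are all constructed for illustration.

```python
"""Constructed example: a small control-system inventory check.

It computes the age in days of each unpatched vulnerability (the figure
Red Tiger Security's research is quoted on above) and flags PLCs that are
reachable, directly or through another host, from a Windows machine with
removable media enabled. Every asset, vulnerability id and date below is
made up; nothing here describes a real plant."""

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    name: str
    kind: str                      # "plc" or "windows_host"
    # (vulnerability id, disclosure date, patched?) -- constructed values
    vulns: list = field(default_factory=list)
    usb_enabled: bool = False      # removable media allowed on this host
    links: list = field(default_factory=list)   # asset names this one can reach


# Constructed inventory (hypothetical names, not from the article).
INVENTORY = [
    Asset("ENG-WS-01", "windows_host", usb_enabled=True, links=["PLC-01", "HMI-02"]),
    Asset("HMI-02", "windows_host", usb_enabled=False, links=["PLC-02"]),
    Asset("PLC-01", "plc", vulns=[("VULN-A", date(2009, 10, 1), False),
                                  ("VULN-B", date(2010, 8, 1), True)]),
    Asset("PLC-02", "plc", vulns=[("VULN-C", date(2010, 9, 1), False)]),
    Asset("PLC-03", "plc"),        # isolated, no known issues
]
TODAY = date(2010, 9, 27)          # fixed so the results are reproducible


def vuln_ages(asset, today):
    """Map each unpatched vulnerability id on an asset to its age in days."""
    return {vid: (today - disclosed).days
            for vid, disclosed, patched in asset.vulns if not patched}


def stale_vulns(assets, today, max_age_days=90):
    """Return (asset name, vuln id, age) for unpatched vulns older than the threshold."""
    stale = []
    for asset in assets:
        for vid, age in vuln_ages(asset, today).items():
            if age > max_age_days:
                stale.append((asset.name, vid, age))
    return stale


def exposed_plcs(assets):
    """Return sorted (windows host, plc) pairs where the host has removable media
    enabled and can reach the PLC, following links transitively through other assets."""
    by_name = {a.name: a for a in assets}
    exposed = set()
    for host in assets:
        if host.kind != "windows_host" or not host.usb_enabled:
            continue
        stack, seen = list(host.links), set()
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            target = by_name[name]
            if target.kind == "plc":
                exposed.add((host.name, target.name))
            stack.extend(target.links)
    return sorted(exposed)


if __name__ == "__main__":
    for entry in stale_vulns(INVENTORY, TODAY):
        print("stale vulnerability:", entry)
    for host, plc in exposed_plcs(INVENTORY):
        print(f"{plc} reachable from USB-enabled host {host}")
```

Run as a script it lists the one vulnerability past the threshold and the two PLCs that a USB-enabled engineering workstation can reach, one of them only through an intermediate HMI. The transitive walk is the point of the exercise: a PLC with no direct link to a removable-media host can still be one hop away from it.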

Meanwhile, downtime from an attack costs critical infrastructure organizations more than $6 million a day, and up to $8 million a day for the oil and gas industries, according to The Center for Strategic and International Studies and McAfee report. Some two-fifths of these organizations said in the report that they expected a major attack in their industry within the next year.

Combating attacks like Stuxnet requires collaboration among victim organizations, the security community, and process control vendors. "It's important to emphasize that the Stuxnet response was a community effort. A variety of public and private entities worked together to understand and assess this issue, and then provide improved protections," said Dave Forstrom, director of Microsoft Trustworthy Computing in a statement. "As the threat landscape evolves, we strongly believe that collaboration is the key to the best possible computer security. After all, in the end we and our competitors share a common goal: protecting customers and maintaining the safety of the computing ecosystem."

But while Stuxnet is a major turning point in critical infrastructure security, it's not a foreshadowing of massive power grid destruction, security experts say. The power grid, like the Internet infrastructure, is highly resilient and difficult to take down en masse, says McAfee's Marcus. "If the power grid was [so] fragile, it wouldn't be up now. It would be going up and down" all the time, Marcus says. "Does Stuxnet expose weaknesses in it? Absolutely. Is it a wake-up call? You're darn right."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
