


Stuxnet Attack Exposes Inherent Problems In Power Grid Security

Worm sheds light on ongoing targeted attacks against critical infrastructure, and Iranian news reports infections among nuclear power plant's employee machines

Second installment in a two-part series on the Stuxnet attacks

While the Stuxnet worm attack has raised the bar for targeted attacks on the critical infrastructure, it's not the first time the power grid has been in the bull's eye. Attacks against these systems are actually quite common -- it's just that they are mostly kept under wraps and rarely face public scrutiny like Stuxnet has.

Nearly 60 percent of critical infrastructure providers worldwide, including oil and gas, electric, and telecommunications, say they have been targeted by "representatives" of foreign governments, according to a study published earlier this year by The Center for Strategic and International Studies and commissioned by McAfee. More than half of the respondents had experienced a targeted, stealthy attack akin to the Aurora attacks that hit Google, Adobe, and nearly 30 other companies earlier this year. In addition, nearly 90 percent of the respondents said their networks had been infected with malware, and more than 70 percent had been hit with low-level DDoS attacks and vandalism, insider threats, leakage of sensitive data, and phishing or pharming.

As reported last week, Stuxnet has shed light on just how vulnerable their control systems really are, and as the first known malware attack to target power plant and factory floor systems, it has been a wake-up call for the potential damage that could be inflicted on a power plant and the potential consequences to the physical world. Though no one knows for sure who created and launched it (speculation has pointed to nation-state sponsorship) or what the endgame really was, the concentration of infections has mostly been in Iran and India. Nearly 60 percent of Stuxnet infections were located in Iran, according to Symantec.

Speculation that the worm was specifically gunning for Iran's nuclear power plant gained a bit more traction in the past couple of days: Iran's official news agency reported over the weekend that Stuxnet had infected employee machines at the plant, according to an AP report. And some 30,000 IP addresses across Iran had been infected, according to other reports.

A German security researcher has said the attack was likely aimed at the Iranian nuclear plant. The IRNA news agency reported that the head of the Bushehr nuclear plant said the malware didn't damage any "major systems of the plant."

But it's just as likely the attackers were casting a wider net and not just targeting the Iranian plant, researchers say. "I think they were targeting multiple similar systems," says Liam O. Murchu, manager of operations for Symantec Security Response, which has performed in-depth analysis of the Stuxnet malware.

Siemens, whose SIMATIC WinCC and PCS 7 programs are what Stuxnet searches for and tries to alter, said in an update to its security advisory on Stuxnet that the malware is "targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications."

The worm was pinpointed in about 15 plants around the globe, according to Siemens, and no actual operations were affected.

PLCs and control systems had been considered relatively insulated from the outside world and attack because they aren't typically Internet-connected. But Stuxnet drove home the worst-kept secret that these systems still are connected to Windows or other machines that can get infected -- in this case, by a USB stick -- and therefore aren't as protected as they had seemed.

"It draws attention to the necessity to understand what's connected to what, what power systems supply that nuclear facility, and what's connected to it," says Phyllis Schneck, vice president and director of threat intelligence for the Americas at McAfee. "This is an example of a very targeted attack. Operation Aurora showed us a lot as the first attack of that level of sophistication to the private sector. We are seeing more and more carefully crafted targeted attacks."

The attackers likely didn't mean for it to spread so widely and go so public. But any time you unleash malware, it's tough to control, notes Dave Marcus, research and communications director for McAfee Labs.

So what does this mean for SCADA and process control systems? That traditional defense-in-depth approaches of firewalls and IDS systems won't catch these application-level attacks, says Eddie Schwartz, CSO for NetWitness, a founding member of the Energy Sec interest group, where power companies swap threat information. "There's no doubt SCADA companies had a rude awakening," Schwartz says.

Power companies and organizations that run these process control systems face challenges securing this traditionally proprietary technology. Many of these products have been known to carry vulnerabilities for years, and typical security tools can't drill down into this often-closed software, Schwartz says. If they are hit with malware, there needs to be a way to catch it, he says.

"A lot of the industry unfortunately is still based on old-style serial interfaces" for communication, he says. The SCADA and power industry will have to follow what retail did with its old POS systems when PCI hit and they needed security. "They suddenly had to implement security ... and some of the interfaces were serial or other types of things that complicated matters," Schwartz says.

Eric Knapp, director of critical infrastructure markets for NitroSecurity, concurs that access to PLCs is needed to secure them properly. "Some utilities are better than others, but there are still a lot of vulnerable control systems out there," Knapp says, pointing to research on SCADA vulnerabilities that was presented this summer at Black Hat USA by Red Tiger Security. "The average age of vulnerability was 311 days for a control system. There were some vulnerabilities over 3 years old."

Meanwhile, downtime from an attack costs critical infrastructure organizations more than $6 million a day, and up to $8 million a day for the oil and gas industries, according to the Center for Strategic and International Studies and McAfee report. Some two-fifths of these organizations said in the report that they expected a major attack in their industry within the next year.

Combating attacks like Stuxnet requires collaboration among victim organizations, the security community, and process control vendors. "It's important to emphasize that the Stuxnet response was a community effort. A variety of public and private entities worked together to understand and assess this issue, and then provide improved protections," said Dave Forstrom, director of Microsoft Trustworthy Computing in a statement. "As the threat landscape evolves, we strongly believe that collaboration is the key to the best possible computer security. After all, in the end we and our competitors share a common goal: protecting customers and maintaining the safety of the computing ecosystem."

But while Stuxnet is a major turning point in critical infrastructure security, it's not a foreshadowing of massive power grid destruction, security experts say. The power grid, like the Internet infrastructure, is highly resilient and difficult to take down en masse, says McAfee's Marcus. "If the power grid was [so] fragile, it wouldn't be up now. It would be going up and down" all the time, Marcus says. "Does Stuxnet expose weaknesses in it? Absolutely. Is it a wake-up call? You're darn right."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
