Stuxnet was a weapon and its spin offs will continue to hit the critical infrastructure for years to come.
In an effort to leave no stone unturned in this important topic, the editors at ISSSource.com decided to take a look at McAfee’s second annual critical infrastructure protection report entitled “In the Dark, Crucial Industries Confront Cyberattacks” written with the Center for Strategic and International Studies (CSIS).
The lengthy report talked about quite a few security issues confronting the industry, this week we excerpted the section on Stuxnet:
Stuxnet had two characteristics that demonstrated the growing threat of cyber attacks.
First, Stuxnet had no obvious criminal payoff. It was pure sabotage.
Stuxnet infects computer systems by exploiting a number of vulnerabilities on Microsoft Windows. Uploaded to the computer through, among other things, a USB drive, shared network files, or SQL databases, Stuxnet targets a specific Siemens SCADA program.
If this software is running, Stuxnet looks for a particular configuration of industrial equipment and then launches an attack designed to manipulate certain microcontrollers to perform erratically while reporting normal functioning to operators of the system.
Second, Stuxnet was an extraordinary advance in sophistication over the type of malware used by the criminal underground. The Belarusian security firm that initially identified Stuxnet at first believed it to be a backdoor for hackers. But closer inspection revealed the complex nature of the virus. It featured multiple Zero Day exploits, has Microsoft Windows driver modules signed using genuine cryptographic certificates stolen from respectable companies, contains about 4,000 functions, and uses advanced anti-analysis techniques to render reverse engineering difficult. It is almost certainly the work of a government, not a criminal gang.
Stuxnet is a weapon.
It is a concrete demonstration that governments will develop malware to sabotage their adversaries’ IT systems and critical infrastructure. It also shows that hostile governments can easily target the SCADA systems on which a nation’s power, gas, oil, water and sewage systems depend, defeating the defenses upon which most companies rely.
According to one expert, most critical infrastructure systems were not designed with cyber security in mind. Within the electric sector, for example, the primary concern has always been maintaining a steady supply of power and an efficient system.
Even today, electric companies still use vendor default passwords because they allow easy access in times of crisis or for maintenance and repair.
Recent power grid modernization efforts are in the same tradition. They have increased efficiency, and they have created new security holes.
Cyber attacks seem probable. All major world powers have acquired or are in the process of acquiring cyber attack capabilities, and critical infrastructure remains a key target.
We asked industries dependent on SCADA systems whether Stuxnet had affected their operations. The answers are striking. Two-fifths of all respondents, and 46 percent of those in the electric industry, said they had found Stuxnet on their systems.
In fact, the electric sector had the highest occurrence of Stuxnet among the critical infrastructure sectors surveyed. More than half of all respondents reported having to take action against Stuxnet.
Three-quarters of respondents that found Stuxnet were confident they removed the malware from their systems. However, action to neutralize Stuxnet varied widely from one country to another, and some of the countries with the higher rates of infection, India, France, and Spain, reported relatively low rates of countermeasure implementation.
Given the global distribution of our survey, these answers are remarkable. While quite possibly targeted at a single facility, Stuxnet chose a roundabout route to reach its target, essentially infecting everyone and then lying dormant if the system it infected did not have the particular configuration it was looking for. Perhaps for this reason, nearly three-quarters of respondents that encountered Stuxnet were confident or very confident they removed or neutralized the malware.
There is no doubt that the awareness of foreign government threats is high. Over half of executives believe foreign governments have been involved in network probes against their domestic critical infrastructure.
On one front, 57 percent of survey respondents said they launched special security audits because of concerns about Stuxnet.
Other than that though, the discovery of Stuxnet on systems did not seem to galvanize companies to action. The highest levels of counter-Stuxnet security measures were in the United Arab Emirates, Italy, and Japan, where rates of Stuxnet infiltration were low. In contrast, countries such as India, where Stuxnet infiltration rates were high, exhibited comparatively low implementation of counter-Stuxnet measures.
There are some that think denial remains part of the industry’s response to Stuxnet.
According to one expert, companies remain focused on resiliency in the event of a denial-of-service cyber attack, rather than a high-end attack intended to sabotage equipment, even though such an attack is fast becoming the leading threat to power and similar sectors.
“Stuxnet was a game-changer, but it will not change the direction in which U.S. cyber security legislation is moving,” one source said. Policymakers have already recognized this threat; the larger problem lies in getting industry to recognize the changing nature of this threat.