I have spoken recently quite a few times about the possibility of cyber attacks on SCADA systems. Well, now we have had a very high profile one. The Stuxnet worm has infected a large number of PCs involved in industrial control systems. Everything I have read, and all the “smart guys” to whom I have talked, agree about a few things.
One, Stuxnet has been around for a while (months, not years). Two, it is a very sophisticated piece of malware. It not only attacks the Siemens control system software through a vulnerability but also goes after four different Windows vulnerabilities that were all previously unknown zero days.
Three, it was not made by some random hacker or hacker organization. Pretty much everyone agrees that it was a nation-state product (remember, we’ve thought this before and been wrong). In this case, I agree with the bulk of the commentators.
Four (this is where I diverge), there seems to be a rush to report that it is specifically designed to go after the Iranian nuke plant. Frankly, this does not make sense to me. Control system attacks are normally customized because they need to be. This one might be effective against the Iranian control systems (as reported by the Iranians themselves), but it is also pretty good against anyone/any installation using the Siemens software package. I don’t know if all the pointing to Iran as a target is meant to give folks some kind of comfort or to just scare Iran.
What I do know is that this shows that the so-called experts who have discounted control system attacks as low in likelihood (because they are not fully hooked to the net and because the systems are idiosyncratic) are wrong. It takes a better weapon, and more care to emplace it, but it can be done, and indeed has been. The tendency/trend to network control systems (at least to each other), and to try to use more uniform software, is building vulnerabilities right along with all the (very real) benefits of those actions.
Clearly, this situation requires further investigation. The sophistication of the Stuxnet worm is a harbinger of things to come. Greater care must be taken to avoid introduction of malware through thumb drives and other external media, and the vulnerabilities must be patched. Presently, our industrial control systems are at risk. If an enemy is skilled enough, and has the time to do the recon/research, they will likely do us harm.
We must admit the control systems are vulnerable and work to protect them.