For the last few months, a sophisticated computer worm has wriggled its way between some of the most critical control systems in the world.
The timing of the worm’s release, combined with several clues buried in its code, has led some experts to speculate that the worm, dubbed Stuxnet, was originally designed to sabotage an Iranian nuclear facility, possibly the enrichment plant in Natanz, roughly 180 miles south of Tehran. This week, officials in Iran confirmed that Stuxnet had been found on systems inside the plant, although they denied that it had caused any harm.
But Stuxnet has since spread to hundreds more industrial systems within Iran and around the world. Experts say this highlights a worrisome weak spot in critical infrastructure that could become a new focus for saboteurs and malicious hackers.
Stuxnet infects computers by using previously unseen flaws in Microsoft’s Windows operating system. It has most likely spread via hand-carried USB flash drives. From an infected Windows computer, it targets a specialized type of computer known as a programmable logic controller, or PLC. These computers are widely used in critical infrastructure, including manufacturing, water processing, power generation, and transportation. PLCs connect to, and control, devices used to perform many tasks, from opening a door to increasing the flow of fuel inside a power plant.
Stuxnet is the first example of attackers targeting the specialized computers that control industrial operations, security experts say. “It goes down into the embedded device, inserts itself, and starts doing command-and-control,” says Walter Sikora, vice president of security solutions for Industrial Defender, a security consultancy that focuses on critical infrastructure. “This is an area that was unprecedented in terms of a virus or a worm or any other kind of malware.”
The worm’s code focuses on a type of PLC made by Siemens. A pattern in the code–designed to match that of a specific application–suggests that the worm’s authors had a specific facility in mind. On the target system, the program would inhabit a privileged place where it could monitor and control many devices.
“The ability to not only target a certain type of system but to surgically and elaborately get whatever you want from a machine to which we will never be able to attribute back to you–that’s scary,” says Phyllis Schneck, vice president and chief technology officer for security firm McAfee’s public sector group.
Security experts say that critical infrastructure firms need to respond quickly in order to protect their systems from Stuxnet, and warn that its spread may mark the beginning of increased cyber espionage and sabotage.
Dale Peterson, CEO of Digital Bond, a consultancy specializing in industrial security, says others will attempt to replicate and improve on the Stuxnet attack. “Before, it was just a theory–it was the geeky guys who knew control systems that said you could do these things,” Peterson says. “Now they have a real example to point to as a technical demonstration.”
Unfortunately, most industrial companies may not be quick to react. Manufacturers and utilities have an installed base of controllers that are normally upgraded only every 10 or 15 years, and sometimes less frequently. Most PLCs allow unauthenticated uploads–anyone who can connect to the network is considered an administrator. “If you can ping the PLC, you can do whatever you want to it,” Peterson says.
System manufacturers and utilities have always considered low cost, reliability, and safety to be the most important aspects of their control systems. Security has amounted to limiting physical and Internet access to control devices, and many systems do not have the most recent security patches. Some systems cannot be patched because they are running older operating systems that are no longer supported, says Sikora.
“Microsoft released a security patch for the vulnerability used by Stuxnet, but they didn’t release it for Windows NT,” he says.
The embedded controllers that monitor, and sometimes control, power in households as part of the U.S. smart grid initiatives are actually more secure than the programmable logic controllers. Security researchers and hackers have already tested many smart grid devices, showing manufacturers some significant flaws. By the time these devices are widely installed in homes, they should be far more secure.
But a lack of regulations and security expertise is slowing efforts to secure industrial systems, Sikora says. At a recent conference, he asked technical managers responsible for critical infrastructure systems if they had heard of Stuxnet. Few had. “From what I see, nothing is going to change, even though everything should,” he says.