Stuxnet: A Disaster Waiting to Happen
Probable but not provable analyses indicate that the Israeli and American intelligence community created and deployed Stuxnet, a significant effort requiring about two dozen people over a six-month period, to inhibit or stall Iranian nuclear-weapon ambitions. On Aug. 2, 2011, in a House of Representatives hearing, two witnesses from the Office of Cybersecurity and Communications (Roberta Stempfley and Sean McGurk) gave an explanation: “This code can automatically enter a system, steal the formula for the product being manufactured, alter the ingredients being mixed, and indicate to the operator and antivirus software that everything is functioning normally.”
What is now known is that Stuxnet is malware that subverts the programmable logic controller (PLC) rootkit in supervisory control and data acquisition (SCADA) systems; the original targets were those made by Siemens and used in the Natanz plant. The Siemens equipment was embargoed and procured illegally by Iran for use at this enrichment site. This is the first and only malware that targets industrial control systems, and it is now in the process of being extended to other SCADA devices used worldwide by industry, pipelines and electric distribution grids. It has already breached security at thousands of facilities – over 30,000 in Iran alone, where 58.85% of computers are infected. Other nations are affected: 18.22% in Indonesia, 8.31% in India and 1.56% in America are compromised. Other evaluators of this evolving problem say that about 100,000 sites worldwide have been infected as a test of this cyber-weapon.
While Stuxnet does little harm to computers or networks not meeting specific configurations, some have expressed concern that Siemens’ SCADA antivirus is embedded with the codes that update Stuxnet instead of eradicating it. Siemens has released a detection and removal tool for Stuxnet. Some are also concerned that Stuxnet will not erase itself on June 24, 2012, as alleged. It is believed that the worm uses a layered attack against three different systems: the Windows operating system; Siemens PCS-7, WinCC and STEP7 industrial software; and one or more Siemens S7 PLCs.
This matter is of extraordinary importance to readers of this journal because essentially all companies in materials fabrication and processing are reliant on SCADA systems. Further, adjustments made to the Stuxnet malware are a terrible liability in the offing, brought by terrorists and industrial predators “reissuing it in a new form.”
As the National Institute of Standards and Technology in Gaithersburg, Md., recommends, common sense must carry the day. Restrict access to the network and its devices; deploy security patches; disable unused ports and services; restrict user privileges to what is required; monitor audit trails; use antivirus software; maintain functionality in adverse conditions such as cascading events; and have an incident response plan. Then there are processes of “whitelisting,” which allow only pre-approved executable files to run, in methods that segment SCADA operations into discrete increments. Computer experts believe that whitelisting is the antivirus of the future.
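To illustrate the whitelisting idea, the following Python example (added here; it is not part of the original column and not any vendor's product) records SHA-256 hashes of approved files while a system is known-good, then reports any file that is new, changed or missing. The file names and contents are constructed, and the code audits after the fact, whereas whitelisting products block unapproved files at launch.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(root):
    """Return {relative path: SHA-256} for every file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result

def audit(root, allowlist):
    """Compare the files now on disk with the approved baseline."""
    current = snapshot(root)
    findings = []
    for rel, digest in current.items():
        if rel not in allowlist:
            findings.append((rel, "UNAPPROVED"))  # never pre-approved
        elif allowlist[rel] != digest:
            findings.append((rel, "MODIFIED"))    # approved name, different content
    findings += [(rel, "MISSING") for rel in allowlist if rel not in current]
    return sorted(findings)

def demo():
    """Constructed scenario: baseline two files, then tamper and re-audit."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        write("hmi_runtime.exe", b"approved build 1")  # constructed file names
        write("plc_comm.dll", b"approved library")
        allowlist = snapshot(root)                     # taken while known-good
        write("plc_comm.dll", b"swapped library")      # approved file replaced
        write("dropped.tmp", b"unknown executable")    # file never approved
        return audit(root, allowlist)

if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:11} {path}")
```

The baseline itself has to be stored where the monitored machine cannot rewrite it, otherwise a changed file and a changed allowlist would agree with each other.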
It is highly recommended that IH readers obtain qualified guidance to enhance computer security in this vital area. Several industry organizations, professional societies and federal offices have released standards and best-practices guides. None of the following is specifically recommended, but they provide readers a place to start in seeking aid.
a.) Andrew Ginter, chief security officer, or Walt Sikora, VP of security solutions, Industrial Defender Inc.; www.industrialdefender.com, 508-718-6700
b.) J.T. Keating, VP of marketing, CoreTrace Corp.; www.coretrace.com, 512-592-4100
c.) Tom Flowers, Flowers Control Center Solutions LLC; 936-894-3649
d.) Carl Stabb, Emerson Process Management; www.emersonprocess.com, 512-835-2190
e.) North American Electric Reliability Corp.; 202-383-2622
f.) Dave Graham, vice president, Owl Computing Technologies; www.owlcti.com, 203-894-9344
g.) Dr. Richard Piggin, consultant; email@example.com