November 18, 2010

Stuxnet Threatens Critical Infrastructure: Experts

The Stuxnet virus that breached Iran's nuclear facilities earlier this year presents a threat to critical infrastructure worldwide, including power, water and chemical facilities, warned cybersecurity experts on Wednesday.

Testifying before a Senate committee, Sean McGurk, acting director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC), called Stuxnet a "game-changer."

The virus has "significantly changed the landscape of targeted cyberattacks," McGurk said during testimony before the Senate Committee on Homeland Security and Governmental Affairs.

"For us, to use a very overused term, it's a game-changer," he said, referring to the Stuxnet worm that targets computer control systems made by Siemens used to manage power plants, water supplies, oil rigs and other critical infrastructure.

Stuxnet was first detected in July, with sixty percent of its infections having been discovered in Iran, leading some experts to speculate that the virus was meant to sabotage the nuclear facilities there, particularly the Russian-built nuclear plant in Bushehr.

Network security firm Symantec said last week that Stuxnet may have been purposely built to disrupt the motors that power gas centrifuges used to enrich uranium.

The attacks in Iran should be a "wake-up call to critical infrastructure systems around the world," said Dean Turner, director of Symantec's Global Intelligence Network, during testimony before the Senate panel.

"This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructures such as power plants, dams and chemical facilities," he said.

Stuxnet was so sophisticated that only a "select few attackers" are capable of posing a similar threat.  However, it underscores that "direct-attacks to control critical infrastructure are possible and not necessarily spy novel fictions," he added.

"The real-world implications of Stuxnet are beyond any threat we have seen in the past," Turner cautioned.

In September, the New York Times reported that the Stuxnet code included a reference to the Book of Esther, the Old Testament story in which the Jews obstruct a Persian plot to annihilate them, and could point to a possible clue of Israeli involvement.

However, McGurk declined to speculate about Stuxnet's origins or goals, saying only that the U.S. analysis of the worm "indicates that a specific process was likely targeted."

"While we do not know which process was the intended target, it is important to note that the combination of Windows operating software and Siemens hardware can be used in control systems across critical infrastructure sectors -- from automobile assembly lines to mixing baby formula to processing chemicals," he said.

"The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors," McGurk said.

"These systems are used to operate physical processes that produce the goods and services that we rely upon, such as electricity, drinking water, and manufacturing."

"Although each of the critical infrastructure industries, from energy though water treatment, is vastly different, they all have one thing in common: they are dependent on control systems to monitor, control, and safeguard their processes."

"A successful cyberattack on a control system could potentially result in physical damage, loss of life, and cascading effects that could disrupt services," he cautioned.

With Stuxnet, "I don't have to break into the front door and actually steal the formula or the intellectual property of what you're manufacturing," he said.

"I can actually go the devices themselves, read the settings and reverse engineer the formula for whatever the process is that's being manufactured."

"In addition, I can make modifications to the physical environment so that you would be unaware of those changes being made."

"In other words, this code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product, and indicate to the operator and your anti-virus software that everything is functioning as expected."


On the Net: