Stuxnet: Future of warfare? Or just lax security?

Summary: The Stuxnet worm has hit the big time after Iranian officials confirmed that the malicious code was wreaking havoc at its first nuclear power station. Stuxnet chatter that started in July boiled over three months later.

Topics: Security, Malware

The Stuxnet worm has hit the big time after Iranian officials confirmed that the malicious code was wreaking havoc at the country's first nuclear power station.

This malware, which surfaced back in July, can take over industrial operating systems---known as SCADA---and control plants. Roughly 15 systems have been infected globally. The first reaction to the Iran malware woes is that it couldn't have happened to a nicer country. But then you realize that Stuxnet could really just be the start of cyberwarfare and key infrastructure is at risk.

Questions abound about Stuxnet. Did Israel plant the virus? How about the U.S.? Or is Iran simply hit by Stuxnet like the other countries that have seen the virus? These questions have been brewing for weeks and came to a boil over the weekend. In any case, every utility company and the Department of Homeland Security are looking out for it. The Pentagon is supposed to have a Cyber Command ready next month. Other agencies remain vulnerable.

Needless to say there have been a bevy of Stuxnet headlines:

Here's the Google Trend data for Stuxnet.

What we may be seeing is the precursor to the new-age air attack---viruses hitting key infrastructure like electric grids, plants and other key systems. In addition, Stuxnet is rather elegant, so perhaps it was state-sponsored. Sophos notes:

Stuxnet is a highly sophisticated piece of malware, which used a number of techniques which hadn't been seen before (for instance, exploiting zero day vulnerabilities in Microsoft's code).

Ryan Naraine noted earlier this month:

The attackers behind the recent Stuxnet worm attack used four different zero-day security vulnerabilities to burrow into — and spread around — Microsoft’s Windows operating system.

The other key thread here focuses on the preparation for Stuxnet.

Also see: Should a targeted country strike back at the cyber attackers?

Siemens equipment has been front and center of these malware attacks and the company has a pretty big knowledge base on the virus and patching instructions. Stuxnet hits Microsoft computers. Siemens details in its product update from Sept. 17:

1. The virus has been isolated on a test system in order to carry out more extensive investigations. Previously analyzed properties and the behavior of the virus in the software environment of the test system suggest that we are not dealing with the random development of one hacker, but with the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge.

2. As far as we know at the moment, industrial controls from Siemens are affected. The Trojan is activated whenever WinCC or PCS7 software from Siemens is installed.

3. Further investigations have shown that the virus can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data. This means that the malware is able, under certain boundary conditions, to influence the processing of operations in the control system. However, this behavior has not yet been verified in tests or in practice.

4. The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.

5. This means that Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications.

6. This conclusion also coincides with the number of cases known to Siemens where the virus was detected but had not been activated, and could be removed without any damage being done up to now. This kind of specific plant was not among the cases that we know about.

However, Sophos notes that Siemens' advice isn't perfect.

Stuxnet knows the default password used by the Siemens SCADA software, but - astonishingly - Siemens advised power plants and manufacturing facilities not to change their default password. That's despite it being public knowledge on the web for some years.

In any case, Microsoft patch KB2347290 has been successfully tested on Siemens SCADA systems. Add it up and all this spy vs. spy talk may just be a case of lax patching procedures. Microsoft shipped an emergency patch and then an official one, but could have squashed Stuxnet earlier.
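As an added illustration (not code from the article, Siemens or Microsoft), a small inventory-triage script that applies the two facts the page gives: the Trojan activates where Siemens WinCC or PCS7 is installed, and KB2347290 is the Microsoft patch reported as tested on Siemens systems; the removable-media flag reflects the USB infection path raised in the comments below. Host names, product strings and the KB9999999 id are constructed placeholders.

```python
from dataclasses import dataclass

# Products the Siemens update (item 2) names as the activation trigger,
# and the Microsoft patch the article reports as tested on Siemens SCADA hosts.
TRIGGER_PRODUCTS = ("wincc", "pcs7", "pcs 7")
REQUIRED_HOTFIX = "KB2347290"

@dataclass
class Host:
    name: str
    software: tuple        # installed product names as inventoried
    hotfixes: tuple        # hotfix ids, e.g. "KB2347290" or bare "2347290"
    removable_media: bool  # True if USB mass storage is still permitted

def normalize_kb(hotfix: str) -> str:
    """Accept 'KB2347290', 'kb2347290' or bare '2347290'; return 'KB2347290'."""
    digits = hotfix.strip().upper()
    return digits if digits.startswith("KB") else "KB" + digits

def runs_trigger_software(host: Host) -> bool:
    return any(t in s.lower() for s in host.software for t in TRIGGER_PRODUCTS)

def is_patched(host: Host) -> bool:
    return REQUIRED_HOTFIX in {normalize_kb(h) for h in host.hotfixes}

def triage(host: Host) -> tuple:
    """CRITICAL: Siemens software and no patch. HIGH: no patch. MEDIUM: USB allowed."""
    reasons = []
    if runs_trigger_software(host):
        reasons.append("Siemens WinCC/PCS7 installed: Stuxnet activates on such hosts")
    if not is_patched(host):
        reasons.append(REQUIRED_HOTFIX + " not installed")
    if host.removable_media:
        reasons.append("removable media allowed (reported USB infection path)")
    if runs_trigger_software(host) and not is_patched(host):
        return "CRITICAL", reasons
    if not is_patched(host):
        return "HIGH", reasons
    return ("MEDIUM" if host.removable_media else "LOW"), reasons

# Constructed sample inventory; host names and KB9999999 are placeholders.
SAMPLE_HOSTS = (
    Host("hmi-01", ("Siemens SIMATIC WinCC 7.0",), ("KB9999999",), True),
    Host("eng-ws-02", ("Siemens SIMATIC PCS 7",), ("2347290",), True),
    Host("file-srv-03", ("Windows Server",), ("KB9999999",), False),
    Host("office-pc-04", ("Microsoft Office",), ("kb2347290",), False),
)

def report(hosts=SAMPLE_HOSTS) -> dict:
    return {h.name: triage(h)[0] for h in hosts}
```

Feed it a real inventory (product list plus installed hotfix ids per host) and the CRITICAL entries are the hosts where both the activation condition and the unpatched spreading hole coincide.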


Talkback

33 comments
  • Tip of the iceberg.

    As surely as roads and highways became targets in past wars, its digital counter part will be the target of choice in the future.
    No_Ax_to_Grind
  • "Windows", just read the word.

    "Windows" was designed to have windows everywhere....no wonder the French government said bye to Redmond products when they discovered that NSA key in Windows NT, back in '96.
    Windows is designed to be exploited.
    neeeko
    • Can you provide a reference to this?

      @neeeko: [i]"Windows" was designed to have windows everywhere....no wonder the French government said bye to Redmond products when they discovered that NSA key in Windows NT, back in '96.
      Windows is designed to be exploited.[/i]

      I'm not aware of any such key (whatever that means).
      ye
      • Part of the tin-hat society mantra...

        @ye

        http://articles.cnn.com/1999-09-03/tech/9909_03_windows.nsa.02_1_national-security-agency-cryptography-windows-nt4?_s=PM:TECH

        Of course, if it was true, then all parties would deny it. Trouble with being paranoid. Sometimes they are out to get you ;-)
        Bruizer
      • Thanks for the link Bruizer.

        @Bruizer: A very weak case for the existence of such a key so I'll have to ask neeeko again for a supporting link.
        ye
      • RE: Stuxnet: Future of warfare? Or just lax security?

        @ye I'm with you. I read that article, and I see a report by someone who doesn't understand PKI. The embedded key is simply the public portion of the key. The article's author is looking for a conspiracy.
        William_P
    • RE: Stuxnet: Future of warfare? Or just lax security?

      @neeeko

      I remember the good old days when people refused to use Windows in industrial control because of its unreliability -- and this was before viruses, worms and trojan horses were so common.

      Besides: doesn't Windows still have a clause in the license agreement disallowing use in nuclear power plants? If Iran simply ignored this, then they deserve what they got.

      Then again, the article makes it sound like it was Siemens that integrated Windows into their control software: but Siemens really should have known better.
      mejohnsn
  • lax patching procedures are not MS fault and happen to all os's

    Better to have Windows than the 10x more security vulnerabilities of Linux that the Chicoms all love exploiting without a hint of a patch ever coming...
    Johnny Vegas
    • RE: Stuxnet: Future of warfare? Or just lax security?

      Yeah, good thing ATMs are starting to use Windows OS. The dumbest thing ever thought up, but OK'd by you. Next, according to you, ALL routers and switches should be changed to Windows for its outstanding stability and lack of being a resource hog and, well, of course its minimal exploits. I mean, according to you, all routers, switches etc. are being exploited hardcore due to the fact they are running Unix and it's worse than Windows. Grats, you should put that outstanding knowledge base you have to good work somewhere.
      bspurloc
    • I am a Windows guy

      @Johnny Vegas

      through and through. But operations that support national security systems I firmly believe should not be based on a publicly based commercial product. The government should start with OpenBSD and build their systems on top of it. The idea that Windows PCs (or Mac, or Linux) are running a Nuclear reactor AND is somehow attached to the public internet is completely insane to me.

      If it was planted locally using espionage then that's somewhat better, but why would you want a system that other people knew how to code exploits for? Especially in that type of environment? It's insanity. The amount of money governments, ours and others, spend on their systems should more than cover these proprietary, in-house designs. And why it's connected to the 'net at some point is something I can't even fathom.
      LiquidLearner
      • RE: Stuxnet: Future of warfare? Or just lax security?

        @LiquidLearner

        I agree with you! 100%! Spot on!!!!


        Randy A. Stiles, Linux Advocate
        stilesalaska
  • RE: Stuxnet: Future of warfare? Or just lax security?

    Larry, patching a controls system, such as in this account, and a nuclear plant, involves an extreme amount of testing. It is not like an IT system, where if something goes wrong, you lose access to that system. With a controls system, or as an extension of them, their SCADA system, if something doesn't act as expected or causes some form of problem, you may end up with a system that will not allow you to shut it down, and end up with death on a mass scale. It may explode, or the response time may be delayed long enough that you could not get a safety in place before it was too late. There is definitely a need for better testing, but it is not as easy. The password being a default is one of the real factors here.
    ozynet@...
  • This is what you call lax security............

    This bloke has just had his email database published for all to see a la MediaDefender.

    http://www.zdnet.co.uk/news/security-threats/2010/09/27/privacy-group-takes-on-acslaw-over-porn-data-breach-40090288/
    Alan Smithie
  • ECM, ECCM on steroids

    The tactic goes back to the 50s and 60s with increasing levels of sophistication in jamming and countermeasures. A little encrypted multiplexing in missile systems overcame potential interference in controls in air defense systems in my time. The glorious Islamic Terrorist Republic is probably a little lean on military grade security measures. I expect most of it is on a "no sell" list. If they're running any standard OS on their infrastructure then, well...

    Dave Keys @davekeys
    davekeys
  • Why is it exposed to the Internet in the first place?

    It seems to me they are asking for trouble with an Internet connection. I know of many companies that don't allow it even in non-lethal situations.
    ron.cleaver@...
    • Deleted

      DOH!!!! Wrong spot.
      Hallowed are the Ori
    • USB memory sticks

      @ron.cleaver@... These systems are being infected by USB sticks, not internet connections. Far as I know....
      snberk341
      • RE: Stuxnet: Future of warfare? Or just lax security?

        @snberk341
        Re: USB stick virus transfer
        I spoke to a manufacturer of USB sticks in London, UK, at a trade show last week about why USB sticks do not, as I suggested, have physical write-protect switches on them to prevent virus transfer when used on many computers. He said words to the effect that there was no call for them...there is now, take note!
        ronangel
      • Maybe...

        @snberk341

        But why are you allowing USB flash drives on systems like this? Take the OS out of the equation... I would NOT allow that. If you had data that HAD to be transferred to the system that way then you could control the media itself, and make sure it's only used where it needed to be. The idea that someone brought a USB drive from home and infected a nuclear reactor is the very definition of reckless.
        LiquidLearner