First true SCADA-specific malware detected

Back in 1999, when I ran then-governor Jeb Bush's statewide Y2K awareness and remediation effort, I first happened to learn about SCADA systems. What is SCADA, you ask? SCADA stands for Supervisory Control and Data Acquisition. SCADA systems are, in essence, remotely activated and remotely operated devices that perform specialized monitoring and control functions. SCADA systems are used, for example, to monitor, open and close freshwater pumps; operate wastewater pumping systems; perform routine functions in power plants; perform functions in manufacturing plants, refineries, and other facilities; and monitor the next-generation electric "smart grid" that is becoming so popular these days.


In short, SCADA systems have become a vital component of the nation's critical infrastructure, since so many SCADA functions deal with water, power, and heavy manufacturing processes. This, naturally, makes them an ideal target for terrorists and naughty nation-states.

The first SCADA devices were radio-controlled, which minimized but did not eliminate their vulnerabilities. Back during Y2K remediation, we worried that the "embedded systems" within those SCADA devices would fail come 1/1/2000. They did not, which was a decidedly good thing.

But today's SCADA systems are almost all connected to some version of an internet, whether it be a private, sealed IP network or the greater Internet itself.

From Wikipedia:

SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source. How security will affect legacy SCADA and new deployments remains to be seen.

Now, taking over a single SCADA device or two is not necessarily a problem. But if an attacker were to gain access to the servers controlling SCADA systems -- now that's an appealing target. And Israeli security company C4 was able to do just that, in 2008. In fact, the company has a PowerPoint slideshow available for download at SCADA Security - "Generic Electric Grid Malware Design".

That "smart grid" meter your local utility just installed in place of your old-fashioned meter is not secure. Sure, there is a "firewall of inconvenience," but not true, bulletproof security. A determined hacker can infiltrate and disrupt such systems. Of course, the first thing one thinks of when it comes to hacking a smart meter is resetting it or making it report less electricity than is actually being consumed. But other, nefarious schemes will abound.

Back to the topic at hand, namely this first SCADA-specific virus, called W32.Stuxnet. It is engineered to spread via removable media such as USB drives, but it can also spread over local network shares. It is designed to interrogate these SCADA systems and extract information from them. It targets Windows-based hosts, of course, by exploiting a flaw in how Windows handles .lnk shortcut files. And so far, it is specific to Siemens SCADA systems. CNET has a nice description of the virus and it can be found here.
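As an added example (not code from the original post, CNET, or Siemens), here is a small Python triage script a defender could run against a mounted removable drive: it validates each .lnk file's fixed ShellLinkHeader per the MS-SHLLINK layout, decodes the LinkFlags, and queues for analyst review any shortcut that describes its target only through a shell item-ID list and carries no plain file path. The needs_review heuristic, the make_header helper and the sample headers are assumptions of this example.

```python
import struct
from pathlib import Path

# ShellLinkHeader constants from MS-SHLLINK: a fixed 76-byte header and the
# Shell Link CLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that announce which optional structures follow the header.
FLAGS = {
    0x01: "HasLinkTargetIDList",
    0x02: "HasLinkInfo",
    0x04: "HasName",
    0x08: "HasRelativePath",
    0x10: "HasWorkingDir",
    0x20: "HasArguments",
    0x40: "HasIconLocation",
}

def parse_header(data: bytes) -> dict:
    """Validate the fixed ShellLinkHeader and decode its LinkFlags."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    names = [name for bit, name in FLAGS.items() if link_flags & bit]
    return {"link_flags": link_flags, "flags": names}

def needs_review(info: dict) -> bool:
    """Triage heuristic (an assumption of this example, not a signature): a
    shortcut with a target ID list but neither LinkInfo nor a RelativePath
    gives the analyst no plain file path to inspect, so it goes to review."""
    flags = set(info["flags"])
    return "HasLinkTargetIDList" in flags and not ({"HasLinkInfo", "HasRelativePath"} & flags)

def triage_directory(root: str) -> list[tuple[str, str]]:
    """Walk a mounted drive and classify every .lnk file found under it."""
    results = []
    for path in Path(root).rglob("*.lnk"):
        try:
            info = parse_header(path.read_bytes())
        except ValueError as err:
            results.append((str(path), f"malformed: {err}"))
            continue
        results.append((str(path), "review" if needs_review(info) else "ok"))
    return results

def make_header(link_flags: int, clsid: bytes = LINK_CLSID) -> bytes:
    """Constructed sample: a bare 76-byte header with the given LinkFlags."""
    return struct.pack("<I16sI", HEADER_SIZE, clsid, link_flags) + b"\x00" * (HEADER_SIZE - 24)
```

Shortcuts to virtual folders such as the Control Panel also lack a file path, so "review" is a triage queue for an analyst, not a verdict.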

This should serve (but of course, it won't) as a major wake-up call to the entire industry that manufactures and supports the hardware and software for SCADA systems. We need better SCADA security and we need it yesterday.
