Stuxnet renews power grid security concerns

First known SCADA malware program to target control systems prompts new questions about security of U.S. power grid

Last week's disclosure of a sophisticated malware program targeting control system software from Siemens AG has renewed long-standing concerns about whether the U.S power grid can withstand targeted cyberattacks.

The malware program, called Stuxnet, is designed to exploit a Windows Zero Day flaw to find and steal industrial data from Supervisory Control And Data Acquisition (SCADA) systems running Siemens' Simatic WinCC or PCS 7 software.

Stuxnet is the first publicly-known malicious software program written specifically to exploit vulnerabilities in a SCADA system.

"It could be a proof-of-concept to show control systems can be attacked" in a deliberate fashion, said Eric Knapp, director of critical infrastructure markets at NitroSecurity Inc. a Portsmouth, N.H.-based security vendor.

SCADA systems are used to control critical equipment at power companies, manufacturing facilities, water treatment plants and nuclear power operations. Typically, the systems run on segmented networks that are not directly connected to the Internet, making them external access difficult.

But analysts for long have warned that SCADA systems -- especially older ones -- have several exploitable vulnerabilities.

One example was demonstrated by researchers at the Idaho National Laboratory three years ago. In a dramatic experiment , codenamed Aurora, researchers there demonstrated how a hacker could simply use a dial-up modem to exploit a SCADA vulnerability that could physically destroy a massive power turbine.

The potential for such attacks has risen sharply in recent years as many SCADA systems, including those at some very large public power companies, are increasingly integrated with networks with direct links to the Internet. In a high-profile story last year, theWall Street Journal reported that cyberspies in Russia, China and other countries had already taken advantage of such vulnerabilities to deeply penetrate the U.S electrical grid.

The Stuxnet program appears to have been created for industrial theft more than anything else, Knapp said. However, he added, the Trojan could just as easily have been designed to sabotage a SCADA system. In fact, it is quite possible that the creators of the worm may have more tricks up their sleeve, he said

Ryan Permeh, manager of product security at McAfee, noted that the Stuxnet development effort was likely quite time-consuming, making the goal of the developers especially worrisome. In addition, he said that the malicious code was digitally signed using valid digital certificates, which allows Stuxnet to evade security software.

The digital certificates used in Stuxnet were originally issued to two companies based in Taiwan. Perme said the creators of Stuxnet had to either directly steal the certificates from the companies or purchase from someone else that had previously stolen the certificates. The cost for such certificates can reach as high as $500,000 in such an underground market, Permeh added.

Those behind Stuxnet also needed to have had a reasonable amount of knowledge about Siemens SCADA systems, he said.

The emergence of threats like Stuxnet drives home the need for more federal oversight of cybersecurity matters in the utilities sector, said Joseph Weiss, managing partner at Applied Control Solutions, LLC.

So far there have been at least 170 known cyber-related outages in the US, including three that caused widespread regional outages, Weiss said. It's hard to know with certainty whether any of the 170 outages stemmed from a targeted cyberattack because of the relative lack of forensics-gathering capabilities in the utility business, he added.

"There has been almost minimal progress on securing control systems," said Weiss, author of the book, Protecting Industrial Control Systems from Electronic Threats, that was published earlier this year. He said progress is slowed largely due to a lack of understanding of the specific challenges associated with securing industrial control systems against cyber-threats, he said.

Currently, all bulk power system owners and operators are required to comply with reliability and security standards mandated by the North American Electric Reliability Corp. (NERC), an independent regulatory organization. NERC's mandated controls are based on a risk management framework created by the federal government's National Institute of Standards and Technology (NIST).

That framework, Weiss said, that is designed more for commercial IT systems than for industrial control systems. As a result, many of the prescribed controls are inadequate and do not cover all SCADA systems, he said.

NERC's requirements, for instance, apply only to cyberassets that use routable protocols or are dial-up accessible. The rules do not address the large number of vulnerable SCADA systems that use non-routable protocols, Weiss said. Importantly, NERC's rules do not apply to power distributors or to operators of emerging smart-grids, he added.

"Hacking a control system does not take rocket science," Weiss said. "Protecting one does."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2010 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon