Reliable Security Information

Cyber Attack: Stuxnet Worm

During the past week there has been much speculation about a cyber attack in the form of the Stuxnet worm. It is remarkable for a number of reasons. It is the first known worm to target exclusively the industrial control systems used in factories, power plants, chemical facilities, and other large systems. In the most dramatic scenario, the worm could give hackers control of a power plant, allowing them to blackmail its owners or cause a catastrophic failure. Since I haven't read about any power plants exploding or dams bursting, I assume Stuxnet was not used for the nightmare scenario. Only the attacker knows what it wanted to achieve and whether it did.

Second, the worm is very sophisticated. While some are speculating that a worm this sophisticated must be the product of a government, Symantec estimates that fewer than ten people working for six months could produce it. Attribution in a cyber attack is extremely difficult, so the origins may never be known. It could have been a cyber militia acting in the interest of a state or a hacker group raising awareness of SCADA vulnerabilities. I can't comment on the level required to code such a worm, but I would just point out that governments and intelligence services are not the source of technological innovation today. Cyber expertise resides in commercial entities or organized criminal enterprises.

Third, the worm is not new. In contrast to the media interest of the last week, the worm was first publicly discussed in June by a Belarus-based company, and in July the US government Cyber Emergency Response Team issued an advisory. Forensic analysis suggests that it was developed in 2009, which should dispel rumors that the worm was released to retaliate against President Ahmadinejad's comments at the United Nations.

At this point, it appears that the preponderance of infections is in Iran, which has fueled speculation that Stuxnet must have been designed to target its nuclear facilities (this ignores that in July, the preponderance was in India). It is unlikely that definitive proof will be uncovered to support this guess, but a more interesting part of the story for me is the 40 percent of infections that occurred outside of Iran. Simply put, a cyber attack that exploits vulnerabilities in Microsoft Windows and Siemens industrial control systems (as Stuxnet did) dramatically increases the likelihood of fratricide, because the same vulnerable products are deployed far beyond the intended target. If a future war were to include a Stuxnet-like attack, a level of care resembling that required for a biological device would have to be exercised.

Stuxnet is likely to be the most studied worm in cyber history, so much is to be learned, from both a technical perspective and a national security perspective, over the next several months. It does, however, represent another call to action to improve cybersecurity, and a balance must be found between technical security and human behavior (the worm likely spread by USB flash drive). If a non-state actor (state-sponsored or not) is implicated, then Stuxnet represents one of the many non-state challenges that can bring the world's governments together.
