Notes from the Consultant's Jungle

In my classes at the university, I sometimes give students a project to create a malware pet shop or malware zoo.¬† The purpose is to make the students more aware of the “biodiversity” that really exists out there in the malware world.¬† We also often talk about the increasing use of malware and other network-based attacks by governments against other governments or industries within a country.¬† Then of course there is the extension of that in the form of cyber terrorism.

Over the past few weeks there has been a lot of press for the Stuxnet (Trojan) worm.¬† What is interesting to share with you about this malware du jour is that rather than targeting personal information or productivity on a person’s PC, this critter is designed specifically to target control systems commonly used in manufacturing plants and other industrial facilities including critical public utility infrastructure.

Stuxnet exploits a previously undisclosed vulnerability in Windows to access management software for Siemens SCADA (Supervisory Control and Data Acquisition) systems that are commonly found in manufacturing, industrial, and utility systems.¬† These types of systems are typically not connected to the Internet, but the malware travels by USB device (e.g., a thumb drive).¬† Once the malware discovers the Siemens application software, it copies project files to an external web site.¬† Other actions are not yet reported, but it’s clear that with access to key control systems, serious disruption could be accomplished even beyond theft of manufacturing process information.¬† Stuxnet has the ability to upload code to programmable logic controllers (PLCs) in SCADA systems.¬† The PLCs determine how industrial systems operate.

Microsoft has published a security advisory, explaining how to diminish chances the worm will spread on local networks, once infected.  Changes to the Siemens software appear to be more complex though, to prevent the worm as currently crafted, from infecting systems without disrupting operations on a wider scale.

So where did this Stuxnet malware come from?

Aside from the detailed knowledge of how Siemens control systems are architected, the level of sophistication leads some to believe that this was truly created by a nation-state.  Who could that have been?

Iran has been hit the hardest so far, along with India and Indonesia.¬† It’s difficult to know if any of these countries were targets or if they happened to be infected because of the traffic of engineers between those countries.¬† Other Middle Eastern and Southeast Asian countries also experienced attacks, but so did Ecuador and the United States.

At any rate, the interesting point here is that we have an example of malware that can truly be used as a weapon to disrupt critical infrastructure for public safety as well as industry and economy.¬† Furthermore, the attack vector need not involve the public Internet.¬† In the US, President Obama has recognized the investment deficit in cyber security and has announced what is called a Comprehensive National Cybersecurity Initiative.¬†¬†¬† It’s long been known that the US has fallen behind countries like Russian and China in the areas of cyber warfare and cyber security.

We have entered a new era in information system security.