While official U.S. response has been comparatively mild, the European Union's cybersecurity agency says Stuxnet represents a "paradigm shift" in critical infrastructure threats and that current defense philosophies need to be reconsidered.
In a statement released yesterday, Udo Helmbrecht, the executive director of ENISA (European Network and Information Security Agency), said that as a "new class and dimension of malware," Stuxnet represents a "paradigm shift."
"The attackers have invested a substantial amount of time and money to build such a complex attack tool," he said. "The fact that perpetrators activated such an attack tool can be considered as the 'first strike,' i.e. one of the first organized, well prepared attacks against major industrial resources. This has tremendous effect on how to protect national" infrastructure in the future.
"After Stuxnet, the currently prevailing philosophies on CIIP (Critical Information Infrastructure Protection) will have to be reconsidered," Helmbrecht continued. "They should be developed to withstand these new types of sophisticated attack methods."
And he warned of problems in the future. "Now that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks," he said.
Stuxnet is indeed a marvel of modern malware creation. It spreads via USB devices, four zero-day Windows vulnerabilities (two have been recently patched), and an older one that was previously patched. Like typical malware, it reports the name and Internet Protocol address of the victim computer back to command-and-control servers on the Internet and can be updated via peer-to-peer networks. It uses two stolen and forged digital certificates for authentication and targets specific Siemens Simatic software that is used to create programs used in industrial control and critical infrastructure environments like utilities. It hides code in a rootkit on infected systems and exploits knowledge of a database server password hardcoded into the Siemens software. Stuxnet also uploads an encrypted program and modifies code on the Siemens programmable logic controllers (PLCs) that are used to control automation and operations at target environments. The malware is designed to use Windows computers to spread, but saves its payload for the computers running the Siemens-based systems that are connected to the machinery in plants.
U.S. response more tepid
Despite the sophistication of Stuxnet and the fact that it is aimed at critical infrastructure, U.S. cybersecurity officials seem to be treating it like any ordinary malware, an industry watcher told CNET and experts complained to The Christian Science Monitor.
Through US-CERT (Computer Emergency Readiness Team), the Department of Homeland Security issues advisories and alerts about computer vulnerabilities and attacks. Searches for "Stuxnet" and for "Siemens Simatic" revealed a handful of warnings, with the earliest dating back to July when Stuxnet was first publicized. These include updates to prior advisories as more was learned in mid-August about the PLC code injection aspect of the malware, which meant it was not just for espionage but could be used for sabotage.
"The question is where the heck is DHS?" Joe Weiss, a critical infrastructure security expert, said in an interview with CNET today. "There is no real guidance being given. There is nothing going out to the utilities or other end users talking about the actual compromise of the controller itself" and how to detect and remove the malware from infected PLCs.
U.S. officials seem oddly disinterested in something that other countries appear to be taking extremely seriously--the first malware known to specifically target critical infrastructure, Weiss suggested. As an example, he said the acting director of control systems for the DHS gave a talk two weeks ago at the Applied Control Solutions' Industrial Control Cyber Security conference run by Weiss and didn't mention Stuxnet.
Stuxnet was the talk of the conference after German researcher Ralph Langner discussed his theory at the event that the malware was written to target a nuclear plant in Iran. Since then, Symantec has released information about words and numbers discovered in the Stuxnet code that could be interpreted as referring to Jewish biblical incidents or people. The fact that most of the infections were in Iran--along with the complexity of the code, some anecdotal events related to a report of an accident at an Iranian nuclear plant, the delay of another plant there, the resignation of the country's atomic energy agency, and the possible biblical clues--have led to speculation that Israel, or even the United States is behind the creation of the malware. However, there is no public evidence related to the origin or motivation behind Stuxnet.
In an interview with CNET today, Sean McGurk, director for DHS' national cybersecurity communications and integration center, dismissed criticism that the agency is not providing adequate information about the threat.
"We have been working with sectors impacted (by Stuxnet) to develop mitigation strategies," he said, adding that the work has been challenging because measures that need to be taken will be different depending on whether the environment is a chemical plant or a commercial manufacturing plant, for instance.
Of the 15 industrial control facilities that Siemens reported being affected by Stuxnet, none were identified as being in the U.S. and none of the industry partners in the U.S. have reported any impacts of the malware, McGurk said.
McGurk declined to comment on who might be behind the creation of Stuxnet, saying "we leave that to law enforcement and intelligence communities." (The Christian Science Monitor article reports on speculation that the U.S. government's lack of interest in providing information on Stuxnet could be a sign that officials aren't eager to divulge information that could help Iran's nuclear agency clean up its computer networks.)
Asked if the U.S. was considering changing any strategies or philosophies for critical infrastructure protection as a result of Stuxnet, McGurk talked about what the agency does now in response to threats and did not mention any specific modification or addition to existing procedures and policy.
"We take an all-hazards approach for reducing risk, so we're not just chasing the next malcode released by the bad guys," he said. "We weigh the impacts and consequences (on multiple industries) and focus not on trying to fix Stuxnet, but on building resiliency in the systems."
Meanwhile, an executive at the North American Electric Reliability Corp. (NERC) says Stuxnet points to the need for software to be more securely designed and built.
"We're still seeing products that come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time," NERC Chief Security Officer Mark Weatherford is quoted as saying in an article on SearchSecurity.com this week. "This is not an indictment on [the] control system industry; it's an indictment on the IT business in general." (NERC created a "Malware Tiger Team" in July to coordinate the accuracy and delivery of information distributed to the critical infrastructure facilities, according to the article.)
McGurk disagreed with Weatherford's assessment about the prevalence of buggy software, and said that software vendors were doing a good job of balancing security and functionality trade-offs.
"I would say that most systems are designed for ease-of-use and interoperability and, subsequently, malicious actors are exploiting those capabilities," he said. "They were applying very good security practices...but it's a constantly evolving process."