A year of Stuxnet: Why is the new cyberweapon's warning being ignored?
Experts called Stuxnet a 'wake-up call' when it was identified as a cyberweapon. But even as hackers study it, there is scant evidence US utilities are bolstering their defenses against attack.
A cyberterrorist, foreign nation, or maybe just a hacktivist who wants all Internet information to be free, puts the lights out in a major American city with the click of a mouse button. For weeks.
That may sound like the stuff of a movie script, yet it is precisely the kind of nasty threat posed by Stuxnet, which one year ago emerged as the world's first publicly confirmed example of a digital guided missile. It was built to cross cyberspace, zero in on a real-world computer-controlled target – and physically destroy it.
Garden-variety computer viruses may steal your bank password, but Stuxnet is by design a military-grade cyberweapon – a computer “worm” built by an advanced cyberweapons state. It was designed to seek out and destroy Iran's nuclear-fuel refining centrifuges, and it wrecked at least 1,000 of them. But its implications go much further.
Hackers, cybercriminals, or rogue nations can now download Stuxnet off the Internet and reverse engineer it – using its tricks as a digital template for crafting malicious software attacks that wreck industrial infrastructure, cybersecurity experts say.
Inspired by Stuxnet's success, hackers are now known to be tinkering with Stuxnet code, say experts interviewed for this story. Iran also has Stuxnet now – as do other aspiring cyberweapons nations. Some experts call it a “Pandora's box” now loose on the Internet.
A year ago, US officials and cybersecurity experts dubbed Stuxnet a “game changer” and a “wake-up call.” Yet there is scant evidence today that the warning shot has been heeded – or that power plants, refineries, water treatment or chemical facilities in the US are leaping to bolster their defenses against a “son of Stuxnet” copycat attack, these experts say. Nor are the manufacturers of the software and hardware used in industrial control systems doing enough to make their systems less vulnerable, the experts say.
“Probably the best thing Stuxnet did was to raise awareness among senior executives at large companies and industrial control system vendors,” says Robert Huber, co-founder of Critical Intelligence, an Idaho Falls-based industrial control systems security firm. “But that awareness has not translated to a shift in dollars spent on security by control system software vendors or [electric] utilities. There’ve been no significant changes in how they operate.”
Among computer security experts in critical infrastructure industries in 14 counties, two-fifths reported they had found Stuxnet on their systems, according to a survey this spring by the Center for Strategic and International Studies (CSIS) and McAfee. Among those, nearly half in the electric industry – which had the highest occurrence of Stuxnet – reported having to take action against Stuxnet.
Despite this high penetration, those critical infrastructure companies did little to respond by adding security technology to detect and stop similar threats in the future. The discovery of Stuxnet on their systems “did not seem to galvanize companies to action,” the survey said. Fewer than 20 percent of US critical infrastructure companies even bothered conducting cybersecurity audits.
“A considerable percentage of those executives told us, basically – ‘So what?’ ” says James Lewis, director of the Technology and Public Policy Program at CSIS. “Some said they had things under control – or this type of threat was a national security problem for government – not them. Bottom line: these guys are reluctant to spend money on things that don’t generate a financial return. Cybersecurity doesn't make business sense.”
New cybersecurity standards for the electric utility industry are now in place. But loopholes allow US utilities to interpret the standards often as not applying to USB memory sticks, notes Joe Weiss, an industrial control systems security expert in a blog post. Yet infected USBs were exactly what Stuxnet's creator used to spread the attack to Iran's centrifuges, even though they were “air gapped” – separated from the Internet.
“Stuxnet-like threats will require asset owners, technology providers, and homeland security organizations to think more broadly about how [to] develop more flexible, skilled, and adaptive security programs,” says Michael Assante, former security chief of the North American Electric Reliability Corporation (NERC), which oversees grid reliability.
Even so, there are at least a few positive signs that Stuxnet has started to change how utility professionals think, he and others say. In corners of industry there's a “new appreciation for the types of consequences that Stuxnet introduced [that] is beginning to drive decisions about technology designs and practices,” he and others say.
For example, Schneider Electric, a big Paris-based manufacturer of industrial control systems hardware and software is taking steps, says Eric Byres, chief technology officer for Vancouver-based Byres Security.
“Schneider, and a few others, are definitely making a major push to create a security culture,” he says. “But other companies seem to be doing nothing. It's all over the map. Boeing and Exxon are moving aggressively. For others, it's business as usual.”
In a recent interview, Timothy Roxey, NERC’s director of critical infrastructure risk management and technology, says his group and the utility industry are keeping a watchful eye and taking steps to defend the US electric grid.
“Stuxnet, especially at the beginning, had everyone exceptionally concerned,” he says. As experts started to understand that Stuxnet was targeted at the Iranian centrifuges “a lot of the immediacy of the concern to the utility space kind of came off the table. It didn't mean that we at NERC were letting it off the hook, since we subsequently wrote an alert on it, but it did mean that we were apparently not the target.”
But there is also plenty of denial that Stuxnet represents a new threat.
Although Stuxnet infected tens of thousands of machines worldwide, its payload activated only when it found the particular system it was after. Yet according to the man who first identified Stuxnet as a weapon a year ago, industrial control systems expert Ralph Langner, the next Stuxnet-style attack might be closer to a “digital dirty bomb” that simply turns off any industrial machine it infects.
Stuxnet, he says, is a “Pandora's box” that provides ideas to hackers on how to build similar attacks.
Since Stuxnet appeared, the Industrial Control System – Computer Emergency Response Team (ICS-CERT), a division of the Department of Homeland Security, has issued a number of alerts. Yet Mr. Langner and others criticize it for being slow and incomplete in its analysis and dissemination of useful information on dealing with Stuxnet.
DHS officials, in interviews with the Monitor, have previously rebutted such criticism, saying it has done a lot – and can only do so much to protect US critical infrastructure when 85-90 percent of it is run by private industry.
Meanwhile, signs are growing that the hacker community is keenly interested in developing Stuxnet-like capabilities – and that far less discriminating cyberweapons than the original Stuxnet are not far behind. Terrorists and cybercrime groups meanwhile are waiting patiently to evaluate such weapons when they emerge, experts say.
“Right now people are playing with Stuxnet, seeing how it did what it did – and how might it affect control systems that run other civilian infrastructure,” says Stewart Baker, a Washington lawyer and cybersecurity expert who served in the Department of Homeland Security and the National Security Agency. “Free floating communities of amateur hackers who are working to deconstruct and democratize Stuxnet. They’re saying,: ‘Gee, this is cool. I could break the power grid.’ ”
Others agree. The rate at which industrial control system vulnerabilities are being discovered by researchers and added to the national database has more than doubled since Stuxnet appeared, says Mr. Huber, whose company tracks them. That intensified research into control system weaknesses usually translates within a short time into “exploits” – attack software designed to penetrate those known weaknesses.
“We’ve had signs that people were developing these things [industrial control systems attack software] for years,” Mr. Assante, the former electric grid security chief, said in an earlier interview. “What Stuxnet has done is to increase their confidence it can be done. Expect to see Stuxnet-type attacks in 2012.”
A year after Stuxnet demonstrated the capacity to wreck industrial equipment, NERC's Mr. Roxey says the utility industry is busy conducting followup webinars and embarking on a fresh examination of systems to see if Stuxnet has reemerged.
But not everyone is convinced that either government – or private industry – is doing enough.
“There has been some recognition of the threat – yet we still haven't made the mental adjustment on strategy, policies, and the many things we have to do to guard ourselves,” says Baker, the former DHS and NSA official. “We need to do a lot more – and sooner rather than later.”