This past weekend Iranian authorities reported that the Stuxnet worm, one of the most sophisticated malware programs ever written, had infected thousands of PCs that manage large-scale industrial control systems in manufacturing and utility companies.
These control systems, called SCADA, for “supervisory control and data acquisition,” operate everything from power plants and factory machinery to oil pipelines and military installations.
While no one has been blamed for the attack, it is rumored to have been a focused attempt to disrupt Iran’s nuclear facilities. The destructive Stuxnet worm has surprised experts because it is the first one specifically created to take over industrial control systems, rather than merely to steal or manipulate data.
Alan Bentley, senior international vice president at security firm Lumension, said Stuxnet is “the most refined piece of malware ever discovered”, and that the worm was significant because “mischief or financial reward wasn’t its purpose, it was aimed right at the heart of a critical infrastructure”.
Stuxnet works by exploiting previously unknown security holes in Microsoft’s Windows operating system. It then seeks out a component called Simatic WinCC, manufactured by Siemens, which controls critical factory operations. The malware even uses a stolen cryptographic key belonging to the Taiwanese semiconductor manufacturer Realtek to validate itself on high-security factory systems.
The worm then takes over the computer running the factory process – which, in the case of WinCC, is a “mission-critical” system that has to keep functioning under any circumstances – and “blocks” it for up to a tenth of a second. For high-speed systems, such as the centrifuges Iran uses for nuclear fuel processing, that could be disastrous, experts suggested.
Graham Cluley, senior consultant with the security company Sophos, stated that Siemens has “astonishingly” advised power plants and manufacturing facilities not to change the default password that grants access to the system’s functions, despite its being exploited by Stuxnet and having been “public knowledge on the web for years”.
The United States is also tracking the worm, and the Department of Homeland Security is building specialized teams that can respond quickly to cyber emergencies at industrial facilities across the country.