'One of a kind' Stuxnet worm remains a serious mystery
Threat is real, but its origin and target are still unknown, Senate panel told
Industry and government security experts testifying Wednesday called the Stuxnet worm a wake-up call for critical infrastructure security because of its ability to manipulate control systems for physical industrial processes.
“Stuxnet is one of a kind,” said Sean McGurk, acting director of the Homeland Security Department’s National Cybersecurity and Communications Integration Center, which did some of the early analysis of the malicious code. “It is a game changer.” He spoke at a hearing before the Senate Homeland Security and Governmental Affairs Committee.
In the past, automated systems that control physical infrastructure or industrial processes have been breached by nontargeted threats that attack the information technology systems to which they are connected, said Michael J. Assante, CEO of the National Board of Information Security Examiners, a nonprofit certification group. But Stuxnet has taken the threat to a new level because it specifically targets control systems and has the ability to reprogram programmable logic controllers (PLCs) to change or interrupt physical processes.
These changes could be subtle, resulting in minor changes to a finished product, or they could destroy a system. The one bright spot in Stuxnet is that it is so sophisticated it is not likely to be a common threat.
“It is an incredibly large and complex threat,” said Dean Turner, director of Symantec’s Global Intelligence Network, which has studied the worm. “Only a select few groups are capable of creating such an attack.”
But its threat is real, and Symantec has identified 44,000 unique Stuxnet infections worldwide, 60 percent of them in Iran, where it is believed the infection started with a USB drive containing the code.
Stuxnet reveals vulnerabilities in industrial controls
Stuxnet was discovered in June, and DHS received its first sample of the code from the German CERT, which obtained it from a German manufacturer of control equipment that appears to be targeted by the worm.
“The device is ubiquitous,” McGurk said of the equipment. It is used around the world in agriculture, energy generation and distribution, water treatment and manufacturing.
Despite the analysis of the Stuxnet code, much still remains unknown about it, particularly who created it and what its target is. Because infections are concentrated in Iran and the worm seems to target a specific type of equipment used in that country’s nuclear enrichment plants, there has been speculation that Iran’s nuclear program was the target and that the worm was created by another country, possibly Israel or the United States.
But neither McGurk nor Turner would speculate about the worm’s target or its origin.
“Nothing in the code points to a specific point of origin,” McGurk said. It is assumed that the authors were well financed, but that does not necessarily mean it was a government project, he said. Organized cybercriminals also could have access to the money and resources needed to create the worm.
As for its target, “it would require an incredible amount of knowledge” to identify it, McGurk said.
Turner said the speculation about the authors, based on the apparent target, is just that – only speculation.
The hearing was called by committee chairman Sen. Joseph Lieberman (I-Conn.) and ranking Republican Sen. Susan Collins of Maine, who have co-sponsored a comprehensive cybersecurity bill now pending in the Senate. Industry representatives testifying Wednesday supported passage of the bill as part of an effort to create a more unified, risk-based approach to IT security across both the public and private sectors. The bill would give DHS’ National Center for Cybersecurity and Communications the lead in coordinating efforts between government and industry.
The Protecting Cyberspace as a National Asset Act, S. 3480, was passed out of the committee in June, but the full Senate has not taken action on it. The sitting 111th Congress could still take up the bill in the short time remaining before the 112th Congress is seated, which Collins urged it to do.
“I personally think it is an ideal issue for the lame-duck Congress to take up,” she said.
Lieberman expressed little hope that the bill would be passed by this Congress. “It’s unfortunate that the clock will run out on us before we have a chance to complete negotiations with other committees and with the administration, who I regret to say did not engage as early in the process of developing this legislation as was necessary,” he said.
Assante summed up a number of steps that industry believes are necessary to close the security gap in the physical critical infrastructure:
- Remove and remediate weaknesses, vulnerabilities and insecure designs in industrial control systems.
- Design and integrate security and forensic tools into control environments, while investing in people.
- Prioritize efforts based on consequences of directed and well-resourced attacks against high-risk segments of the critical infrastructure.
- Organize a well-funded, multi-year research & development program to design a more resilient infrastructure.
- Establish risk-based performance requirements that value learning and promote innovation. Legislation should include better defined federal authority to address specific and imminent cybersecurity threats to critical infrastructures with emergency measures.
- Require critical infrastructure asset owners and control system vendors to report industrial control system specific security incidents, and the government must provide up-to-date information to asset owners and operators.
- Invest in the workforce that defends and operates infrastructure systems.