Stuxnet – the prototype cyber weapon?

Hailed as the most sophisticated malware ever found, Stuxnet is widely seen as a prototype cyber weapon, pushing the concept of cyber warfare into the realm of the possible.

Hailed as the most sophisticated malware ever found, Stuxnet is widely seen as a prototype cyber weapon, pushing the concept of cyber warfare into the realm of the possible.

The highly complex Stuxnet code is aimed at infecting and reprogramming industrial control (Scada) systems using multiple techniques and components, including four zero-day exploits, anti-virus evasion techniques, valid digital certificates, and various propagation and update methods.

As worrying as that is, most business IT security managers have dismissed Stuxnet as something that has no relevance to them.

Stuxnet has sparked much speculation, but its origin and purpose are still unknown.

What is clear to many IT security and cyber defence experts is that Stuxnet proves malware can cross the line into the physical world to cause chaos and damage by disrupting critical infrastructure such as electrical power grids, water piplelines, and financial trading systems. 

What has Stuxnet got to do with business IT security managers?

John Colley, managing director, EMEA of ISC2, believes Stuxnet contributed to the National Security Council declaring cyber attacks a high-priority risk for the UK, and says corporations also need to respond.

Not only do many private corporations form part of the UK’s critical national infrastructure, responsible for services such as water, gas and electricity supplies, but an increasing number of ordinary businesses use industrial control systems, says Colley.

Most modern buildings use industrial control systems for air conditioning, lighting, lift and CCTV systems, so the capabilities demonstrated by Stuxnet are directly relevant to the people responsible for IT security in their organisations.

At the ISSE 2010 security conference in Berlin, German minister of the interior Thomas de Maizire said Stuxnet marked a watershed in IT security management, and Raj Samani of ISSA UK believes Stuxnet may have changed the way malware and security are viewed.

For IT security managers, this has several implications Ð to start with, including all control systems in their remit and treating them as they would any other IT system in the organisation.

Because Stuxnet is a volatile worm, infecting a system via a mountable drive and seeking connections to Siemens Simatic automation systems, IT security professionals must be concerned about the dangers it poses, says Mikko Hyppšnen, chief research officer at F-Secure.

“Stuxnet makes complex modifications to the infected system,” he says. “By taking control of the factory environment, the worm can run equipment and adjust settings, for example in motors, conveyor belts and pumps. In extreme circumstances, it could even cause complete failure or explosions.”

Last year, Siemens announced that its Simatic automation systems could control alarm systems, access controls and doors. Consequently, says Hyppšnen, Stuxnet could be used to gain access to top-secret locations, which should alert any security professional.

“These threats prove Stuxnet is very relevant to them in their day-to-day lives,” he says. “Heads of IT need to equip employees with the latest defences and train them in the use of IT security.”

And because Stuxnet is spread via mountable drives, every time an employee uses a USB stick, they are could be putting the entire system at risk, says Hyppšnen.

According to a survey published by security firm Avast Software, just over 13% of 700,000 recorded attacks monitored by the company in the last week of October came through USB devices, which are not confined to memory sticks, but can include devices such as cameras.

“In a work environment, staff will often bring their own USB memory sticks to move files around,” says Jan Sirmer, analyst at Avast Virus Lab. “This can bypass gateway malware scanners and leave the responsibility for stopping malware to anti-virus software on the local machines.”

Read more on IT risk management