The Stuxnet worm, malware discovered in June 2010 that specifically targets supervisory control and data acquisition (SCADA) systems, has spread rapidly. The Stuxnet worm is also believed to have targeted Iran's nuclear facilities. In India, the situation is alarming: Manu Zacharia, the director of information security at Millennium IT Consultants Private Limited, claims it is the second most susceptible country to the Stuxnet worm attack. “On average, a thousand systems are getting infected every day,” says Zacharia.
As of now, only the Siemens SCADA systems (S7-400 PLC and SIMATIC WinCC) have been found vulnerable to the Stuxnet worm. However, Neelabh Rai, consultant for information security at Pyramid Cyber Security and Forensic Private Limited, fears that Stuxnet may be a major security threat for India, since most of the industrial control systems in the country that run manufacturing plants, power generation and distribution plants, refineries, water treatment plants, and oil and gas plants use Siemens’ SCADA systems.
SCADA systems are not usually connected to the Internet, but the Stuxnet worm can spread via infected memory sticks plugged into a computer’s USB port. The malware also exploits four zero-day vulnerabilities in Microsoft Windows. While the Stuxnet threat may be increasing, awareness of it among enterprises in the utility sector is limited.
K K Mookhey, the principal consultant at NII Consulting, explains, “Indian enterprises believe that as the SCADA systems are obscure, no one would be able to figure out how to attack them; thus, the security controls are devised on this faulty assessment.” The security of SCADA systems needs to be treated with as much priority as that of traditional TCP/IP networks. Zacharia also refers to these low awareness levels and points out that although Microsoft has released patches for the vulnerabilities that the Stuxnet worm targets, not all Indian enterprises may have applied them.
Security issues with SCADA systems
According to Mookhey, it is quite common to find a network bridge between the SCADA network and the corporate (TCP/IP) network, which is typically used to extract data for producing reports. This creates scenarios where the SCADA networks are no longer completely isolated. He further explains that the Stuxnet worm first targets Windows to gain access to the SCADA system (which relies on traditional Sun Microsystems or IBM servers). If these servers are not properly hardened, attackers can exploit them to reach the SCADA system.
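To make the bridging problem Mookhey describes concrete, the following added example (it is not from the article or from any of the consultants quoted) audits a host inventory for dual-homed machines that sit in both the corporate and the SCADA address range, and then checks flow records for traffic that crosses between the two zones outside an explicit allowlist for the reporting path. The address ranges, hostnames, flow-log format and allowlist are all constructed assumptions for the example.

```python
"""Find IT/OT bridging hosts and unexpected cross-zone flows.

Added defensive example; the zones, inventory, flow log and allowlist
below are constructed sample data, not from any real site.
"""
import ipaddress

# Assumed address plan: corporate (TCP/IP) network and SCADA network.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "scada": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed host inventory: hostname -> addresses on each interface.
INVENTORY = {
    "hist-01": ["10.10.4.20", "192.168.50.5"],     # dual-homed historian
    "eng-ws-02": ["192.168.50.12"],                 # engineering workstation
    "fileserver": ["10.10.2.7"],                    # corporate file server
    "report-srv": ["10.10.7.3", "192.168.50.40"],   # dual-homed report server
}


def zone_of(addr):
    """Return the zone name an address belongs to, or 'other'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "other"


def find_bridging_hosts(inventory):
    """Hosts with an interface in both the corporate and the SCADA zone."""
    bridges = []
    for host, addrs in inventory.items():
        zones = {zone_of(a) for a in addrs}
        if {"corporate", "scada"} <= zones:
            bridges.append(host)
    return sorted(bridges)


# Constructed flow records: timestamp src dst proto dport
FLOW_LOG = """\
2010-10-01T08:00:01Z 10.10.3.15 192.168.50.40 tcp 1433
2010-10-01T08:00:05Z 192.168.50.12 10.10.2.7 tcp 445
2010-10-01T08:01:10Z 10.10.2.7 192.168.50.12 tcp 3389
2010-10-01T08:02:00Z 10.10.2.7 10.10.4.20 tcp 80
"""

# Assumed allowlist: the one sanctioned reporting path (src, dst, dport).
ALLOWED_CROSSINGS = {("10.10.3.15", "192.168.50.40", 1433)}


def parse_flows(text):
    """Parse the simple whitespace-separated flow format used above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((ts, src, dst, proto, int(dport)))
    return flows


def cross_zone_flows(flows, allowed):
    """Return flows that cross between zones and are not on the allowlist.

    Flows within one zone, or involving an unclassified address, are ignored.
    """
    findings = []
    for ts, src, dst, proto, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or "other" in (sz, dz):
            continue
        if (src, dst, dport) in allowed:
            continue
        findings.append((ts, src, dst, dport, f"{sz}->{dz}"))
    return findings


if __name__ == "__main__":
    for host in find_bridging_hosts(INVENTORY):
        print(f"bridging host: {host}")
    for ts, src, dst, dport, direction in cross_zone_flows(
        parse_flows(FLOW_LOG), ALLOWED_CROSSINGS
    ):
        print(f"{ts} {direction} {src} -> {dst}:{dport} not allowlisted")
```

Run against a real inventory export and a flow or firewall log, the two checks give a defender the list of hosts that physically undo the isolation and the connections that actually use it; anything outside the sanctioned reporting path is a candidate for removal or for a firewalled, one-way data export.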
SCADA systems run large-scale businesses. Hence, no test environments are available for enterprises to harden the network. Even where such test environments exist, they differ from the production system. Thus, no company is concerned about testing the system supplied by the vendor, which keeps running on its default configuration. This increases the risk from security threats like the Stuxnet worm.
Stuxnet worm: A cyber weapon against India?
The Stuxnet worm is being described as the most sophisticated malware ever written and is being touted as a fearsome prototype of a cyber weapon that targets critical infrastructure. The sophistication of the malware clearly indicates it is the work of a well-financed team or government-funded agency. Could the Stuxnet worm have been created by another government or agency to attack Indian SCADA systems? Consultants believe that the possibility cannot be ruled out. A cyber-warfare attack on the infrastructure of the country, disrupting power, public utilities, traffic, and other computer-controlled systems, no longer exists only in science fiction.
It is suspected that the Stuxnet worm has struck the Indian Space Research Organization’s INSAT-4B Satellite, which also uses Siemens S7-400 PLC and SIMATIC WinCC. So, is India ready to enter the age of cyber warfare? “Few organizations in India keep an eye on these activities and are preparing themselves to handle such attacks,” claims Zacharia.
Today, every state has a CERT-In representative, and information flows continuously between the central and state entities. However, the extent to which these guidelines are implemented at the end level is debatable. Rai believes that independent cyber security researchers should be encouraged to take up such causes, as it is not possible to rely completely on CERT-In.