Stuxnet-clones easily created

Published 25 October 2011

Concerns grow over the release of Stuxnet clones // Source: secfence.com

With the release of the Stuxnet worm, the first piece of malicious code to cause physical damage, a whole new frontier of cyberattacks has been opened and imitators have been able to create Stuxnet-like clones with alarming ease.

The worm specifically targeted specialized software called supervisory control and data acquisition (SCADA) systems that controlled core processes at Iran’s Bushehr nuclear facility and forced centrifuges there to spin out of control.

Initial reports regarding Stuxnet suggested that the code was developed by elite computer experts with the help of state support and highly secretive military intelligence, but security experts working in a laboratory setting have been able to recreate key elements of the worm in a short time frame with limited resources.

For instance, in just two months and with $20,000 in equipment, Dillon Beresford, an independent cybersecurity researcher at NSS Labs, was able to find more than a dozen vulnerabilities in the same type of electronic controllers exploited by Stuxnet in Iran. With the vulnerabilities that he found, Beresford was able to remotely commandeer an industrial control system’s devices and reprogram them.

“What all this is saying is you don’t have to be a nation-state to do this stuff. That’s very scary,” said Joe Weiss, an industrial control system expert. “There’s a perception barrier, and I think Dillon crashed that barrier.”

Meanwhile, Ralph Langner, a German control system security consultant and an expert on Stuxnet, developed a Stuxnet copycat in just four lines of code. Langner calls the code a “time bomb” and describes it as the most basic imitation attack that a malicious actor could create.

“As low-level as these results may be, they will spread through the hacker community and will attract others who continue digging,” he said.

In another test, Mocana Corp., a cybersecurity firm, was hired by a power utility in southern California to test the controllers used in its substations. In one day, Mocana was able to find multiple vulnerabilities that would allow hackers to control any piece of equipment connected to the controllers.

“We’ve never looked at a device like this before, and we were able to find this in the first day,” said Kurt Stammberger, Mocana’s vice president. “These were big, major problems, and problems frankly that have been known about for at least a year and a half, but the utility had no clue.”

According to Siemens AG, one of the world’s largest manufacturers of industrial control systems and the maker of the system hit by Stuxnet, security vulnerabilities primarily affect older industrial control systems, but even those are heavily protected with passwords and other security measures that critical infrastructure should have in place.

In addition, the company said that it had patched vulnerabilities in its software and that it was working with the DHS Computer Emergency Response Team (CERT) to defend against future threats.

Siemens is not the only company with vulnerabilities in its control systems; security gaps appear to be an industry-wide problem, as the system tested by Mocana was not manufactured by Siemens.

Fixing these security gaps could prove to be a significant challenge to industry, as control systems are designed to be in place for decades, making replacing or updating them a difficult task. In addition, the more research is published, the more likely attacks become. Finally, to secure older units, critical infrastructure operators would likely be forced to install new equipment, a decision companies strongly avoid because it would force them to shut down their operations.

“The situation is not at all as bad as it was five to six years ago, but there’s much that remains to be done,” said Ulf Lindqvist, an expert on industrial control systems with SRI International. “We need to be as innovative and organized on the good-guy side as the bad guys can be.”