Absio Blog

Vulnerability of industrial infrastructure to cyber attack

Jun 13, 2012

Stuxnet, which was first reported in mid-June (2010) by VirusBlokAda, a little-known security firm based in Belarus, gained notoriety a month later when Microsoft confirmed that the worm was actively targeting Windows PCs that managed large-scale industrial-control systems in manufacturing and utility firms.

Those control systems are often referred to using the acronym SCADA, for "supervisory control and data acquisition." They run everything from power plants and factory machinery to oil pipelines and military installations.

The damage that Stuxnet did came from gaining control of the SCADA devices and having them issue instructions to the machinery they controlled that would damage that machinery. In this case the targets were centrifuges and related equipment used by the Iranians to enrich uranium for their nuclear program. The sophistication of the software led to speculation that the worm was not the work of ordinary hackers.

The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.

Recently a NY Times article quoted sources in the Obama administration as confirming that the worm was a joint US effort with Israel.

From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.

Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

The worm may have been a very high-level type of malware, but that level of sophistication is not necessarily required to do considerable damage to machinery and infrastructure run by these industrial control systems. Much of the expertise went into concealing the fact that the worm was doing its nefarious work. If the goal is simply to disable or disrupt these systems, much simpler attacks could be very effective. Even worse, there are versions of the Stuxnet code available on the internet, which has many people concerned, including the Department of Homeland Security.

At a hearing Tuesday before a subcommittee of the US House of Representatives Committee on Energy and Commerce, DHS officials said they are worried the wealth of technical details and code samples from Stuxnet could lead to clones that similarly target critical infrastructure in the US.

One of the reasons these types of controls are so vulnerable is that they were never designed to be connected to the public internet, or in many cases to be networked at all. For many of these devices the expectation was that a technician would physically approach the control and enter or export data, thus providing an air gap between the machinery being controlled and the outside world. But as technology has progressed, and as companies and governments have looked for ways to operate more efficiently, these devices have been connected to corporate and government networks and even to the public internet.

This opens attack vectors never contemplated by the designers, and if a hacker or bad actor can gain access to these devices they can wreak all kinds of havoc. Imagine setting turbines to spin at unsafe speeds, opening (or closing) all of the gates on a dam or lock system, or allowing the release of toxic chemicals, and you have an idea of the dangers we face.

Normal information security procedures can safeguard against many types of attacks, but there is a huge difference between getting your website shut down for a few hours by a DDoS attack and an industrial catastrophe that could kill large numbers of people. There are plenty of priorities that need to be addressed in our cyber defenses; attacks against the systems and infrastructure that run our country need to be near the top of the list.

I recently discussed this issue with Frank Gaffney on his radio show.

JH