
Stuxnet: The Future of Malware (is now)

"Careful. We don't want to learn from this." -Bill Watterson

Unless you've been living under a rock the past few months, you've undoubtedly heard something about the Stuxnet worm. It's actually quite remarkable how much "information" is available with so little publicly known. As per usual, there's not much balance between inflammatory FUD and the pragmatic realities of the situation. The sad truth is that control systems like the one targeted are now often Internet-accessible, but have not been adequately secured in the least. While Stuxnet certainly leveraged 0-day vulnerabilities, it also relied on less-than-0-day attacks and took full advantage of really lousy security practices that allowed things like outside USB drives to be connected to control systems. Oops.

Background

Rather than spend a ton of time trying to tell the whole story, I think it's better to point to a couple references and then discuss what I view as the real implications. For decent summaries of the worm, check out:
* Wikipedia: Stuxnet
* Schneier on Stuxnet

In addition to these summaries, the Smart Grid Security Blog has also been tracking the event, with a series of excellent posts that provide more thorough coverage of the topic:
* Stuxnet marks the Emergence of Real-World SCADA Security Challenges
* SGSB Stuxnet Update
* Stuxnet Update III: Death to USB Thumb Drives
* (Updated) Stuxnet Update IV: Targeted OT Attacks Risk Collateral Damage
* Stuxnet Update V: Surviving Stuxnet and its Offspring
* Utilities could shoot to Roll with Stuxnet Junior's Punch - an SGSB Reader Chimes In
* Beating Stuxnet to Death (Before it Beats Us)

So What?

There are some interesting aspects to this worm that differentiate it from past attacks. In many ways, it seems to represent a public proof-of-concept that demonstrates what a weaponized malware threat might look like. Given adequate time and resources, a highly-motivated, highly-skilled, and well-funded adversary can essentially assert complete and total control over critical infrastructure today.

Perhaps the most sobering part of this new reality is that very little has yet changed. We don't really see any changes with Smart Grid vendors to fix their products, and many of the control system vendors have simply shrugged and said "patch your systems." Not exactly what I'd call a resounding wake-up call. Of course, none of this is particularly new or earth-shattering. The only thing that is really interesting seems to be the degree of apathy organizations are willing to display in the face of what is, by all accounts, a very credible and serious threat.

Ironically, as bad as this all is - and it is bad - it doesn't even begin to scratch the surface of the problem. Mike Ahmadi at GraniteKey was interviewed in August after a Smart Grid Security Summit about the reality of these challenges. He makes some good points including noting that "...despite what anyone may tell you, security is about economics. Ultimately the biggest driver for any organization to secure anything is to prevent getting hit in the pocketbook." Until the economic disparities can be addressed, there's little impetus for change.

Making things even worse is that there is a hard push toward Smart Grid, regardless of the underlying problems. Andy Bochman discusses this topic in his post "Security isn’t the Biggest Threat to the Smart Grid" over on The Smart Grid Security Blog. On top of it all, even when the vendors try to implement some security measures, such as encryption, they end up creating more hassles by cutting corners or simply not understanding how to perform basic activities like managing the underlying PKI (see Jim Tiller's post "Smart Grid PKI: The hidden security challenge").

The "so what?" answer here is this: the energy sector, and likely other critical infrastructures as well, appear to be highly susceptible to attack, they're focusing on the wrong kinds of solutions, and they're not effectively or sufficiently addressing the security weaknesses in these solutions - even when they've known about them for years! The implication is, quite simply, that known broken systems are continuing to be deployed despite a viable warning shot having been fired across the bow of these vendors and the sector as a whole. One thing that is clear is that the next generation of malware is going to be bigger, badder, and all that much more effective. It's time to wake up and smell the ozone!

Speculation Round-up

Rather than blather on endlessly here with speculation about who did what and why, I'll leave that to the mainstream media FUD-machine. Following are some interesting articles that wonder if the attack was, in fact, created by a nation-state for a specific purpose. Note that Schneier's summary (posted above) also postulates some alternative theories (several of which sound equally plausible). What's fascinating to me is that single strings (numeric and alpha) are being heavily over-analyzed in an effort to link the perpetrator to a specific nation-state, while this could just as easily have been the actions of a criminal organization. Only time will tell what the real truth will be.
* PC World: "Was Stuxnet Built to Attack Iran's Nuclear Program?"
* Symantec: "Stuxnet Introduces the First Known Rootkit for Industrial Control Systems"
* Tech News World: "Stuxnet: Dissecting the Worm"
* Christian Science Monitor: "Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?"
* Christian Science Monitor: "Stuxnet worm: Private security experts want US to tell them more"
* Redmond Channel Partner Online: "Code Missile: Stuxnet Worm Takes Aim"
* The Register: "UK nuke station denies Stuxnet shutdown"

About

This page contains a single entry from the blog posted on November 3, 2010 12:48 PM.

Creative Commons License
This weblog is licensed under a Creative Commons License.