* Stuxnet leaks mean virus is available
* Energy sector espionage is on the rise
* Significant disruption could occur
By Daniel Fineren
DUBAI, May 31 Global energy infrastructure is
more vulnerable than ever in an escalating cyber war thanks to
"sons of Stuxnet" electronic missiles, which can be created from
the virus designed to sabotage Iran's nuclear programme.
Cyber espionage is on the rise, with Chinese hackers
stealing field data and cutting-edge technology from energy
companies around the world since at least 2009, according to
leading security firm McAfee (part of Intel Corp).
But the biggest threat to everything from power grids to
digital oilfields may come from malware based on the Stuxnet
worm, widely thought to have been sponsored by western
government agencies, security experts say.
Cyber weapons like Stuxnet that can take control of plants
appear to be more of an operational danger than the
recently-discovered Flame virus, which seems designed to gather
data.
"Stuxnet really showed people you could do this, that is the
problem. I cannot imagine any major government agency not
developing an offensive capability," Eric Byres, a leading
authority on critical infrastructure security, told Reuters.
Byres, who advises governments and multinationals on cyber
security, said government agencies could seek to infiltrate
energy infrastructure in case of political tension. "That is one
of the risks, that we are weaponizing our entire energy
industry, or leaving weapons inside it, just in case."
Governments are concerned that energy and communications
networks would be the first victims of any conflict with a
cyber-savvy aggressor.
"It is believed that would be part of any form of warfare -
that they would take out private sector infrastructures as part
of knocking out a country," said Paul Dorey, who managed BP's
digital security until 2008 and is now professor of
information security at the University of London.
The stable relationship between the United States, Russia
and China means there seems little chance that they will try to
disrupt one another's energy networks any time soon.
But Iran has been bombarded with cyber bugs during its
intense nuclear standoff with the west, with the virus known as
Flame detected in April and a worm called Duqu, designed to
gather intelligence on industrial infrastructure for future
attacks, found last year.
ESPIONAGE
The United States is by far the biggest source of general
malicious activity on the internet, data from anti-virus
software maker Symantec Corp indicates, but targeted
industrial espionage largely comes from Asia.
"Targeted attacks are increasing dramatically. It could be
state sponsored or it could be just hacktivists or it could be a
cyber criminal organisation. But we know the number one target
is government institutions and the second is manufacturing,
including oil and gas," Bulent Teksoz, Symantec's chief security
strategist for emerging markets, said.
According to data from the Repository of Industrial Security
Incidents, power and transportation companies see the greatest
number of major cyber security problems. Most of those incidents
result in some loss of production or equipment control.
Until Stuxnet, breaking into supervisory control and data
acquisition (Scada) systems running most of the world's industry
was thought to be beyond most hackers.
Now that its groundbreaking code has leaked and is freely
available on the internet, any competent cyber criminal group
could use it to pierce the Scada security that controls vital
infrastructure around the world.
"Stuxnet does provide a delivery vehicle, for non state
actors to use, that is a direct threat to critical
infrastructure," said Alexander Klimburg, senior cyber security
adviser at the Austrian Institute for International Affairs.
"They have to go and develop their own warhead but you have
given them a cruise missile... It's perfectly possible that
Stuxnet could be adapted for cyber terrorism purposes and that
is a real concern."
Byres, who designed the leading industrial firewall system,
said that although the original cyber weapon targets Siemens
systems which controlled Iran's Natanz centrifuges, its parts
could be adapted to take control of any industrial controller.
It has had some impact on at least 22 other installations,
including a U.S. metals factory, he said.
CYBER COLD WAR
The mother of all Scada attacks is believed to have occurred
30 years ago, when the U.S. Central Intelligence Agency is said
to have used a "logic bomb" to blow up a Siberian gas pipeline.
According to a book by former senior U.S. intelligence officer
Thomas Reed, after discovering the KGB was trying to steal
pipeline control software, the CIA planted a version that would
cause the system to over-pressurize, and let the Soviets have it.
U.S. President Barack Obama warned in 2009 that "cyber
intruders" were probing the U.S. power network and that foreign
intelligence services were behind some intrusions. In March the
U.S. Department of Homeland Security identified a series of
attacks on natural gas pipeline operators.
"We believe it is only a matter of time before someone
employs capabilities that could cause significant disruption to
civilian or government networks and to our critical
infrastructure," General Keith Alexander, head of the U.S. Cyber
Command, told a senate committee hearing on March 27.
A U.S. Department of Defense report said this month that
cyber spying was done by intelligence services, private sector
companies, and individuals from dozens of countries, but that it
expected China to remain an "aggressive and capable" collector.
"Chinese attempts to collect U.S. technological and economic
information will continue at a high level and will represent a
growing and persistent threat to U.S. economic security."
U.S. cyber defense chief General Alexander told the
committee that Chinese hackers were responsible for a raid in
early 2011 on RSA, maker of the SecurID system used by many
large companies to access private networks.
The codes and control servers used in the U.S. gas grid
attacks match those used to break into RSA, Byres said.
Night Dragon, so called because U.S. security firm McAfee
noticed the data raids took place from Beijing-based IP
addresses on weekdays from 9.00 am to 5.00 pm Beijing time, was
the first known coordinated attack on global energy companies.
Night Dragon, reported in 2011, focused on stealing
information on potential oil and gas reserves and new
technologies from western energy companies, valuable information
for rivals competing for exploration licenses around the world.
Modern "digital drilling rigs" with their multiple external
connections to critical onboard systems, and the rollout of
"smart meter" systems linking consumers and power generators via
two-way communication lines, are new potential weak spots.
"The attackers are getting more skilled and we are
increasing the vulnerability," Justin Lowe, an energy security
specialist at PA Consulting Group told the conference.
"We are putting more systems out there which are
attackable."
(Editing by Philippa Fletcher)