LONDON (Reuters) - No one may ever know for sure who built computer worm Stuxnet or why, but now it is out there it could prove as big a game changer for industrial system security as the September 11 attacks were for aviation.
Others compare it to the first atomic blast — a first clear real-world demonstration of something long thought possible that makes it easier and more likely for others to follow.
Since its discovery this summer, spy agencies, security experts, hackers and others — perhaps including militants — have been scrutinising Stuxnet to learn and exploit its secrets.
Most analysts agree it was probably built by one or more nation states to target a particular industrial facility, most likely Iran’s nuclear program, reprogramming its own control systems to inflict physical damage.
Proving that is a different matter altogether. But those who have studied it closely say it is by far one of the most sophisticated attacks able to target the key control systems at the heart of almost all modern infrastructure, from nuclear plants and refineries to transportation and traffic.
“There’s still a lot we don’t understand about Stuxnet,” said Joel Langill, one of the authors of a new report into the worm from US-based group of experts the Cyber Security Forum Initiative CSFI.L. “But what we do know is it’s a very significant step forward from anything we’ve seen before. Understanding Stuxnet and how it operates is important to learning how to defend against the threat.”
If Stuxnet was released by a Western spy agency to damage Iran, Langill said, they could ultimately regret the decision.
“Having it out there certainly makes it easier for someone else to produce something similar,” he said.
A host of nations including the United States, China, Russia and Britain are pouring more resources into cyber warfare, viewing it as key to their national security.
Whilst the most sensitive systems such as nuclear power plants usually have protection advice from national security agencies, private firms operating utility, refinery and manufacturing plants get less support.
Corrupting their programming could still kill, and even the suspicion of infection could force a system shutdown.
“Stuxnet will live on — it will be the zombie of our nightmares,” blogged German expert Ralph Langner, one of the first to identify it. “It provides a blueprint for aggressive attacks on control systems that can be applied generically.”
A handful of firms dominate the infrastructure control system market: Emerson and Honeywell from the US, Britain’s Invensys, Germany’s Siemens, Switzerland’ s ABB and Japan’s Yokogawa.
Windows software tends to underpin almost all systems, with all seen likely to have previously undiscovered “zero day” vulnerabilities.
Stuxnet exploited at least four separate zero day vulnerabilities, a sign of its complexity — it is rare for even two to be targeted at the same time. Those particular holes are now being closed with software patches, but meanwhile Stuxnet has quietly copied and sent itself around the world.
Most users it passed through would never have noticed. It would have uploaded itself, scanned their system, found it was not in its target and moved on, meanwhile sending data back to its creator via now-blocked websites in Denmark and Malaysia.
The target itself was likely kept separate from the Internet for security, but it would have entered the system through an infected USB stick before taking control.
“Stuxnet does a lot of things we haven’t seen before,” said CSFI’s Langill, an oil sector cyber security consultant for Houston-based ENGlobal. “It is able to conceal itself within the system. It is able to reprogram code and then conceal (that).”
Experts always knew a Stuxnet-like attack was possible. But no one had seen an apparently working version until this summer. By then, it had already been circulating since 2009, apparently updated by its creators sometime this year.
Iranian officials say the worm infected some computers at its Bushehr nuclear plant but deny it delayed start-up.
If it did real damage, few expect Tehran — or any other victim — ever to admit it. Israel’s intelligence services are widely suspected, but few expect them to come forward either.
But as well as representing a technical breakthrough in its own right, Stuxnet relied on lax security systems — unchanged default passwords and poor control around the use of pin drives.
The 911 attacks prompted an immediate tightening of security measures around the world to make simply hijacking aircraft more difficult — measures that arguably should already have been in place. Some argue Stuxnet should have a similar effect.
“You need a security program that looks at not only one or two security controls but a comprehensive defence in depth strategy,” said Langill. “There are a whole lot of things you can do — some very simple. Complacency is the real problem.”
The good news, experts say, is that designing attacks this sophisticated — even with the original worm to work from — remains fiendishly difficult, certainly much more so than hijacking an airliner with a box cutter.
As well as understanding how to create the worm, any attacker needs to have deep knowledge of the system they target.
“I’d compare it more to the first detonation of an atomic bomb (than 911),” said Alastair Newton, former policy lead for cyber warfare at Britain’s foreign office and now chief political analyst for Japanese bank Nomura.
“As the North Koreans keep proving, 65 years later it’s still not an easy thing to replicate even though many of the instructions are out there on the Internet.”
Additional reporting by William Maclean; editing by Ralph Boulton