Last fall, I wrote a couple of posts here about the Stuxnet worm, one of the more sophisticated bits of malware to have surfaced. One of the installations severely affected by the worm was the Iranian nuclear facility at Natanz. Analysis of Stuxnet showed that it was designed to focus its attacks on a particular industrial control system supplied by the German firm Siemens, a system used at Natanz to control the centrifuge cascade for enriching uranium. (Wired has an interesting article describing the process of analyzing Stuxnet. The worm first compromises control software running on Microsoft Windows PCs, then installs a rootkit in the programmable logic controller [PLC] used to control the machinery.) There has been some suspicion that Stuxnet was developed specifically to target the Natanz facility, possibly by Israel or the United States.
Recently, some worries have been expressed that Stuxnet, or a variant of it, might pose a significant threat to parts of the US infrastructure. (If the US was indeed involved in Stuxnet’s development, the irony requires little comment.) The Department of Homeland Security, in testimony to a congressional committee, expressed concern that Stuxnet might be used to mount such an attack. While the Stuxnet worm was designed to attack Siemens systems, it could in principle be modified to seek out other types of control systems; various versions of the worm’s code have been available on the Internet for some time. The Windows side of the worm (its propagation and infection mechanisms) is fairly general, but the payload was written against particular Siemens controllers and the specific equipment attached to them, so the effectiveness of a re-purposed attack would depend on how well its authors could manipulate the PLCs at the heart of the new target’s control system. Even a cruder attack, though, could be a serious nuisance at least.
Wired also reports that a potential attack against a different segment of infrastructure is scheduled to be discussed at the DefCon 19 hacker conference, taking place later this week in Las Vegas. Apparently, many security and control systems used in prisons (used, for example, to control access and cell doors) use PLC-based systems fairly similar to the Siemens systems attacked by Stuxnet.
[John] Strauchs, who says he engineered or consulted on electronic security systems in more than 100 prisons, courthouses and police stations throughout the U.S. — including eight maximum-security prisons — says the prisons use programmable logic controllers to control locks on cells and other facility doors and gates.
Some of the networks on which these systems sit are also connected to the Internet, which provides a direct attack vector. Others are not, but share a network with ordinary office PCs (in, for example, a prison laundry or commissary) that could be compromised by an infected USB drive or a phishing attack, much as Stuxnet itself spread by USB into networks that were not supposed to be reachable from outside. Strauchs and a group of research colleagues have published a paper [PDF] describing the threat.
We are all used to hearing about PC viruses, malicious Web sites, and other varieties of malicious software. SCADA and other industrial control systems are mostly “out of sight, out of mind”, but the example of Stuxnet should serve to remind us of how vulnerable they can be.
Update Tuesday, 2 August, 23:24 EDT
Bruce Schneier also has a blog post on the attack against PLC-based systems in prisons. He says, reasonably, that this is a minor risk at present. Stuxnet was very sophisticated, and developing an equivalent for a different environment is not a trivial task. Nonetheless, the long-term lesson is clear.
As we move from mechanical, or even electro-mechanical, systems to digital systems, and as we network those digital systems, this sort of vulnerability is going to only become more common.
Think about an old-fashioned warded lock. The technology was not sophisticated, and the lock wasn’t hard to pick — but, as the saying goes, you had to be there. It is a truism of security that attacks only get better over time, and interconnected digital systems let a lot more players in on the action.