By Ellen Nakashima
Washington Post Staff Writer
Friday, October 1, 2010; 2:49 PM
A sophisticated worm designed to infiltrate industrial control systems could be used as a blueprint to sabotage machines that are critical to U.S. power plants, electrical grids and other infrastructure, experts are warning.
The discovery of Stuxnet, which some analysts have called the "malware of the century" because of its ability to damage or possibly destroy sensitive control systems, has served as a wake-up call to industry officials. Even though the worm has not yet been found in control systems in the United States, it could be only a matter of time before similar threats show up here.
"Quite honestly you've got a blueprint now," said Michael J. Assante, former chief security officer at the North American Electric Reliability Corporation, an industry body that sets standards to ensure the electricity supply. "A copycat may decide to emulate it, maybe to cause a pressure valve to open or close at the wrong time. You could cause damage, and the damage could be catastrophic."
Joe Weiss, an industrial control system security specialist and managing partner at Applied Control Solutions in Cupertino, Calif., said "the really scary part" about Stuxnet is its ability to determine what "physical process it wants to blow up." Said Weiss: "What this is, is essentially a cyber weapon."
Researchers still do not know who created Stuxnet, or why.
The antivirus security firm Symantec analyzed the worm this summer and, by taking control of servers it had been connected to, determined that the malware had infected about 45,000 computers around the world. Most of those infected - about 30,000 - were in Iran. Those computers were not the targets, but the finding suggested that the target was nearby.
Speculation has focused on Iran's nuclear enrichment facilities, and this week Iranian officials said they suspect a foreign organization or nation designed the worm.
The United States has a covert program to sabotage the systems that undergird Iran's nuclear facilities. Some experts have also suggested that other countries, including Israel, could be behind Stuxnet.
Joel F. Brenner, former national counterintelligence executive and a former senior counsel at the National Security Agency, said he thinks it is unlikely that the United States created the worm. "We don't do anything on purpose that we can't really target and control," he said.
Brenner, who has long warned of such a threat to the electric grids, also cautioned against assuming a nation state was behind it. A group at a "premier technical institute" in the United States, China, Israel or Russia, could have carried it off, he said.
Siemens, a German-headquartered multinational company, has identified 15 cases of infections on customers' plants worldwide; the single largest concentration - five - was found in Germany. Each customer was able to detect the worm and remove it without harm to their operations, spokesman Alexander Machowetz said.
Still, the possibility that Stuxnet could be used by copycats, even those who don't intend to do harm with it, is causing concern among experts.
"Stuxnet opened Pandora's box," said Ralph Langner, a German researcher whose early analysis of the worm's ability to target control systems raised public awareness of the threat. "We don't need to be concerned about Stuxnet, but about the next-generation malware we will see after Stuxnet."
Sean McGurk, director of the U.S. National Cybersecurity and Communications Integration Center at the Department of Homeland Security, said that the department posted its first report to industry recommending steps to mitigate the effects of Stuxnet on July 15. But "not even two days later," he said, a hacker Web site posted the code so that others could use it to exploit the vulnerabilities in Microsoft.
"So we know that once the information is out in the wild, people are taking it and they're modifying it," he said.
While analysts still do not know what the creators of Stuxnet were targeting, this much is known:
* It exploited four Microsoft "zero-day" vulnerabilities, allowing Stuxnet to spread automatically without computers users' knowledge.
* One vulnerability allowed the worm to spread via the use of a thumb drive or other removable device. That flaw and one other have since been patched.
* It is autonomous - it requires no hidden hand at the control stick to direct its moves.
* It targeted a specific kind of Siemens software that runs on industrial control systems from water sanitization to oil pipelines and nuclear plants.
* Once it found its target, it was designed to inject code into the controller to change a process. What that process is, is not yet known.
* Time stamps on pieces of the code suggest it was created in early 2009.
* It was first reported in June by VirusBlokAda, a Belarus security firm.
Assante, formerly of the North American Electric Reliability Corp., also known as NERC, noted that Stuxnet was built to take advantage of weaknesses in industrial systems. For instance, the worm banked most industrial plants' reliance on third parties to perform maintenance and assist in troubleshooting, and these outsiders often plug thumb drives or other removable media into the systems.
The irony, he said, is that industry has long known about these gaps and high-risk practices.
"We know so much about what we need to address," said Assante, now president of the National Board of Information Security Examiners. "We just need a more organized way of addressing the weakness."
Recently, in light of Stuxnet, NERC issued an update to electric power companies, making recommendations for protection, but said that companies would "not be subject to penalties for a failure to implement" them.
Stuxnet underscores the need to strengthen the defense of critical industrial systems, lawmakers say. "While industry attitudes and awareness have improved in the last few years, the same broken systems are in many cases still in place, leaving our nation vulnerable to attacks," said Rep. Jim Langevin (D-R.I.), who this week introduced legislation to allow the administration to regulate these critical systems and to expand the Department of Homeland Security's authority to enforce the rules.
Several weeks ago, a control system monitoring pressure in a natural gas pipeline in San Bruno, Calif., malfunctioned, resulting in an explosion and fire that killed eight people.
"This is what you could do unintentionally," said Weiss, the industrial control system security specialist. "Think about Stuxnet, where you could start doing things intentionally."