Worm invades Siemens SCADA systems globally, power unaffected for now

By Kathleen Davis, Senior Editor

Viruses, worms and Trojans are an unfortunate part of the computerized present — albeit not a pleasant part, which Siemens has been finding out all too personally this summer.

In June, the company discovered it was the specific and directed target of malware that exploits a Microsoft Windows vulnerability in the handling of shortcut files to install itself and then, using a leaked Siemens password, extract confidential information from supervisory control and data acquisition (SCADA) systems.

The sticking point, though, is that the worm's delivery is relatively low-tech: the computer has to be physically connected to an infected USB stick (although it may also spread via CDs and file sharing). If someone views an item from that infected stick, the worm slips out into the system and searches for information to copy.

Named the Stuxnet worm, it seems to be hitting Middle Eastern and Asian countries the most. (Symantec Corp. revealed that over half of the systems impacted were in Iran, but Indonesia and India have also seen a large number of Stuxnet infections, according to one IDG News Service report.) And it is spreading.

The worm itself was discovered by VirusBlokAda, an antivirus company in Belarus, which has labeled the worm “very dangerous” and warned on its website that it could lead to a “virus epidemic.”

Threat protection company ESET claimed discovery of a second variation of the Stuxnet worm last week and issued a warning. According to ESET Virus Lab, this second-generation worm was active in the U.S. and Iran. Almost 58 percent of all infections were reported in the U.S., 30 percent in Iran and slightly over four percent in Russia.

“This worm is an exemplary case of targeted attack exploiting a zero-day vulnerability, or, in other words, a vulnerability which is unknown to the public. This particular attack targets the industrial supervisory software SCADA. In short, this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does,” said Juraj Malcho, head of the Virus Lab at ESET’s global headquarters in Bratislava, Slovakia.

Most of the damage caused by the worm is limited to industrial targets, according to ESET. Siemens spokespersons also stressed that the Stuxnet worm has not yet impacted any power generation SCADA system nor any T&D SCADA system.

“To our knowledge, only two industrial systems were affected by this [malware],” a Siemens spokesperson told POWERGRID International on Thursday, July 26. The fact that power-system SCADA networks weren’t impacted reveals the robustness of those systems, according to Scott Gosnell, CMO with Tatsoft, a developer of software tools, products and services.

“This particular attack shows the strengths of current security technologies and protocols—the worm didn’t come in through a network vulnerability,” he noted.

Industry insiders warn, however, that utilities should not assume they are out of the woods just yet, even if the Stuxnet worm has avoided corrupting power systems this round. It is still spreading, and it won’t be the last threat by far.

“This is not the time to stick your head in the sand and say ‘it can’t happen here,’” said GarrettCom President Frank Madren. “Cyber attacks on industrial control systems are happening now and will probably increase.” Madren suggested that best practices to prevent damage include a multi-pronged approach of good industry standards, technology and personal, targeted recommendations to fill the holes in a utility’s security program.

Tatsoft’s Gosnell would add the human element to Madren’s best-practices equation: keep people tech savvy and on top of things.

“This [attack] also demonstrates that operational risks are an inherent part of running these systems,” Gosnell added. “One of your biggest potential problems comes from poor processes and policies at the human level. Maintaining good security hygiene at the human and social level complements good technical hygiene.”

Madren noted that the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) regulations help protect power utility substations from a variety of security issues, including worms like this one. They are incredibly comprehensive and offer a great amount of defense.

“However, no system is completely immune from creative new incursions. Constant vigilance is required,” Madren said.
