Two months ago, I posted about the malware that is now known as Stuxnet, noting that it was designed to compromise SCADA systems; I thought that was proof that nations are planning a new form of cyberwar that will target electric power grids among other things. Two months later, security experts parsing Stuxnet have confirmed that assessment:
Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.
The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose has grown. Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.
The experts speculate that the malware was designed to jump the usual “air gap” security on thumb drives and then act more or less autonomously to penetrate to a particular SCADA system and override controls:
Langner's analysis also shows, step by step, what happens after Stuxnet finds its target. Once Stuxnet identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the giant industrial controls company, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or some other vital function shut down. Whatever it is, Stuxnet overrides it, Langner’s analysis shows.
"After the original code [on the PLC] is no longer executed, we can expect that something will blow up soon," Langner writes in his analysis. "Something big."
For those worried about a future cyber attack that takes control of critical computerized infrastructure – in a nuclear power plant, for instance – Stuxnet is a big, loud warning shot across the bow, especially for the utility industry and government overseers of the US power grid.
Of course, Stilts readers heard that warning shot two months early. And the target of DEADF007? Utterly unconfirmed speculation points toward Iran’s nuclear facility.
So what if all software had to be signed using a split private key, and the key splits were held by five large international banks. Then the worm's driver software could not have been signed using a presumably pilfered key and therefore would not have been recognized as authentic by the Windows operating system. And as a result the presumably targeted Iranian facility instead comes on line on schedule.
Posted by: Chuck Miller | Sep 25, 2010 at 07:15 PM
Welcome to the wonderful, scary world of "equities," in which protecting your crucial institutions means protecting everyone else's. And vice versa.
Posted by: stewart baker | Sep 25, 2010 at 11:24 PM