If Stuxnet was act of cyberwar, is the U.S. ready for a response?
The complex Stuxnet worm proved attacks on SCADA and other industrial control systems were possible. Are we ready if one comes our way?
By George V. Hulme
March 02, 2011 — CSO —
With Stuxnet setting back Iran's disputed nuclear program, that country has vowed to take "pre-emptive" strikes against the powers it believes launched the attack, a recent news story in the Tehran Times reported.
"An electronic war has been launched against Iran," an official was quoted as saying.
Accurate or not, most reports and expert conjecture pin the responsibility for the creation of Stuxnet on the United States and Israel. If Iran retaliates and attacks industrial controls or Supervisory Control and Data Acquisition (SCADA) systems, are our systems prepared and secure enough to withstand an advanced and targeted attack?
The short answer is no.
"The biggest challenge we face isn't that we're not ready for a Stuxnet. The biggest problem we face is that we're not really ready for anything. If you were to do a pen test -- and there's plenty of research out there to support this -- most utility companies are extremely vulnerable," says Eric Knapp, director of critical infrastructure markets at NitroSecurity.
That begs the question: How far away are utilities and other critical infrastructures from where they need to be? "Some [utilities] are way, far away from where they need to be," says one security assessor who has recently completed a number of assessments on utility companies and requested not to be quoted by name. "They're making many poor assumptions about their risk," he says. "They believe that because their communications between devices are encrypted, or because they have some type of access control that they're secure. In many ways they're acting like software companies did about a decade or so ago. They just don't want to see the reality of things."
Knapp says that, while utilities are lackadaisical in many areas, the picture is not consistently bad. "We work with a lot of utilities and a lot of industrial manufacturing facilities, and for every comment like that I hear, there are other utilities that take it very seriously," says Knapp.
Mike Sconzo, principal security consultant at NetWitness, believes that critical infrastructure industries, such as utilities and manufacturing, are starting to take the steps necessary to become more resilient. "Critical infrastructures are going through the same kind of growing pains as the IT industry did over the years," Sconzo says. "For instance, the first version of NERC's CIP (North American Electric Reliability Corporation's Critical Infrastructure Protection) standard consisted primarily of security box checking. Meaning if you do X, Y, and Z you are supposedly secure. I'm hearing more interest now, however, in moving toward more risk-based assessments. A lot of people are realizing that risk-based security management is not such a horrific idea," he says.
"The key is getting everyone up and down the stack to realize that security is a continuous process, and just as software developers learned basic best practices a decade ago and built from there, so must utilities and other critical infrastructures," says Sconzo.
Sure enough, but with many experts believing it's only a matter of time before a Stuxnet-like worm is targeted toward U.S. interests, one has to wonder if there's enough time.
George Hulme writes about security and technology from his home in Minneapolis. After spending more time researching critical infrastructure security, he's been often spotted pricing gas and solar-powered backup generators. He can be found on Twitter as @georgevhulme.