The fact that, according to Symantec, most of the attacks seem to have been directed at Iran, India and Indonesia (Figure 1) lends credibility to this kind of thinking.
As of Sept. 17, Hamburg, Germany-based security expert Ralph Langner (www.langner.com/en/index.htm) offers a suspected victim, the Bushehr nuclear site in Iran, as well as a possible source of the virus, a Russian systems integrator. Note that none of this is proven yet, but Langner makes an interesting case for it.
Industrial espionage. Nuclear facilities. Nation-states. Terrorism. Now we're getting into Tom Clancy territory. Interesting speculation, but not necessarily helpful.
Let's get back to what we really know now as I am writing this story. Within days of the virus' discovery, both Siemens and Microsoft issued patches to close the holes that Stuxnet used to get into systems. As of now, Michael Krampe, director of media relations for Siemens (www.siemens.com), says that "We have identified 15 customers where the virus has been identified on their systems. We have been able to isolate it, detect it and remove it from those systems without damage to operations."
Another way to get perspective on the issue is by seeing what has not happened. No major process event has happened that can be attributed to the Stuxnet virus. Furthermore, no entity has come forward to say it is the perpetrator or demanded money or issued threats. Why that is the case is open to interpretation, but the fact is, at the moment, in spite of its disturbing potential, Stuxnet seems not to have done much harm.
No Harm, No Foul?
For the most part, other than Siemens, major automation vendors at first treated Stuxnet as just another security vulnerability. "How we treat Stuxnet is pretty much how we view every vulnerability for control systems. It's not the first, and it won't be the last," says Ernie Rakaczky, program manager for control systems cybersecurity, Invensys Operations Management (http://iom.invensys.com).
Vendors also reported that only a few of their customers seemed especially concerned, even after news of Stuxnet was released.
In part, this is no doubt due to the fact that not every control system is architected the same way, and the techniques deployed by Stuxnet's inventors would not necessarily work on other systems. Furthermore, every major vendor has systems in place for managing security and notifying users of vulnerabilities.
"We have formalized a whole set of practices to address cyber security—basic stuff—design, validation of code, training, information exchange with customers, monthly patch updates," says Rakaczky, naming a laundry list that would apply to most vendors.
So what's the big deal? Just another virus. Not exactly.
"This is a defining moment for the industry," says Doug Wylie, business development manager for networks and security at Rockwell Automation (www.rockwellautomation.com). "This was intentional, focused on industrial applications. The intent has caused a number of customers and the entire industry to say, 'Yes, this is real.' There are parties not just looking for information, but wanting to take control of systems."
Roy Tanner, of Strategic Marketing, Industries at ABB (www.us.abb.com), adds, "While this was a focused attack on a particular control system, it is also a clear sign that control systems are being specifically targeted. This must be considered in all phases of control system product development, but also in how control systems are installed, operated and maintained."
"They could have done it to anyone's system," says Bob Huba, product manager and security architect for Emerson Process Management (www2.emersonprocess.com). "[Stuxnet] will certainly accelerate security awareness a bit."
Kevin Staggs, engineering fellow at Honeywell Process Solutions (http://hpsweb.honeywell.com), adds that, "Although Stuxnet may have targeted specific systems, it serves as a reminder of the responsibility of keeping the malware protection software current on all control systems and following the best security practices."
Brian Owen of OSIsoft (www.osisoft.com) adds, "This was very targeted, and if anyone thinks they can hide when they're targeted, they're wrong."
A Change to the Systems?
"One effect of the Stuxnet virus is that there will be a change in the way systems are built," says Cusimano. "The trend has been around for a while, but this will kick it into high gear. Users have been pressuring vendors to build security into systems.
"The ISA Security Compliance Institute (www.ISAsecure.org), for example, is a consortium of vendors and users, who have written a set of compliance criteria for assessing the level of security embedded in products."
He continues, "There's also stuff going on in terms of best practices and competency of systems integration personnel. Control system security is a narrow field. It requires control system, IT and risk management knowledge. That's a pretty special skill set."
Invensys' Rakaczky says vendors must build more security management tools into their systems. "Tools must have functionality to enable people to use them. We have a lot of good guidance and direction, things to do, etc. in our systems—but customers are still struggling with the fact that too much of that focuses on more for control engineers to do. Every successful [security] program has a strong management component—keeping logs, changing passwords, etc. The key will be the approach. We need a standard way of managing it, so that it can talk to all vendors' products. It needs to recognize multiple vendor environments. We have an obligation to the community here. We're not so much competing against one another here. At this level, all vendors are in this together."