Stuxnet worm: Private security experts want US to tell them more
Private sector security experts say the government’s public reports on the Stuxnet worm – the world’s first publicly-known cyber superweapon – often seem to be old news or incomplete.
“We were able to reverse engineer the [Stuxnet] code and monitor how it works,” McGurk says. “There have been individuals speculating on attribution and intent…. Our main focus has been on understanding the malware and putting mitigation in place – how to prevent the spread and how to protect the physical infrastructure.”
Still, examples of government as follower abound that Peterson and others say show the government has not been doing enough to get critical information out.
On Sept. 21, German researcher Ralph Langner dropped a bombshell at a cyber security conference in Maryland detailing how Stuxnet “fingerprints” its target, making it the first-known targeted cyber missile. It is designed to home in on and “destroy something” in the real world, Mr. Langner says. Some of his findings, posted on his website Sept. 13, were echoed days later in an ICS-CERT alert.
This past week the big anti-virus software company Symantec again eclipsed government researchers by unveiling a 49-page blueprint of Stuxnet, which some experts speculate was aimed at wrecking Iranian nuclear facilities, but which has spread far beyond Iran.
Symantec’s analysis – much of it released long ago in blog posts this summer – details not only how Stuxnet operates, but also key steps to defuse it.
That could be important since Symantec notes in its new report that about 60 percent of the 100,000 Stuxnet-infected computers worldwide were in Iran. Yet just under 1 percent of those infections were in the US – roughly 900 computer systems. And within that smaller group, about 5 percent of the infections (40-50 computers) were on Siemens industrial control systems.
Siemens uncertain how many clients infected
That’s a lot more than Siemens admits to. A spokesman told the Monitor just 15 of its industrial control systems clients worldwide had reported Stuxnet infection. The spokesman acknowledged, however, the company is not certain all its clients would have reported an infection if they had one.
That worries some experts who wish there was a stronger government push to fan out among potentially affected industries to explain Stuxnet and the threat variants it might pose.
“I don’t think the chemical industry has their eyes on this, which is why I’m writing about this,” says Patrick Coyle, a retired chemical engineer who writes a blog called Chemical Facility Security News. “Government hasn’t reached these guys.”
Others, like Joel Langill, an industrial control systems security expert who works in the oil and gas industry, say there’s been a distinct lack of information flowing from government.
“It was very quiet in July, and about the only place to get public information on Stuxnet was from Symantec,” he says. “I don’t think ICS-CERT reports have done justice to the magnitude of what happened. Their reports have contained a lot of detail about the Stuxnet worm and prevention, but haven’t done much about what to do if you had it. If this was a massive cyber attack, they didn’t do very well.”
On Sept. 29, ICS-CERT released a four-page “advisory,” the most recent in a series of similarly brief tracts on how Stuxnet has operated since July.