Stuxnet worm: Private security experts want US to tell them more
Private sector security experts say the government’s public reports on the Stuxnet worm – the world’s first publicly-known cyber superweapon – often seem to be old news or incomplete.
But until the Sept. 15 advisory – which appeared two days after Mr. Langner’s revelations on his website – none of these federal missives provided details that would be needed by US-based industrial systems to detect and remove Stuxnet from infected programmable logic controllers or PLCs, several experts say.
One part of Stuxnet sneaks into an industrial control system. But another part drops its main bomb on PLCs – vital computers that directly control robots on the factory floor. Symantec focused on that issue and unpacked it in detail in early August. But it took the government until its Sept. 15 advisory to address the PLC issue.
While some private researchers have peeled the Stuxnet onion, others, who have been waiting since mid-July for key details from US government researchers for corroboration, have frequently been disappointed.
“They did okay addressing Stuxnet, but I would like to know what I can do to prevent a similar attack coming in the future. That’s where they come up short,” says Langill.
One who applauds the federal government for its efforts on Stuxnet is Mark Weatherford, chief of security for the North American Electric Reliability Corporation. His organization, which is charged with keeping the grid up and running, has been working closely with government to get the word about Stuxnet security concerns directly to about 2,000 registered energy generators nationwide, he says.
“Hopefully Stuxnet will die a peaceful death,” he says. “But we’re going to stay on top of it until we feel comfortable that the threat is no longer there.”
Lack of details leads to rumors and speculation
Still, the consistent shortfall in Stuxnet details from government has led to rumors and speculation. One theory circulating is that the Defense Department feared somehow exposing nuclear systems by detailing Stuxnet fixes.
Another, more obvious theory is that Israel may be behind the cyber attack on Iran – and US officials don’t want to provide Iran with a road map for fixing computers inside its nuclear facilities. Iranian authorities have admitted that Stuxnet infiltrated their nuclear power plant.
“The real question is: Did the US government know the target,” says one cyber security expert in the private sector who asked not to be named because he works with the government sector and fears losing its business. “Did the US government know Stuxnet’s target and say, ‘No, no, no – we don’t want this information [about how to defang Stuxnet] out there.’ It’s highly plausible that people knew Iran was the target and didn’t want all the details about how to fix Stuxnet to get out right away.”
But Scott Borg, who directs the US Cyber Consequences Unit, an independent cyber research center, says that because malware attacks are so hard to source, he would not be too quick to assume the US is withholding information to help Israel, or even that Iran was the target, despite the apparent predominance of Stuxnet infections reported in Iran.
The most plausible explanation is that private sector researchers are winning the race on getting information out because they are better at it.