A year of Stuxnet: Why is the new cyberweapon's warning being ignored?
Experts called Stuxnet a 'wake-up call' when it was identified as a cyberweapon. But even as hackers study it, there is scant evidence US utilities are bolstering their defenses against attack.
“A considerable percentage of those executives told us, basically – ‘So what?’ ” says James Lewis, director of the Technology and Public Policy Program at CSIS. “Some said they had things under control – or this type of threat was a national security problem for government – not them. Bottom line: these guys are reluctant to spend money on things that don’t generate a financial return. Cybersecurity doesn't make business sense.”
New cybersecurity standards for the electric utility industry are now in place. But loopholes allow US utilities to often interpret the standards as not applying to USB memory sticks, notes Joe Weiss, an industrial control systems security expert, in a blog post. Yet infected USBs were exactly what Stuxnet's creator used to spread the attack to Iran's centrifuges, even though they were “air gapped” – separated from the Internet.
“Stuxnet-like threats will require asset owners, technology providers, and homeland security organizations to think more broadly about how [to] develop more flexible, skilled, and adaptive security programs,” says Michael Assante, former security chief of the North American Electric Reliability Corporation (NERC), which oversees grid reliability.
Even so, there are at least a few positive signs that Stuxnet has started to change how utility professionals think, he and others say. In corners of industry there's a “new appreciation for the types of consequences that Stuxnet introduced [that] is beginning to drive decisions about technology designs and practices,” he and others say.
For example, Schneider Electric, a big Paris-based manufacturer of industrial control systems hardware and software, is taking steps, says Eric Byres, chief technology officer for Vancouver-based Byres Security.
“Schneider, and a few others, are definitely making a major push to create a security culture,” he says. “But other companies seem to be doing nothing. It's all over the map. Boeing and Exxon are moving aggressively. For others, it's business as usual.”
In a recent interview, Timothy Roxey, NERC’s director of critical infrastructure risk management and technology, says his group and the utility industry are keeping a watchful eye and taking steps to defend the US electric grid.
“Stuxnet, especially at the beginning, had everyone exceptionally concerned,” he says. As experts started to understand that Stuxnet was targeted at the Iranian centrifuges, “a lot of the immediacy of the concern to the utility space kind of came off the table. It didn't mean that we at NERC were letting it off the hook, since we subsequently wrote an alert on it, but it did mean that we were apparently not the target.”
But there is also plenty of denial that Stuxnet represents a new threat.
Although Stuxnet infected tens of thousands of machines worldwide, its payload activated only when it found the particular system it was after. Yet according to the man who first identified Stuxnet as a weapon a year ago, industrial control systems expert Ralph Langner, the next Stuxnet-style attack might be closer to a “digital dirty bomb” that simply turns off any industrial machine it infects.