A year of Stuxnet: Why is the new cyberweapon's warning being ignored?
Experts called Stuxnet a 'wake-up call' when it was identified as a cyberweapon. But even as hackers study it, there is scant evidence US utilities are bolstering their defenses against attack.
(Page 3 of 3)
Stuxnet, he says, is a “Pandora's box” that provides ideas to hackers on how to build similar attacks.Skip to next paragraph
Subscribe Today to the Monitor
Since Stuxnet appeared, the Industrial Control System – Computer Emergency Response Team (ICS-CERT), a division of the Department of Homeland Security, has issued a number of alerts. Yet Mr. Langner and others criticize it for being slow and incomplete in its analysis and dissemination of useful information on dealing with Stuxnet.
DHS officials, in interviews with the Monitor, have previously rebutted such criticism, saying it has done a lot – and can only do so much to protect US critical infrastructure when 85-90 percent of it is run by private industry.
Meanwhile, signs are growing that the hacker community is keenly interested in developing Stuxnet-like capabilities – and that far less discriminating cyberweapons than the original Stuxnet are not far behind. Terrorists and cybercrime groups meanwhile are waiting patiently to evaluate such weapons when they emerge, experts say.
“Right now people are playing with Stuxnet, seeing how it did what it did – and how might it affect control systems that run other civilian infrastructure,” says Stewart Baker, a Washington lawyer and cybersecurity expert who served in the Department of Homeland Security and the National Security Agency. “Free floating communities of amateur hackers who are working to deconstruct and democratize Stuxnet. They’re saying,: ‘Gee, this is cool. I could break the power grid.’ ”
Others agree. The rate at which industrial control system vulnerabilities are being discovered by researchers and added to the national database has more than doubled since Stuxnet appeared, says Mr. Huber, whose company tracks them. That intensified research into control system weaknesses usually translates within a short time into “exploits” – attack software designed to penetrate those known weaknesses.
“We’ve had signs that people were developing these things [industrial control systems attack software] for years,” Mr. Assante, the former electric grid security chief, said in an earlier interview. “What Stuxnet has done is to increase their confidence it can be done. Expect to see Stuxnet-type attacks in 2012.”
A year after Stuxnet demonstrated the capacity to wreck industrial equipment, NERC's Mr. Roxey says the utility industry is busy conducting followup webinars and embarking on a fresh examination of systems to see if Stuxnet has reemerged.
But not everyone is convinced that either government – or private industry – is doing enough.
“There has been some recognition of the threat – yet we still haven't made the mental adjustment on strategy, policies, and the many things we have to do to guard ourselves,” says Baker, the former DHS and NSA official. “We need to do a lot more – and sooner rather than later.”
RECOMMENDED: The new cyber arms race