Today’s FT has a piece about a bit of malware called Stuxnet, which “has infected an unknown number of power plants, pipelines and factories” (or more specifically, the SCADA – Supervisory Control and Data Acquisition – systems that control them). According to the FT, Stuxnet
…spreads through previously unknown holes in Microsoft’s Windows operating system and then looks for a type of software made by Siemens and used to control industrial components, including valves and brakes.
Stuxnet can hide itself, wait for certain conditions and give new orders to the components that reverse what they would normally do, the experts said. The commands are so specific that they appear aimed at an industrial sector, but officials do not know which one or what the affected equipment would do.
While cyber attacks on computer networks have slowed or stopped communication in countries such as Estonia and Georgia, Stuxnet is the first aimed at physical destruction and it heralds a new era in cyberwar.
For the tech details, see this briefing from Microsoft’s Malware Protection Center back in July, and also this comprehensive overview from Wired – which notes that Symantec is calling the worm “the most complex piece of malware we’ve seen in the last five years or more … it’s the first known time that malware is not targeting credit card [data], is not trying to steal personal user data, but is attacking real-world processing systems. That’s why it’s unique and is not over-hyped.”
So is this down to hackers, terrorists or organised crime targeting the soft underbelly of OECD economies? Not necessarily. Some analysts are speculating that the target may be Iran’s nuclear program, given that the majority of infections have taken place there. That’s not confirmed by any means – but what analysts do know, according to Wired, is that
the worm is designed to attack a very particular configuration of the Simatic SCADA software, indicating the malware writers had a specific facility or facilities in mind for their attack and had extensive knowledge of the system they were targeting.
Analysts have been expecting this type of attack for a long time – John Robb highlighted SCADA vulnerabilities in an excellent blog post on infrastructure attacks all the way back in 2004 – but it’s been slow to materialise.
The headache for governments is that defending critical national infrastructure successfully against this kind of attack depends on how good utility companies’ security is – which is why governments have been spending a lot more time and energy on stuff like this.