Life after Stuxnet

By Staff Writer, ITWeb
Johannesburg, 25 Feb 2011

The big question raised by the Stuxnet worm isn't so much who authored it and for what reason, but what its legacy will be.

However, most experts agree that the advent of Stuxnet heralded a new age in security threats, a move towards 'superweapons'.

Stuxnet was a very special case, says Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.

“The resources in terms of money and research behind it were enormous,” he explains. It was one of the most sophisticated pieces of malware ever discovered, and the first aimed at supervisory control and data acquisition (Scada) systems, which control critical infrastructure.

Initially, Raiu says, the worm's purpose was unclear, but research into its functioning suggests it was aimed at disabling Iran's uranium enrichment programme, and is widely believed to have set the country's nuclear programme back around five years.

“There has been endless speculation on what Stuxnet can and can't do. The facts are simple; the Stuxnet virus can damage uranium enrichment processes that use specific software,” he says.

“In reality, Scada systems, which Stuxnet is attacking, are based on very old code, and were never designed to be attached to the Internet. This code is extremely vulnerable. There is a real possibility that, in future, cyber criminals could exploit these vulnerabilities to take control of such installations or to simply damage them.”

Raiu opines that perhaps next time, it will be stealthier. “We expect to see more targeted cyber superweapons, targeting specific installations, [and] regions. If the authors improve on existing cases, it is possible nobody would even hear about it.”

“In the case of Stuxnet, most of the systems controlling this particular infrastructure were designed about 10 years ago. At this time, Microsoft released operating systems, such as Windows 2000.

“Today, everything is run by Windows, supported by Windows systems. When dealing with critical infrastructure, it would be far safer to run infrastructure of this nature off more obscure operating systems. Well-known platforms are insecure, and used in a way for which they were not intended.”

In theory, Raiu says, this shouldn't be a problem as long as nobody knows that password. “In the case of Stuxnet, it seems they did manage to get access to these master passwords. That's how it managed to infect the databases and other computer systems.”

Considering networks and their associated vulnerabilities, any system connected to the Net will be susceptible to the same vulnerabilities. The bottom line is, consumer technology shouldn't be used for critical systems, he explains.

Speaking of the future, he says the initiative should come from governments. Private companies can't be forced to take action, but governments should understand that security of critical infrastructure has become a priority. “Unfortunately, it isn't seen as a problem until something happens.”

He says the IDC has predicted that by 2015, a country's critical infrastructure will be sabotaged by hackers. “The time to act is now.”

Another incident to ponder, says Raiu, is the recent assassination of the top Stuxnet expert in Iran. It was widely reported that Professor Majid Shahriari was killed in a drive-by shooting, by unknown operatives on speeding motorcycles.

“The message is clear,” says Raiu. “There are those out there that do not want Stuxnet to be too widely probed or talked about.”
