[This is a guest blogpost by Srikanth R., Senior Research Associate at the Takshashila Institution. In this blogpost, Srikanth provides context to the Stuxnet Trojan and highlights preventive measures India can take to minimize collateral damage.]
News on the impact of what has come to be known as the Stuxnet Trojan on Iran’s nuclear facilities at Natanz and Bushehr has generated a considerable amount of media and academic interest on its origins. In a briefing to the U.S. Senate Homeland Security and Governmental Affairs Committee, Sean McGurk, director of Homeland Security’s national cybersecurity operations center, described Stuxnet as a “game changer.”
According to the Siemens product support site, Stuxnet affects Microsoft Windows PCs with WinCC and PCS 7. The malware spreads via mobile data carriers, for example USB sticks, and networks. The Trojan is activated solely by viewing the contents of the USB stick. The website also suggests that Stuxnet was not developed by a hacker but “with the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge” and “This means that the malware is able, under certain boundary conditions, to influence the processing of operations in the control system.”
There is a procedure to clean a system infected with Stuxnet, but a cleaned machine can be re-infected simply by plugging in an infected USB device, and cleaning a network of infected machines cannot be done without disrupting all activity and shutting down the entire network. As explained on the support website:
It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications. [Siemens]
Indeed, Iran's centrifuge program had to go through a shutdown and restart process to clean up its infected systems, delaying its schedule. The implications of the Trojan for India's own nuclear program have thus far been unreported. Since the Trojan's target is system-specific (WinCC and PCS 7), the impact is likely minimal unless India employs the same software to program its spinning machines. However, it is still conceivable that similar SCADA systems are used in Indian industry for a variety of other purposes and could potentially be vulnerable to Stuxnet-like attacks in the future.
Given the inherent vulnerability of WinCC-based processes to such attacks, it is prudent to take precautions and design processes to ensure that no unverified software can be loaded onto the system, either over the Internet or via USB memory sticks. Industries that are currently vulnerable to such attacks must consider moving to non-WinCC systems in the long run.
What Stuxnet tells us is that a malignant organization or country can put together a team of experts to create Stuxnet-like Trojans to target SCADA systems in India or elsewhere. While cybersecurity policy makers assess the long-term implications of Stuxnet-like Trojans, short-term precautionary measures are necessary to prevent further collateral damage. Sites operating such systems should segment their SCADA systems into separate, isolated subnets to ensure that infection of one system does not spread to others. Furthermore, it may be useful to institute security protocols that prevent USB devices from being connected to any machine in the network. USB devices of unknown origin must be forbidden from being used.
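One concrete way to enforce the USB precaution above on a Windows host running WinCC or PCS 7 is to disable the USB mass-storage driver; the script below is an added example, not code from the original post or from Siemens, and it assumes an elevated PowerShell session on a Windows version that provides Get-PnpDevice.

```powershell
# Added example: block USB mass-storage on a Windows SCADA/HMI host by
# disabling the USBSTOR service. Start=4 means "disabled"; the default
# value of 3 ("manual") is restored when -Restore is passed.
# Assumes an elevated (Administrator) session.
param([switch]$Restore)

$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$desired = if ($Restore) { 3 } else { 4 }

# Record the weak (current) setting before changing it, for the audit trail.
$before = (Get-ItemProperty -Path $key -Name Start).Start
Set-ItemProperty -Path $key -Name Start -Value $desired -Type DWord
$after  = (Get-ItemProperty -Path $key -Name Start).Start

Write-Host "USBSTOR Start: $before -> $after"
if ($after -ne $desired) { throw "USBSTOR Start value was not applied" }

# A device that is already mounted keeps working until it is removed, so
# list any USB disk still attached so the operator can unplug it.
Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
  Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
  Select-Object FriendlyName, InstanceId, Status
```

Apply the same setting through Group Policy across the whole subnet rather than host by host, so that a single unmanaged machine does not become the re-infection path the post describes.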
It is also advisable to move towards more secure Unix-based platforms for industrial control systems, where the security architecture is more robust than that of Windows-based SCADA systems. Windows-based systems are affected by about 2 million known malware samples, with Linux a distant second with 1,178 vulnerabilities.