Posted on July 23, 2010, by T. Scott Cowperthwait
In the wake of the Russian spy scandal that rocked Washington, D.C. earlier this month, U.S. law enforcement authorities have increased monitoring of all potential espionage activity. Now comes news from overseas that computer hackers have developed a new virus, named Stuxnet, which targets industrial control systems. The Stuxnet virus targets systems with installed supervisory control and data acquisition (SCADA) software, specifically Siemens AG Step 7 software, and is spread through removable drives plugged into USB computer ports. SCADA systems are used to control, operate and monitor the facilities that represent sectors of our nation’s critical infrastructure, such as electric power systems, water supply/distribution and wastewater management systems, and the transportation of gas and oil in pipelines.
Identifying the motive and ascertaining the identity of those responsible for the release of the Stuxnet virus should be a top priority for the U.S. Department of Homeland Security National Cyber Security Division’s Control Systems Security Program, which is tasked with reducing industrial control system risks within and across all critical infrastructure and key resource sectors by coordinating efforts among federal, state, local and tribal governments, as well as industrial control systems owners, operators and vendors. Symantec Corporation, the largest maker of personal computer security software, has already hypothesized about the identity and motives for the attack, including: 1) the lone wolf theory; 2) the disgruntled employee theory; 3) commercial competitor/corporate espionage; 4) state-sponsored espionage; 5) nationalistic, political, religious, and related motivations; and 6) terrorism.
The complexity of the threat has led many analysts to conclude that the attack is the work of much more than a lone wolf or disgruntled employee, which leaves us with the remaining four possibilities, none of which are comforting. Corporations that operate SCADA systems should take immediate affirmative steps to safeguard their systems and educate their employees about security and threats.