The security chief at the North American Electric Reliability Corp. (NERC) is calling for better designed and more hardened systems in the wake of the Stuxnet malware threat.
We're still seeing products that come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time.
vice president and chief security officerNorth American Electric Reliability Corp. (NERC)
The Stuxnet Trojan quickly gained the attention of the security industry because it was one of the first pieces of malware to use multiple previously unknown vulnerabilities. Stuxnet initially relied on four zero-day vulnerabilities to gain access to devices that could potentially connect to critical control systems, allowing Stuxnet to spread to other machines. It was also the first piece of malware that could inject itself into programmable logic controllers, the system that controls temperature, pressure and other processes vital to keeping industrial facilities running smoothly. As Stuxnet activity peaked in late September, NERC readied a guidance document to help North American energy firms address the threat.
But addressing Stuxnet goes beyond using quality security controls, said Mark Weatherford, vice president and chief security officer at NERC. The industry, he said, needs to demand higher quality software that is free from defects.
"This is not an indictment on [the] control system industry; it's an indictment on the IT business in general," Weatherford said. "We're still seeing products that come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time."
NERC maintains security standards and issues guidance to about 2,000 public and private firms involved in electricity generation and distribution in the U.S. and Canada. Weatherford said a "Malware Tiger Team" was formed in July when Microsoft issued the first of what will likely be four patches designed to plug the zero-day vulnerabilities used by the Stuxnet malware in its attacks. Once the malware uses those vulnerabilities, it seeks out the Siemens industrial control system and then attempts to inject itself and change critical processes. Weatherford said Stuxnet is seen as a blueprint that can be used by future cyberterrorists to inflict damage on critical national infrastructure systems or create some kind of catastrophic event.
"Companies who develop products and write code need to continue to mature their development processes to become more secure," he said.
The Tiger Team, which is made up of representatives from various federal agencies, as well as malware experts from several antivirus vendors and security consultancies, helped ensure the information disseminated to critical infrastructure facilities was accurate and not conflicting, Weatherford said.
"The Tiger Team will be a living, breathing organization that morphs and contracts as necessary in response to whatever the threat is," he said.
After Stuxnet surfaced, researchers began the painful process of reverse engineering the malware, a task made more difficult because the Siemens system Stuxnet was targeting is known by only a specialized group of researchers. Many federal organizations had their hand in driving much of the research, including experts with the Department of Energy, the Department of Homeland Security and the Federal Energy Regulatory Commission (FERC).
"All infrastructure is at risk and I would pause and say the utility industry is no more at risk than any other critical infrastructure," Weatherford said. "The malware still exists and certainly could be a threat to any critical facility."
The information gleaned from the ongoing Stuxnet research resulted in two advisories, the details of which Weatherford declined to disclose, as well as a formal recommendation letter, which was sent to electric facilities. It will culminate with the guidance document, which also will remain confidential to protect the security of the facilities, he said. Much of the advice disseminated to U.S. firms included basic security guidelines, such as ensuring that antimalware signatures are up to date and ensuring facilities use security policies that address the use of removable media and USB drives.
"There's no indication that any North American companies have had any type of infection," Weatherford said. "That [Siemens control system] is not widely used in North America but it is also not uncommon."