Imagine a deadly computer virus makes its way around a well-guarded, critical industrial complex—say a nuclear plant—sabotaging its operations by sending bad commands to the centrifuge controller. “Storyline of a B-grade Hollywood movie,” you might say. The Stuxnet worm, a piece of malicious software or malware, whose origins are yet unknown, is designed to do such things.
The Stuxnet worm (or more accurately, W32.Stuxnet) was first reported in June 2010 but its roots can be traced back to June 2009. It was specifically written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems, by reprogramming the programmable logic controllers (PLCs) used within them. However as one would expect, these systems and PLCs are usually not connected to the external world. The Stuxnet worm works around such measures by attacking the PLCs through machines that are used to program them. These are typically computers using versions of Microsoft Windows operating system and running special software in it.
What is interesting is the length to which Stuxnet’s creators have gone in order to attack these Windows systems. Stuxnet uses an unprecedented four 0-day attacks (that are previously unknown to the maker of the software) with the aim of compromising these computers, targeting those installed with the Siemens WinCC/Step 7 program used to control Siemens PLCs. Four 0-day attacks being used by a single worm is unheard of in the exploit community.
Stuxnet has several more firsts to its credit. In addition to being the first malware to specifically attack critical industrial infrastructures, it is the first known malware to use a rootkit to hide itself within the PLC, in addition to hiding itself in the computers used to program them. To install itself on the Windows machine, Stuxnet makes use of two different stolen digital signatures to sign the malware code.
All this effort to what end, you may ask. While it is still a theory, many researchers think that, given the geographic distribution of the infected machines and the very specific nature of the attack payload, the Stuxnet worm was written to attack and disrupt the Iranian nuclear programme, specifically its reactors. Some feel that it was targeting the Bushehr nuclear power plant while other think that the nuclear fuel centrifuge facility at Natanz was the target. The possible targets, along with the level of sophistication required to develop the malware suggests at a government-level effort, perhaps originating in the United States or Israel. While wild theories and attribution “proofs” will keep flowing for some time to come, it seems like a safe bet to say that proper attribution will remain elusive.
While Iran appears to be the main target, Indian interests might have suffered some collateral damage in the process. According to Symantec, an internet security firm, India had the third-highest infection rates, after Iran and Indonesia. However, before one jumps to the theory that India might also be an actual target, it is prudent to also note the numbers from Symantec about the percentage of Stuxnet-infected hosts with Siemens software installed—India occupied a distant seventh place, behind Iran, South Korea, USA, UK, Indonesia and Taiwan.
Jeffrey Carr, a noted authority on cyber security, suggested in a blog post published by Forbes that the glitch experienced by India’s INSAT-4B communication satellite on July 7th could be the handiwork of the Stuxnet worm. The glitch, attributed to a power supply anomaly in one of its two solar panels led to the shutdown of 12 of the 24 transponders on the satellite. Carr bases his hypothesis, partially at least, on the fact that the Indian Space Research Organisation (ISRO) is a Siemens customer and that two former engineers’ resumes seem to suggest that Siemens PLC and WinCC software were used by ISRO’s Liquid Propulsion Systems Centre.
For its part, ISRO has ruled out the possibility that Stuxnet could be the source of the trouble, stating that “INSAT-4B doesn’t have a PLC. So the chances of the Stuxnet worm attacking it appear remote.” Such an argument however does not pass muster though. The absence of PLCs onboard the satellite does not isolate the satellite from the worm. Given that INSAT-4B has been operational since March 2007, well before the estimated origin of the Stuxnet worm, the question of whether the hardware on the satellite is itself comprised does not arise. Rather, the question is whether any of the systems that interact with the satellite from the ground station, for example, passing commands and instructions that govern, say the deployment of the solar panels, use Siemens PLCs and further whether any of them were compromised.
This is not to say that the glitches are the result of Stuxnet. After all, the W2M satellite that ISRO built with EADS Astrium had similar problems when it was being moved from the test orbit to the intended orbit in 2008, leaving the satellite unavailable for service.
Whatever Stuxnet may or may not have done, its appearance in the malware and cyber security landscape has changed the scene for ever. Earlier, claims that industrial systems could be attacked using malware were considered outlandish. Post-Stuxnet, communication satellites, nuclear reactors and other industrial systems will be considered vulnerable. At the same time, Stuxnet has shown that digital confrontation is no longer about cyber-vandalism or cybercrime anymore. Its developers were not interested in either of them. The general consensus is that this piece of malware was specifically written to be used as a weapon in the cyber-war/cyber-terrorism arsenal of some entity, most probably a nation-state.
India’s apex security policy-makers must take urgent note of this development and its strategic implications. We might not have been the targets this time, but we could easily be the next time around. How should India defend against such cyber attacks on its critical infrastructure? Should India be developing such weapons? What will be the rules of engagement for using such cyber-weapons? How will collateral damage be controlled? Need it be controlled at all, especially given that attribution is so difficult? These are just some of the questions that Stuxnet has pushed to the forefront of the discussion. The days of cyber-warfare are nearer than what many thought they were.