The Stuxnet virus was first identified in 2010 by German researcher Ralph Langner, and in the year since the discovery, Langner says little to nothing has been done to protect critical infrastructure systems from similar attacks against our own networks.
Stuxnet is a highly sophisticated designer-virus that wreaks havoc with SCADA systems, which provide operations control for critical infrastructure and production networks. The initial attacks are thought to have caused severe damage to Iranian uranium enrichment facilities, setting back the nation's nuclear weapons program by as much as several years.
Iran is still struggling with the aftermath of the Stuxnet virus attacks more than a year after the infestation was discovered. The virus specifically targeted Siemens Programmable Logic Controllers (PLCs) used to control uranium enrichment centrifuges, but Langner says the code could easily be adapted to target other command and control systems.
"Last year, after Stuxnet was identified as a weapon, we recommended to every asset owner in America – owners of power plants, chemical plants, refineries and others – to make it a top priority to protect their systems... That wakeup call lasted only about a week. Thereafter, everybody fell back into coma," Langner told The Christian Science Monitor in a recent interview.
Langner warns that there could be dire consequences, including the very real chance that similar attacks could eventually result in the loss of human life, if the parties responsible for critical infrastructure control systems security fail to act immediately.
"Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don't have any significant level of cybersecurity for them," Langner said.
Langner laments that there has been little to no decisive action taken on the part of the Department of Homeland Security and the administrators of networks that control complex systems integral to maintaining a safe critical infrastructure. One year later, the same vulnerabilities still exist.
"The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks.... With every day [that] cyber weapon technology proliferates, the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares," Langner stated.
The problem comes down to a lack of committed resources and the failure of leadership to recognize the severity of the threat, which is routinely discounted as being far-fetched and highly improbable.
"Most engineers are aware of the problem, it's just that they don't get the budget to fix the problem. The risk is just discounted. As long as management doesn't see an immediate threat, there is a tendency to ignore it because it costs money to fix," Langner explained.
In an effort to dispel notions that a Stuxnet-type attack requires a high level of sophistication and a great deal of proprietary knowledge of the targeted systems, Langner released four lines of code in a proof-of-concept exercise that showed just how easily aspects of the Stuxnet virus could be adapted for widespread use in subsequent attacks against our own networks.
"I couldn't stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened."
Langner believes that authorities must adopt a new strategy for cyber offensive tools, and that they cannot simply attempt to apply a conventional model of weapons monitoring to this new generation of cyber armaments.
"I'm afraid cyber-arms control won't be possible... It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first."