Is STUXNET just a flash in the pan?

Are American industries, particularly heavily automated systems, immune or highly vulnerable to major shutdowns from STUXNET-type viruses?

I’m thinking they are vulnerable. I’ve never seen anything that a virus can’t be designed to take down. Even Linux systems are now vulnerable to USB plug-in attacks that could evolve into botnet disasters.

What are the odds that industrial sabotage viruses will proliferate?

Yes, everything is vulnerable to one degree or another. It’s an arms race.
Yes, we’ll see more attacks like that, carried out both by corporations and nation states.

Welcome to the future.

The STUXNET virus was a major production, with significant funding behind it. The developers also, likely, had access to implementation details of proprietary software and hardware which would be unavailable to an organization which didn’t have the trust of the company which develops those products. Obtaining that information without the other company physically giving it to you would require massive reverse engineering (which is generally going to be infeasible) or actual espionage.

STUXNET may be the start of corporate and military warfare via viruses, but I don’t think it’s the start of something that will affect most of us.

25 years ago I could take over almost every commercial computer system simply by knowing what the OS was. Very rarely did anyone change the default system password. STUXNET was effective based on that same kind of open simplicity. Anyone can steal a car if the keys are left in it.

Despite the hyperbolic claims of complexity in STUXNET, it was effective only because a well known industrial control system was surreptitiously modified to perform differently than intended while reporting that it was operating normally. This could be done to any system which had no safeguards against such modification, which is almost all of them.

Because people are naturally short-sighted, the simple precautionary counter-measures will fail, and STUXNET-type attacks will occur several more times. Eventually someone will catch on to the complexity of the problem, new systems will be created that involve sufficiently complex anti-sabotage measures so that simple failures and denial-of-service attacks will be the only approaches worth investing in, and STUXNET will disappear among the other short branches of history.

There’s an old axiom that covers this: in the battle between bombs and armor, bombs always win in the end.

If someone can write code, somebody else can alter it for their own purposes. How many times have we seen that, from Apple iPhones being jailbroken mere hours after release to complicated copy protection being defeated immediately after it is applied?

The more likely solution is system isolation. If they can’t access the system remotely they have to do it physically, something much more difficult to do. But as long as people have a way to access systems remotely a determined unauthorized person can get into it and mess it up.

Two lives ago I was at a non-profit that worked w/DHS (a piece that eventually became NPPD), on a classified program, that was designed specifically to protect PCS/SCADA systems against this kind of stuff. Believe me when I tell you, the good guys are on the ball.

I’m guessing we didn’t escrow the code at the Tehran branch of Iron Mountain… :)

Once you have physical access to a machine, yes, so long as you have enough money and time you can crack it eventually (presuming it isn’t an explosive – but that comes under the “enough time” heading). I’d disagree, however, that remote access necessarily equates to vulnerability. If you have long enough passwords and lock accounts after several unsuccessful login attempts, you’re effectively as safe as you’ve any desire to be. It’s simply a game of probabilities. If you give people 100 login attempts before you lock their account, but make the password any value between 0 and 10,000,000,000,000,000,000,000,000,000,000,000,000, and transmit credentials via secure means, then there simply isn’t any getting in unless you resort to espionage and steal a password.

For that matter, the Iranian centrifuge systems were already isolated, and were in fact attacked via physical access. Best guess anyone has is that one of the techs (presumably unknowingly) brought in Stuxnet on a thumb drive that he plugged into the system.
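The post above argues that remote access is "a game of probabilities": a lockout threshold caps how many guesses an attacker gets, and a large enough password space makes those guesses worthless. The calculator below is an added example, not code from anyone in this thread, that puts numbers on that argument so a defender can compare lockout policies. It assumes secrets are chosen uniformly from the stated keyspace, that guesses are distinct, that accounts are independent, and that an attacker simply waits out each lockout window and resumes; the policy figures (a 10^37 keyspace with 100 attempts, a 4-digit PIN, an 8-character lowercase password with a 30-minute lockout) are constructed for illustration. It models online guessing only; a stolen password, the espionage case the post mentions, is outside the model.

```python
"""Estimate online-guessing exposure under an account-lockout policy.

Constructed example: the keyspaces, thresholds and windows below are
illustrative, not measurements of any real system.
"""
import math


def keyspace_bits(keyspace: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `keyspace` values."""
    return math.log2(keyspace)


def p_single_account(keyspace: int, attempts: int) -> float:
    """Probability that `attempts` distinct uniform guesses hit one account's
    secret before the attacker runs out of tries. Guessing without
    replacement makes this exactly attempts / keyspace (capped at 1)."""
    return min(attempts, keyspace) / keyspace


def p_any_account(keyspace: int, attempts: int, accounts: int) -> float:
    """Probability that an attacker with `attempts` guesses against each of
    `accounts` independent accounts compromises at least one.

    Uses log1p/expm1 so the result stays accurate when p is ~1e-35, where
    1 - (1 - p) ** accounts would round to exactly 0.0 in double precision."""
    p = p_single_account(keyspace, attempts)
    if p >= 1.0:
        return 1.0
    return -math.expm1(accounts * math.log1p(-p))


def attempts_over_time(threshold: int, window_minutes: int, days: int) -> int:
    """Guesses available against one account when lockout releases after
    `window_minutes`, assuming the attacker resumes after every unlock.
    A permanent lockout (window_minutes <= 0) yields exactly `threshold`."""
    if window_minutes <= 0:
        return threshold
    windows = (days * 24 * 60) // window_minutes
    return threshold * windows


def policy_risk(keyspace: int, threshold: int, window_minutes: int,
                days: int, accounts: int) -> dict:
    """Summarise a lockout policy as a defender would review it."""
    attempts = attempts_over_time(threshold, window_minutes, days)
    return {
        "bits": keyspace_bits(keyspace),
        "attempts_per_account": attempts,
        "p_one_account": p_single_account(keyspace, attempts),
        "p_any_of_accounts": p_any_account(keyspace, attempts, accounts),
    }


if __name__ == "__main__":
    # Constructed policies for comparison.
    policies = {
        # The post's figure: ~10^37 possible passwords, 100 tries, hard lock.
        "post's example (10^37 keyspace, 100 tries, permanent lock)":
            policy_risk(10**37, 100, 0, 90, 1),
        # A 4-digit PIN with the same 100-try allowance across 1000 accounts.
        "4-digit PIN, 100 tries, permanent lock, 1000 accounts":
            policy_risk(10**4, 100, 0, 90, 1000),
        # 8 lowercase letters, 5 tries, auto-unlock after 30 min, 90 days.
        "8 lowercase chars, 5 tries / 30 min, 90 days, 1000 accounts":
            policy_risk(26**8, 5, 30, 90, 1000),
    }
    for name, r in policies.items():
        print(f"{name}\n  entropy {r['bits']:.1f} bits, "
              f"{r['attempts_per_account']} attempts/account, "
              f"P(one) = {r['p_one_account']:.3g}, "
              f"P(any) = {r['p_any_of_accounts']:.3g}")
```

The second and third policies show where the post's argument turns: the keyspace matters far more than the threshold, and an auto-unlock window hands the attacker thousands of extra tries, so a weak password with a "strict" 5-attempt lockout still ends up at a measurable risk across a large account population.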

How easy is it to isolate a factory or power plant? Power plants are connected to the power grid. Control of factories from afar is highly tempting, especially if it’s automated.

http://en.wikipedia.org/wiki/Gary_McKinnon

People today, even top secret government servers, still don’t change the password that comes with the system.

There’s nothing in that article that says that he accessed top secret servers.