To Worry or Not to Worry About Icky Worms

Viruses, worms and Trojans are an unfortunate part of the computerized present—albeit not a pleasant part, which Siemens has been finding out all too personally this summer. But, should we really be all that worried about our smart grid’s cyber security, or are we panicking ourselves unnecessarily?

The Siemens thing: In June, the company discovered it was the specific and directed target of some nasty malware which uses a Microsoft Windows loophole dealing with shortcut files to latch on and download secure information from supervisory control and data acquisition (SCADA) systems using a leaked Siemens password. The sticking point, though, is that the worm is rather low-tech (relatively) in its delivery: The computer has to be physically connected to an infected USB stick (although there is also a possibility of it spreading via CDs and file-sharing). If someone views an item from that infected stick, the worm sneaks on out into the system, searching out information to copy.

 Named the Stuxnet worm, it seems to be hitting Middle Eastern and Asian countries the most. (Symantec Corp. revealed that over half of the systems impacted were specifically in Iran, but Indonesia and India have also seen a large set of Stuxnet issues, according to one IDG News Service report.)

 The worm itself was discovered by an antivirus company in Belarus named VirusBlokAda, which has labeled the worm “very dangerous” and noted that it could lead to a “virus epidemic” on the company website. But, how dangerous is it if I need to connect an infected part and then open something up by hand to create this issue? That doesn’t really sound like a system issue as much as a personnel issue, really.

Right now, according to Siemens spokespersons, the Stuxnet worm has not yet impacted any power generation SCADA system nor any T&D SCADA system.

"To our knowledge, only two industrial systems were affected by this [malware],” a Siemens spokesperson told me, and the fact that power-system SCADA networks weren’t impacted reveals the hearty backbone of those systems, according to Scott Gosnell, CMO with Tatsoft, a developer of software tools, products and services.

“This particular attack shows the strengths of current security technologies and protocols—the worm didn’t come in through a network vulnerability,” he noted.

Industry insiders warn, however, that utilities should not assume they are out of the woods just yet, even if the Stuxnet worm has avoided corrupting power systems this round. It is still spreading, and it won’t be the last threat by far. And, of course, there are other issues recently brought up around smart grid security, including a recent Pike Research report that points to smart meters as “the weakest link in the smart grid security chain” filled to the brim with juicy data that “could be successfully eavesdropped.” (Pike report: Smart Meter Security. Easy to find on their website pikeresearch.com.)

So, what’s a smart grid planner to do? Can he think ahead to the next malware? Can he plug all the security holes? Well, maybe he can’t do it all, but it seems that it is expected that he give it the ol’ college try, really.

“This is not the time to stick your head in the sand and say ‘it can’t happen here,’” said  GarrettCom President Frank Madren. “Cyber attacks on industrial control system are happening now and will probably increase.” Madren suggested best practices to prevent damange include a multi-pronged approach of good industry standards, technology and personal, targeted recommendations to fill in holes in a utility’s security program. It’s all about repetition. Never assume that all the holes have been covered. Always go back and check again and again. (In this way, malware is a lot like a zombie horde---always trying to get in a forgotten opening, an unchecked back door, an open window.)

Tatsoft’s Gosnell would add man to Madren’s best practices equation---keep him tech savvy and on top of things, ready for the onslaught.

“This [attack] also demonstrates that operational risks are an inherent part of running these systems,” Gosnell added. “One of your biggest potential problems comes from poor processes and policies at the human level. Maintaining good security hygiene at the human and social level complements good technical hygiene.”

Madren noted that North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) regulations help protect power utility substations from a variety of security issues, including worms like this one. They are incredibly comprehensive and offer a great amount of defense.

“However, no system is completely immune from creative new incursions.  Constant vigilance is required,” Madren said.

So, worry? Yes. Panic? Not helpful. Just keep one eye open … and try not to fall asleep and unconsciously let in those zombie malware hordes.