The Impact and the Vulnerability of the Stuxnet Worm - Case Study Example

?SCADA WORM SCADA Worm Affiliation Table of Contents Vulnerability of the SCADA 3 Methods to Mitigate the Vulnerabilities 5 Levels of Responsibility between Government Agencies and the Private Sector 6 Elements of an Effective IT Security Policy Framework 8 Conclusion 9 References 10 Introduction Stuxnet Worm is believed to be an extremely complicated and sophisticated computer worm, which was initially exposed in June 2010. In this scenario, Microsoft Windows was being used as a basic source for its dispersion, and its main target was Siemens’s engineering applications and equipment. However, it is not the first time when system hackers became successful in targeting engineering applications; it is the initially exposed malware that was discovered on and subverted industrial applications. It is as well the first worm which encompasses a programmable logic controller (PLC) root kit. Additionally, in the beginning Stuxnet worm dispersed without rhyme or reason; however, it incorporated a high level and sophisticated malware payload that was particularly designed to target Siemens supervisory control and data acquisition (or simply SCADA) systems that are intended to manage and observe detailed industrial procedures. In this scenario, Stuxnet infects PLCs by weakening the Step-7 software system that is employed to reprogram these systems (O'Murchu, 2012; Keizer, 2009; John, 2010; Masood, Um-e-Ghazia, & Anwar, 2011). This paper discusses the impact and the vulnerability of the SCADA/Stuxnet Worm in the critical infrastructure of the United States. This paper will also discuss some of the important methods to mitigate the vulnerabilities. This research will investigate the levels of responsibility between government agencies and the private sector for mitigating threats and vulnerabilities. Vulnerability of the SCADA This section outlines some of the major vulnerabilities regarding SCADA. Various research studies have shown that a range of vulnerabilities still exist inside SCADA systems. In this scenario, the majority of extensively publicized security based attacks on SCADA systems have taken place over the past few years as well as a large number of reports have been produced confidentially and publicly admitting issues and challenges securing similar systems. For example, SCADA system’s major vulnerability revealed itself when Japanese groups purportedly attacked control systems organizing commuter trains. Another major vulnerability attack was the Slammer worm that immobilized a security monitoring arrangement at Davis-Besse nuclear power plant located in the Oak Harbor, Ohio in the year 2003 (Swan, 2012; Fidler, 2011; Rebane, 2011). In addition, there are so many other instances of this attack, for instance a major vulnerability taking place due to an illegal intrusion through a previous, disgruntled worker into a worldwide chemical corporation attempting to cause damage. In the same way, Ira Winkler’s security based vulnerability instance in SCADA happened while conducting experiments at a power corporation network that was so flourishing that the test had to be stopped. Another major vulnerability in SCADA was identified due to the Sobig computer virus that influenced the CSX train signaling arrangement in the year 2003. Additionally, the disruption in collaboration and communication happened in Worcester, Massachusetts Air Traffic Communications system in 1997. SCADA vulnerability also happened due to foreign actors, where a cyber attacked a United States water plant in an obvious effort to achieve access as well as probably control of the significant corporate arrangement. In addition, the latest Stuxnet Worm that spreads extensively searching for exact SCADA applications and systems, supposedly attacking Iran’s Natanz nuclear arrangement, allegedly reasoning 1,000 centrifuges to spin out of control (Swan, 2012; Fidler, 2011; Rebane, 2011). Moreover, these above stated different vulnerabilities could have taken place due to some of the reasons (Swan, 2012; Fidler, 2011; Rebane, 2011): Activism Ego Espionage Revenge Creation of anarchy Financial gain Hence, it is necessary to decide what vulnerabilities currently exist in the system, how they influence SCADA systems processes and functionality, what strategies should be placed into place to stop similar penetrations, as well as what that influence it has on a business’s equipped capability (Swan, 2012; Fidler, 2011; Rebane, 2011). Methods to Mitigate the Vulnerabilities This section discusses some of the major initiatives that can be adopted to deal with vulnerabilities of SCADA. In this scenario, one of the standards that can be used to avoid such kinds of vulnerabilities is the US Computer Emergency Readiness Team (US-CERT) generic regulation of various standards and references on what is recognized as Control Systems Security Program (CSSP). In the same way, some important planning and policy research directions to protect SCADA applications are incorporated in publication TR99.00.01, which is developed and published by the Global Society of Automation. In this scenario, TR99.00.01 publication is a technical statement available in 2004 and entitled Security Technologies for Control Systems and Manufacturing (Swan, 2012; Rebane, 2011; Khelil, Germanus, & Suri, 2012). In addition, the use of physical system security procedures can help industrial sector prevent inner threats. These procedures can be adopted to monitor the security against possible outside threats, such as somebody trying to get access to a SCADA technology based arrangement by making use of wireless connection via an application or through illegal direct access to a system. Additionally, some of the efficient and correctly configured applications and hardware, for example, firewalls, are able to make sure that security procedures are correctly implemented to stop Internet users from getting access to industrial control systems. Moreover, to tackle one of the greatest fears of SCADA applications, if critical infrastructure does not require using access points, elimination of connection to all needless networks should be a most important strategy of the business. Furthermore, the evaluations, audits of vulnerability, and suitable training are an important part of standard strategy that make sure that systems are completely secure (Swan, 2012; Rebane, 2011; Khelil, Germanus, & Suri, 2012). Levels of Responsibility between Government Agencies and the Private Sector There are many combined (government and industry) attempts to develop the security of corporate management and control infrastructures. Additionally, a number of industries, such as oil and gas industries, chemical and water plants, are at present building programs for protecting their corporate arrangements. For example, the electric sector has adopted North American Electric Reliability Corporation (NERC) cyber security regulations for control systems. In fact, it is essential to implement the standards of North American Electric Reliability Corporation, and it is essential that all electric utilities are completely aligned with these standards (Tsang, 2011). In addition, the AGA (American Gas Association) has structured a set of documents which outline a wide variety of methods and tools to defend SCADA communications beside cyber incidents. In this scenario, the recommended technology based practice stressed assuring the privacy of SCADA collaboration and communications. In the same way, the API (American Petroleum Institute) includes more than 400 members from all areas of the oil and natural gas industry. In this scenario, the American Petroleum Institute standard offers a strategy for the workers of oil and natural gas pipeline arrangements for management of SCADA system reliability and safety (Tsang, 2011). Moreover, Government guided efforts and standards comprise the following main initiatives (Tsang, 2011). The Department of Energy has as well guided security attempts by implementing the national SCADA test divan program and building up a 10-year plan for securing control systems in the national energy sector. In this scenario, the technology based report recognizes four major objectives: (Tsang, 2011) Determine present security Build up and integrate defensive procedures Identify intrusion as well as implement response policies Maintain security developments Moreover, ISA is a newly developed society of industrial automation and control systems, which is building the ISA99 Industrial Automation and Control Systems Security Standards. Additionally, these standards are specifically designed for use in manufacturing and wide-ranging industrial controls. In addition, under the supervision of the Department of Energy, Sandia National Laboratories has developed the Center for Control System Security. This research center offers a number of test bed services, which permit real-world significant communications problems to be managed and modeled, simulated, designed, established, and validated. The basic purpose of building these research labs is to offer a research attention on resolving present control system security issues and building advanced generation based control systems (Tsang, 2011). Elements of an Effective IT Security Policy Framework There are many security schemes which are particularly designed to tackle security threats of SCADA arrangements. In this scenario, these schemes have been supported by all stakeholders involved in SCADA security. These stakeholders include vendors, system owners, academic organizations, advisors, sovereign associations, National Labs and bodies, and government groups. Additionally, SCADA system’s users need to be well aware of the quality of secure products. In the same way, technology vendors need to recognize security as a significant aspect that can be a make-or-break issue for their firm. In addition, government associations should give adequate funds to SCADA safety research. Once technology based products are prototyped, accesses to the National SCADA Test Bed offers an important established ground and possible credentials for marketing (Tsang, 2011; SCADAhacker, 2011; Blackhat, 2012; Hildick-Smith, 2005). Conclusion This paper has presented an analysis of SCADA Worms (Stuxnet). This worm is designed particularly to damage the industrial system. This research has highlighted the impact and the vulnerability of the SCADA/Stuxnet Worm on the critical infrastructure of the United States. This is one of the latest worms. This research has assessed some of the important methods to mitigate the vulnerabilities. This paper has also assessed the levels of responsibility between government agencies and the private sector for mitigating threats and vulnerabilities to our critical infrastructure. At present, government and private sectors are working closely to tackle these issues. This research has also presented the major elements of an effective IT Security Policy Framework. References Blackhat . (2012). SCADA Security and Terrorism: We are not Crying Wolf. Retrieved December 10, 2012, from http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf Fidler, D. P. (2011). Was Stuxnet an Act of War? Decoding a Cyberattack. IEEE Security and Privacy, Volume 9 Issue 4, pp. 56-59. Hildick-Smith, A. (2005). Security for Critical Infrastructure SCADA Systems. Retrieved December 09, 2012, from http://www.sans.org/reading_room/whitepapers/warfare/security-critical-infrastructure-scada-systems_1644 John, S. (2010, September 26). Stuxnet worm hits Iran nuclear plant staff computers. Retrieved December 08, 2012, from http://www.bbc.co.uk/news/world-middle-east-11414483 Keizer, G. (2009, September 16). Is Stuxnet the 'best' malware ever? Retrieved December 06, 2012, from http://www.infoworld.com/print/137598 Khelil, A., Germanus, D., & Suri, N. (2012). Protection of SCADA communication channels. Springer-Verlag Berlin Heidelberg . Masood, R., Um-e-Ghazia, & Anwar, Z. (2011). SWAM: Stuxnet Worm Analysis in Metasploit. FIT '11: Proceedings of the 2011 Frontiers of Information Technology (pp. 142-147). IEEE Computer Society. O'Murchu, L. (2012). Last-minute paper: An indepth look into Stuxnet. Retrieved December 10, 2012, from http://www.virusbtn.com/conference/vb2010/abstracts/LastMinute7.xml Rebane, J. C. (2011). The Stuxnet Computer Worm and Industrial Control System Security. Commack, NY, USA: Nova Science Publishers, Inc. SCADAhacker. (2011). Cyber Security Services for SCADA and Industrial Control Systems. Retrieved December 10, 2012, from http://scadahacker.com/services.html Swan, D. (2012). SCADA Systems: Vulnerabilities, Policies and Procedures. Retrieved December 10, 2012, from http://www.academia.edu/1792319/SCADA_Systems_Vulnerabilities_Policies_and_Procedures Tsang, R. (2011). Cyberthreats, Vulnerabilities and Attacks on SCADA Networks. Retrieved December 10, 2012, from http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf Read More