US infrastructure vulnerable to Stuxnet-style attacks

Utilities, oil and gas manufacturing are especially vulnerable

An independent security researcher has issued warnings through the federal U.S. Computer Emergency Response Readiness Team that utilities, traffic-management systems and other organizations in the U.S. are vulnerable to the same type of attacks that bedeviled Iran's nuclear development program in 2009 and 2010. According to researcher Luigi Auriemma, who posted the results on his Web site and on Bugtraq, four leading SCADA (supervisory control and data acquisition) systems contain security flaws, bugs and other vulnerabilities that can be exploited by remote users connecting through the Internet.

The standout of the four products is Siemens' Tecnomatix FactoryLink – an obsolete pharmaceutical and metals manufacturing application that Siemens has announced it will replace by 2012 with a newer application called WinCC.

Oddly, WinCC is the application the Stuxnet virus targeted when it attacked the Iranian nuclear facilities.

The other products that appear vulnerable are the oil/gas/pharmaceutical industry applications Genesis32 and Genesis64 from Iconics, software from utility automation developer 7-Technologies, and RealFlex from oil/utility/transport software developer Datac.

Unlike flaws in most other types of software, SCADA vulnerabilities carry the risk that exploits could have direct, disastrous impact in the real world, rather than just the virtual one.

The Stuxnet virus, for example, attacked SCADA applications running on Windows computers, changing the way they interacted with thousands of high-speed centrifuges used to process nuclear materials to ensure the centrifuges were spinning at the wrong speeds, making them less effective.

The result was to hinder Iran's nuclear development effort. If the effect were a little more drastic, the result could have been to destroy the centrifuges, expose workers to radioactive material or cause other catastrophic problems in the fuel-refining process.

It's not as if those opposed to Iran's nukes avoid such drastic action. Two top Iranian nuclear scientists were murdered under suspicious circumstances during 2009 and 2010 and a third was critically wounded.

Iranian officials charge that Stuxnet was developed and released by Western powers, probably Israel and the U.S. Israeli officials have acknowledged testing Stuxnet after it was found in the wild, but have been cagey about what other involvement Israel might have had.

Iran responded by expanding the militia it dedicates to cyberwar systems.

Terrorists attacking SCADA systems in the U.S. could potentially hinder or destroy automated industrial systems in hydroelectric dams, oil-refining facilities, water-processing facilities, traffic systems and other systems that make the real world work.

Hacking banks or the cell phones of celebrities may be sexier exploits because they make the hackers rich or famous. If they're serious about attacking the U.S. and making a real impact – killing people, damaging the economy or civil infrastructure – SCADA systems are the way to go.

Today's news just confirms what security experts thought – that SCADA systems running U.S. industrial facilities are vulnerable, and so are the people who rely on them.

Kevin Fogarty writes about enterprise IT for ITworld. Follow him on Twitter @KevinFogarty.
