Security experts have been able to replicate quickly and inexpensively last year's high-profile attacks on computerized industrial control equipment in power plants in Iran – breaches that were known at the time as being so sophisticated they could only have been pulled off by a nation-state or a well-financed group of investors, according to the Associated Press.
The news could predict a new round of attacks on facilities that utilize electronic controller systems like the ones that were targeted by the Stuxnet worm in Iran.
In September of 2010, computer security company Symantec said that the Iran attacks "would not be easy for a normal group to put together," and would have to be initiated by individuals with intimate knowledge of industrial control systems.
But a year later, security researchers like Dillon Beresfordr have identified as many as a dozen vulnerabilities in the same kind of industry controllers as those used in Iran. What is worse, Beresfordr did it on his own in just two months, while investing only $20,000 in the project, says the AP.
"What all this is saying is you don't have to be a nation-state to do this stuff. That's very scary," Joe Weiss, an industrial control system expert, told the news source. "There's a perception barrier, and I think [Beresfordr] crashed that barrier."
The difficulty with mitigating attacks like those against Iran is that industrial controllers are very expensive and have large shelf-lives. This makes replacing the systems a major project for every company, government or facility that utilizes them.
Unfortunately, the AP references several examples of consulting firms that found multiple vulnerabilities in power plants, correctional facilities and other U.S.-based institutions that rely on industrial controllers.
Compounding the report is the fact that researchers have identified a new malicious program based on the infamous Stuxnet worm. Symantec – which discovered the malware, dubbed Duqu – said that it shares a lot of Stuxnet's code and compares equally in terms of sophistication.
“Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party,” the Symantec researchers said. “The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."
So far, Duqu has only affected a few organizations in Europe, says Symantec.
Beecher Tuttle is a TechZone360 contributor. He has extensive experience writing and editing for print publications and online news websites. He has specialized in a variety of industries, including health care technology, politics and education. To read more of his articles, please visit his columnist page.
Edited by Rich Steeves
