Rightly or wrongly, the most talked-about issue in the security industry in 2010 has been Stuxnet. Some of this attention is rightly due to the attack’s sophistication, but even more is due to breathless speculation about “cyber-warfare,” the alleged links to Israel and Iran, and speculations about the foreign policy effects of Stuxnet. However, all this media attention tended to cloud the issue. Let me explain why.
There’s no doubt that Stuxnet is a highly sophisticated piece of malware that took significant time, money, and manpower to develop. However, in terms of impact, most users were not significantly affected. True, Stuxnet did spread to a lot of systems around the world. But for almost all of the affected systems, it wasn’t a big problem: it did not steal information, it did not peddle fake antivirus products, and it did not send out spam.
Nor is it completely accurate to say that Stuxnet heralded a new age of malware threats affecting “real-world” facilities. As early as 2003, the Slammer worm hit a nuclear facility in Ohio and shut down a monitoring system. The DOWNAD/Conficker worm hit multiple high-profile institutions, including hospitals (even infecting MRI machines), law enforcement agencies, and various military organizations.
What can be said about Stuxnet is that it marks the first time someone decided it was worth deliberately targeting a specific vendor’s SCADA platform. The technology to do so was already available; the motivation was not.
Attacks of this type are few and far between in today’s threat landscape. Currently, information theft is still the biggest problem around. Data-stealing malware accounts for the majority of the malware Trend Micro finds daily. For every Stuxnet infection we see today, we find thousands of incidents involving credential theft malware such as ZeuS and SpyEye.
Two separate lessons can be drawn from Stuxnet. For industrial control systems similar to those targeted by Stuxnet, it should serve as a huge wake-up call. Stuxnet hit “soft” targets that were not properly secured: they sat in the “interior” of their networks, and it may have been assumed that perimeter security would be sufficient. Ultimately, a network is only as secure as its weakest link. Therefore, computers and networks that are part of these industrial control systems will have to be hardened at all levels. Third-party applications that are frequently targeted by exploits, such as Adobe Flash Player and Reader, should always be kept up to date, or removed from these systems where possible. Even attacks via removable devices such as USB drives have to be considered and defended against. None of this is likely to be quick, easy, or inexpensive.
However, for users who are not in charge of critical systems, the danger from Stuxnet has to be placed in the proper context. Credential theft malware poses a far greater threat. In addition, it should be remembered that threats targeting critical systems are likely to be just that—targeted. The typical user is far more likely to encounter generic threats like credential theft and fake antivirus malware.
The bottom line is that while Stuxnet has enjoyed a great deal of media attention, it’s more significant as a warning to system administrators to secure critical systems—even the ones they think wouldn’t be exposed to malware—than as an actual threat. It’s a problem that has to be placed in the context of the greater malware threat, which sees tens of thousands of new threats every day, the vast majority of which end up stealing user information.