In 2010, news started to filter out of Iran that a software worm called Stuxnet had attacked computer systems at several of the country’s nuclear testing facilities. Thousands of centrifuges were wrecked, causing massive delays to Tehran’s uranium enrichment programme.

Worms such as Stuxnet are malicious pieces of software, or malware, that replicate themselves to affect computers and systems. Stuxnet specifically attacked the networks of Iran’s nuclear facilities, causing essential hardware to malfunction. Accusations were soon being levelled at Western government agencies by Iran claiming they were responsible for carrying out cyber-terrorism. The US and Israeli governments did little to refute suggestions they were responsible.

The technical expertise that goes into the initial programming of cyber-terrorism weapons such as Stuxnet is as extensive as it is ingenious and need not be isolated to Iran or nuclear plants. Any facility operated by an industrial control system is potentially at risk from such malware.

Cyber-warfare in the Middle East

For the Middle East, this means any of the major oil producers in the region could see output grind to a halt if targeted. Power stations and industrial facilities could shut down and national grids fail as a result of a cyber-terrorist attack. Many of the region’s oil and gas firms have already had to cope with such assaults.

“This is high-level cyber-warfare and there is no better way of taking down a company or country than attacking its control networks,” says Tareque Choudhury, Middle East and Africa chief security officer and head of professional services at the UK’s BT Advise, which guides oil and gas companies on IT security issues. “The dependency on a network is so critical to any organisation that the malware focuses its attack on that and this can prove devastating if steps are not taken to stop it.”

Stuxnet’s attacks on Iran’s atomic energy facilities saw the worm infect the software that looks after the supervisory control and data acquisition (scada) systems of nuclear plants.

The worm instructed the industrial control systems that governed Iran’s nuclear facilities to operate outside their normal parameters. This, in turn, caused centrifuges to fail and set back Tehran’s nuclear aspirations by months.

Every plant in every sector uses an industrial control system to run day-to-day operations. In facilities including offshore rigs or refineries this is usually a small box that has been programmed to collect data from electronic sensors located across the plant. The data is processed by the scada system and relayed back to a member of the operations team, or used to regulate systems such as thermostats, flow controls and centrifuges.

The Stuxnet malware was specifically aimed at the Step 7, or S7, system built by Germany’s Siemens. S7 control boxes linked to the internet were located by a search engine called Shodan, created in conjunction with Stuxnet. Anything controlled by an S7 can be targeted, and to date Shodan has located and mapped an estimated 100 million controllers worldwide.

“Stuxnet marked a turning point for the entire automation industry, turning theoretical problems into headlines,” says a spokesman for Siemens. It also led to extensive research on systems made by the firm’s competitors and all were found to have similar security flaws.

“There will never be an end-point when it comes to industrial security threats, but companies can better protect their systems by staying up-to-date with the research community, following the guidance of governmental agencies, and by working with responsible, technologically-innovative vendors,” says the spokesman.

Siemens has since announced wide-ranging measures to increase the security of its industrial control systems.

Sensitive energy company information

The threat is relatively new. “In the past, these systems would not have been connected to the internet, so they would be completely safe from malware such as Stuxnet,” says Choudhury. “That is not the case any more and any companies that do not want these viruses infecting their systems need to take far-reaching precautions to prevent this from happening.”

Stuxnet is not the only worry for the IT teams tasked with protecting industrial facilities. In May, reports emerged that another sophisticated worm called Flame had been targeting corporations, in particular, global energy companies working in the Middle East. Flame was discovered by Russia-based IT security firm Kaspersky Labs. The company’s scientists say Flame is up to 20 times more complicated than Stuxnet.

Flame’s code was similar in part to Stuxnet, but its aim appears not to have been sabotage. Its prime directive was to harvest sensitive information from the databases of energy firms across the Middle East, such as project financing accounts, production figures for oil and gas fields, and details of the technology used to operate plants. Flame monitored keystrokes and Skype calls, harvested contact information from Bluetooth devices and could even switch on computers’ microphones to listen in on nearby conversations. It collected data and sent it back through encrypted pathways to its creators.

“The danger today is that most of the oil and gas infrastructure in the Middle East is connected to the internet,” says Choudhury. “This leaves it open to an attack from malware.”

In the energy industry, harvesting information about a major producer’s oil and gas infrastructure could result in the kind of cyber-terrorism carried out against Iran’s nuclear facilities. The results could be devastating. If, for example, an attack lowered Saudi Arabia’s oil production by even 10 per cent, a million barrels a day of oil output would be lost, which could have a major impact on the global economy. An attack on an offshore rig could cause an ecological disaster.

Security measures against malware

The computer code for Flame could take up to 10 years to decipher. Until then, the full extent of its capabilities will not be known. Its implications are already driving organisations to action. Governments are scrambling to improve the security of their vital industries. In the Middle East, improving the virtual checks surrounding oil and gas infrastructure is key. Choudhury estimates that most large national oil companies spend more than $10m a year protecting their networks with security measures.

Not every system is as vulnerable as an S7. Due to the sheer scale of operations, much of the information technology attached to the region’s oil, gas and industrial plants is custom-made technology. Attacks on scada systems require intimate knowledge of how they work so that hackers can create code to attack them.

Security measures to protect against cyber attacks are not so different from the measures taken to prevent a facility being physically attacked. The first step is to set up a perimeter around the network in the form of a computer firewall to monitor incoming and outgoing network traffic. This will stop most malware attacks. Behind the firewall is an intrusion prevention device, backed up by extensive password and encryption systems on the actual network.

“It is all about restricting access as much as possible,” says Choudhury. “If you were a bank, you would not allow unlimited access to the vault and this is exactly the same principle.” He adds that all companies should look not only to tighten access to essential network systems, but also to log all users and look for unusual patterns that could indicate security is being breached.

Human access is as much a worry as digital loopholes. If a company allows easy access to its systems information, then it is leaving itself open to attack.

Eric Byres, chief technical officer and vice-president of engineering at Canada’s Tofino Security Products, writes firewall software for industrial facilities. In a white paper on improving the security of scada systems, he says training personnel to be aware of the dangers, carrying out regular assessments of the system and installing stringent document control and access systems are all necessary. The scada system should be segmented into separate security zones to contain any breaches.
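The access-restriction advice above (log all users, look for unusual patterns) and the zone-segmentation advice can be checked mechanically. The following is an added example, not code from the article, BT Advise or Tofino: a Python audit over constructed access-log lines that flags flows crossing zones the policy does not permit, control-zone access outside shift hours, and repeated failed logins. The zone address ranges, the log format, the permitted zone pairs and the 06:00-18:00 shift window are all assumptions for illustration.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed zone model: three network segments and the zone-to-zone flows the
# control-network firewall is meant to permit (constructed policy, not the article's).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}
# Corporate users reach only the DMZ; only the DMZ (e.g. a jump host) reaches control.
ALLOWED = {("corporate", "dmz"), ("dmz", "control"), ("control", "control")}

def zone_of(ip):
    """Map an address to its zone name, or 'external' if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def parse(line):
    """Parse one constructed log line: '<ISO time> user=<u> src=<ip> dst=<ip> result=<ok|fail>'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec

def audit(lines, fail_threshold=3):
    """Return (reason, record) findings for zone-policy violations and unusual patterns."""
    findings = []
    fails = Counter()
    for rec in map(parse, lines):
        src, dst = zone_of(rec["src"]), zone_of(rec["dst"])
        if (src, dst) not in ALLOWED:
            findings.append(("zone violation %s->%s" % (src, dst), rec))
        if dst == "control" and not 6 <= rec["time"].hour < 18:
            findings.append(("control access outside shift hours", rec))
        if rec["result"] == "fail":
            fails[rec["user"]] += 1
            if fails[rec["user"]] == fail_threshold:
                findings.append(("repeated failed logins", rec))
    return findings

# Constructed sample log: one clean DMZ-to-control session, one direct corporate-to-control
# connection, one night-time control access, and three failed logins by the same user.
SAMPLE_LOG = [
    "2012-06-01T09:15:00 user=eng1 src=10.20.0.5 dst=10.30.0.10 result=ok",
    "2012-06-01T10:02:00 user=acct2 src=10.10.4.7 dst=10.30.0.10 result=ok",
    "2012-06-01T02:40:00 user=eng1 src=10.20.0.5 dst=10.30.0.11 result=ok",
    "2012-06-01T11:00:00 user=acct2 src=10.10.4.7 dst=10.20.0.5 result=fail",
    "2012-06-01T11:00:20 user=acct2 src=10.10.4.7 dst=10.20.0.5 result=fail",
    "2012-06-01T11:00:45 user=acct2 src=10.10.4.7 dst=10.20.0.5 result=fail",
]
```

Running `audit(SAMPLE_LOG)` yields three findings: the corporate-to-control flow, the 02:40 control access, and the third failed login for acct2; the first line passes every check.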

The Middle East’s largest oil producers have embraced these security measures and they have been backed by countries outside the region that realise a major loss of oil production in the Middle East could have implications around the world.

The issue of who to blame for the creation of malware such as Stuxnet and Flame has been the basis of much speculation over the first half of 2012. Due to the complexity and sophistication of the worms and their targeting of Iran’s nuclear programme, the Islamic republic was quick to blame security agencies from the US and Israel for the attacks. Officials from those countries implicitly admitted involvement in Stuxnet in 2012, but the origins of Flame have yet to be determined.

Asset protection from malicious software

The two worms prove that writers of malware are getting more skilled at developing software that can attack almost any kind of industrial or commercial facility, causing damage that could cost a country or company billions of dollars.

Businesses and governments are making their systems and networks more secure, but anything connected to the internet can potentially be attacked by malware. In the online age, there is no escaping this and it is highly likely that hackers are developing newer, more effective malware aimed at paralysing infrastructure or shutting down major industrial plants.

“Five years ago, no one would have believed something as complex and far-reaching as Flame was yet possible, but the reality is that it was probably being written then,” says Choudhury. “There could even be something more complex than Flame circulating on the internet right now, so every company needs to be aware of the risks and to take every measure possible to protect their assets.”

Key fact

Flame is up to 20 times more complex than Stuxnet used in the cyber attacks against Iran

Source: Kaspersky Labs