DUBAI (Reuters) - Global energy infrastructure is more vulnerable than ever in an escalating cyber war thanks to “sons of Stuxnet” electronic missiles, which can be created from the virus designed to sabotage Iran’s nuclear program.
Cyber espionage is on the rise, with Chinese hackers stealing field data and cutting-edge technology from energy companies around the world since at least 2009, according to leading security firm McAfee (part of Intel Corp).
But the biggest threat to everything from power grids to digital oilfields may come from malware based on the Stuxnet worm, widely thought to have been sponsored by western government agencies, security experts say.
Cyber weapons like Stuxnet that can take control of plants appear to be more of an operational danger than the recently discovered Flame virus, which seems designed to gather data.
“Stuxnet really showed people you could do this, that is the problem. I cannot imagine any major government agency not developing an offensive capability,” Eric Byres, a leading authority on critical infrastructure security, told Reuters.
Byres, who advises governments and multinationals on cyber security, said government agencies could seek to infiltrate energy infrastructure in case of political tension. “That is one of the risks, that we are weaponizing our entire energy industry, or leaving weapons inside it, just in case.”
Governments are concerned that energy and communications networks would be the first victims of any conflict with a cyber-savvy aggressor.
“It is believed that would be part of any form of warfare - that they would take out private sector infrastructures as part of knocking out a country,” said Paul Dorey, who managed BP’s digital security until 2008 and is now professor of information security at the University of London.
The stable relationship between the United States, Russia and China, means there seems little chance they will try to disrupt one another’s energy networks any time soon.
But Iran has been bombarded with cyber bugs during its intense nuclear standoff with the west, with the virus known as Flame detected in April and a worm called Duqu, designed to gather intelligence on industrial infrastructure for future attacks, found last year.
The United States is by far the biggest source of general malicious activity on the Internet, data from antivirus software maker Symantec Corp indicates, but targeted industrial espionage largely comes from Asia.
“Targeted attacks are increasing dramatically. It could be state sponsored or it could be just hacktivists or it could be a cyber criminal organization. But we know the number one target is government institutions and the second is manufacturing, including oil and gas,” Bulent Teksoz, Symantec’s chief security strategist for emerging markets said.
According to data from the Repository of Industrial Security Incidents, power and transportation companies see the greatest number of major cyber security problems. Most of those incidents result in some loss of production or equipment control.
Until Stuxnet, breaking into supervisory control and data acquisition (Scada) systems running most of the world’s industry was thought to be beyond most hackers.
Thanks to its groundbreaking code now leaked and freely available on the Internet, any competent cyber criminal group could use it to spear Scada security that controls vital infrastructure around the world.
“Stuxnet does provide a delivery vehicle, for non state actors to use, that is a direct threat to critical infrastructure,” said Alexander Klimburg, senior cyber security adviser at the Austrian Institute for International Affairs.
“They have to go and develop their own warhead but you have given them a cruise missile... It’s perfectly possible that Stuxnet could be adapted for cyber terrorism purposes and that is a real concern.”
Byres, who designed the leading industrial firewall system, said that although the original cyber weapon targets Siemens systems that controlled Iran’s Natanz centrifuges, its parts could be adapted to take control of any industrial controller.
It has had some impact on at least 22 other installations, including a U.S. metals factory, he said.
The mother of all Scada attacks is believed to have occurred 30 years ago, when the U.S. Central Intelligence Agency is said to have used a “logic bomb” to blow up a Siberian gas pipeline.
According to a book by former senior U.S. intelligence officer Thomas Reed, after discovering the KGB was trying to steal pipeline control software, the CIA planted a version that would cause the system to over pressurize and let the Soviets have it.
President Barack Obama warned in 2009 that “cyber intruders” were probing the U.S. power network and that foreign intelligence services were behind some intrusions. In March the U.S. Department of Homeland Security identified a series of attacks on natural gas pipeline operators.
“We believe it is only a matter of time before someone employs capabilities that could cause significant disruption to civilian or government networks and to our critical infrastructure,” General Keith Alexander, head of the U.S. Cyber Command, told a senate committee hearing on March 27.
A spokesman for the U.S. Department of Homeland Security declined comment for this article. The agency’s Industrial Control Systems Computer Emergency Response Team is charged with responding to cyber attacks on energy plants and other critical infrastructure.
A U.S. Department of Defense report said this month that cyber spying was done by intelligence services, private sector companies, and individuals from dozens of countries, but that it expected China to remain an “aggressive and capable” collector.
“Chinese attempts to collect U.S. technological and economic information will continue at a high level and will represent a growing and persistent threat to U.S. economic security.”
U.S. cyber defense chief General Alexander told the committee that Chinese hackers were responsible for a raid in early 2011 on RSA, makers of the SecurID system used by many large companies to access private networks.
The codes and control servers used in the U.S. gas grid attacks match those used to break into RSA, Byres said.
Night Dragon, so called because U.S. security firm McAfee noticed the data raids took place from Beijing-based IP addresses on weekdays from 9.00 am to 5.00 pm Beijing time, was the first known coordinated attacks on global energy companies.
Night Dragon, reported in 2011, focused on stealing information on potential oil and gas reserves and new technologies from western energy companies, valuable information for rivals competing for exploration licenses around the world.
Modern “digital drilling rigs” with their multiple external connections to critical onboard systems, and the roll out of “smart meter” systems linking consumers and power generators via two way communication lines, are new potential weak spots.
“The attackers are getting more skilled and we are increasing the vulnerability,” Justin Lowe, an energy security specialist at PA Consulting Group told the conference.
“We are putting more systems out there which are attackable.”
Additional reporting by Jim Finkle in Boston. Editing by Philippa Fletcher and M.D. Golan