Stux-NOT – No Evidence in Power Plant Shutdown of State-Sponsored Effort Yet


Reports that came out today of the virus that shut down an unnamed power plant cannot necessarily be associated with a state-sponsored attack at this point.  While no doubt a significant and critical event that we should pay heed to, there are a number of issues with labeling this as something parallel to Stuxnet.  Stuxnet emerged into consciousness as possibly the first state-sponsored cyberweapon.  Its purpose and nature were unmistakable: to attack Iranian nuclear development efforts.

There are a number of informal qualifiers for calling any outbreak a state-sponsored effort.  Stuxnet was discovered to have attacked a specific spectrum and type of computer system.  To start, the systems targeted by Stuxnet were specific systems that controlled uranium enrichment equipment.  Stuxnet was also designed to avoid detection for as long as possible, using stealth tactics to mask its activity and evading antivirus detection while it did its work.  Stuxnet was also controlled by a command and control network, further indicating that this was clearly not a rogue infection.  Most significantly, Stuxnet was designed to physically destroy the centrifuges used to produce usable nuclear material, and to set back the development effort by altering the conditions under which the centrifuges ran.  Surely, the investigation must have looked, or is looking, for evidence of sophisticated efforts of that kind to take out these power plants.

The simple presence of a virus that broke out at a power plant and kept it offline cannot, at this point, be considered a state-sponsored event just yet.  The virus itself may have been an oversight of some kind, or a USB drive that picked up a virus from any number of sources.  The real issue here is the procedure that allowed that to happen at all, namely the introduction of a USB drive.  There are a number of controls that effectively disable USB on these systems, and there is probably some evaluation going on to implement these restrictions.  Systems are vulnerable at a number of points, and the worst of them in any scenario is the human element.  ICS-CERT, a component of the DHS, recently reported that it had documented some 200 incidents in 2012 that were targeted specifically against employees in the energy sector.  Such reports highlight the need for continued vigilance and thorough investigation of particular incidents.  This latest news may prove to be an effective fire drill for a potential next significant cyber-event on domestic ground.
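One host-level control of the kind the paragraph refers to, as an added example that is not from the original post: on a Linux host, a modprobe policy that refuses to load the `usb-storage` driver stops a removable drive from mounting at all, and an audit function confirms the policy is actually in force. The file name `block-usb-storage.conf` and the default directory `/etc/modprobe.d` are assumptions; pass another directory to try it without touching the live system.

```shell
#!/bin/sh
# Added example (not from the original post): write and audit a modprobe
# policy that prevents the Linux usb-storage driver from loading, one way
# to keep an unvetted USB drive from ever mounting on an ICS host.
# The directory defaults to /etc/modprobe.d; pass another path to dry-run.

# Write the policy file (file name is an assumption for this example).
# "install <module> /bin/false" makes modprobe run /bin/false instead of
# loading the module, so even an explicit load request fails; a bare
# "blacklist" line only stops automatic loading by alias.
write_usb_storage_policy() {
    dir="${1:-/etc/modprobe.d}"
    mkdir -p "$dir" || return 1
    printf '%s\n' \
        '# Block USB mass storage: removable media is not permitted on this host' \
        'blacklist usb-storage' \
        'install usb-storage /bin/false' \
        > "$dir/block-usb-storage.conf"
}

# Audit: return 0 when some .conf file in the directory carries an
# effective "install usb-storage /bin/false" (or /bin/true) line, else 1.
# modprobe treats "-" and "_" in module names as equivalent, so both are
# accepted. A blacklist-only policy is reported as a warning, not a pass.
usb_storage_blocked() {
    dir="${1:-/etc/modprobe.d}"
    [ -d "$dir" ] || return 1
    if grep -Eqs '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(false|true)' "$dir"/*.conf; then
        return 0
    fi
    if grep -Eqs '^[[:space:]]*blacklist[[:space:]]+usb[-_]storage' "$dir"/*.conf; then
        echo "WARN: usb-storage is blacklisted but not install-blocked in $dir" >&2
    fi
    return 1
}

# Live check: is the driver loaded right now? (0 = loaded, 1 = not loaded)
usb_storage_loaded() {
    grep -qs '^usb_storage ' /proc/modules
}
```

Blocking the driver is only one layer; the policy still needs to be paired with the procedural control the paragraph calls for, so that no drive is introduced in the first place.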