1. The Stuxnet malware was directed at the industrial control system of the Iranian nuclear research center. Could it also affect SCADA systems connected with energy infrastructure? If so, how?
STUXNET malware could also affect SCADA systems connected with energy infrastructure. The malware made the headlines in July when security experts found out that the worm’s design was intended to exploit vulnerability in computers running Microsoft Windows to either disrupt or steal industrial secrets. According to Weiss (2010), experts observe that the worm was created from the bottom up with the aim of attacking SCADA systems or systems that manage complex industrial networks such as chemical manufacturing facilities and power plants. Baker (2012) refers to STUXNET as the “SCADA security game changer”, while noting that the very nature of SCADA systems makes it difficult for cyber attacks. When STUXNET penetrates the system, it is capable of exploiting Siemens SIMATIC Default Password Security Bypass Vulnerability and thus can gain access to the database. This makes it possible for an attacker to view the database. For example, in the Iranian Nuclear facility case, STUXNET targeted an air-gapped infrastructure, rewriting the PLC code for the Siemens SCADA systems. Therefore, STUXNET can affect SCADA systems.
2. Control systems are not only connected to processes that distribute energy, they also are part of building systems designed to conserve energy. Are these at risk as well? How?
Usually, control systems are incorporated in the building systems with the aim of conserving energy. However, these systems do pose risks as well. For example, Harris & Tschudi (2006) observes that many control systems are often connected to the internet so as to enable remote management. This is usually done without putting in place the appropriate security measures. As such, attackers constantly look for potential vulnerabilities in such systems. Systems that are poorly secured pose serious security risks. The risks include: unauthorized individuals can be able to manipulate controls; unauthorized individuals might be able to access sensitive information and data and; this information can be used in the plotting of physical attacks such as bombings (National Cyber Security Centre, 2012). When attackers are able to access these systems, they can obtain critical information regarding the buildings such as vulnerable points that can be exploited. Therefore, control systems in buildings both pose threats of cyber attacks as well as physical attacks.
Baker, J.A. (2012) Cybersecurity Issues and Policy Options for the US Energy Industry. Baker Institute Policy Report, Number 53, pp. 1-16.
Harris, J., Tschudi, W. & Dyer, B. (2006) Securing Buildings and Saving Energy. Energy Efficiency and Renewable Energy, 2006, pp. 1-10.
National Cyber Security Centre. (2012) Security Risks of Online SCADA Systems. Ministry of Security and Justice, Factsheet FS-2012-01, pp. 1-4.
Weiss, J. (2010, September 14) Stuxnet Worm Far More Sophisticated Than Previously Thought. KrebsonSecurity, 2010. Retrieved from http://krebsonsecurity.com/2010/09/stuxnet- worm-far-more-sophisticated-than-previously-thought/