Stuxnet issues rumble on as vulnerabilities remain

Software attacked by Stuxnet still has vulnerabilities, security company claims

Stewart Mitchell
9 Nov 2012

The fallout from Stuxnet continues to rumble on, with security companies claiming similar flaws in other industrial control systems and another victim of the original cyber weapon emerging.

Stuxnet has been widely claimed as the first cyberwar weapon following attacks on Iran's nuclear programme believed to have been undertaken by US and Israeli forces.

Yet more than two years after the tool first came to light, the Siemens control software targeted in the attack remains vulnerable, according to vulnerability testing company Positive Technologies.

The company claims the ICS and SCADA software that controls industrial hardware is riddled with problems, and the specific WinCC software attacked in Iran still contains multiple vulnerabilities.

WinCC is a SCADA (Supervisory Control And Data Acquisition) controller, and despite the problems revealed in Iran many flaws remain. “It's easy to find a vulnerability in WinCC - you can just point at it,” Sergey Gordeychik, Positive Technologies CTO, told Computer World after cancelling a technical talk to give Siemens more time to fix newly revealed vulnerabilities.

The comments come as the company revealed figures showing a significant rise in the number of SCADA vulnerabilities since the Iranian attacks.

“The ICS/SCADA systems are present in high-speed trains and subway trains, oil and gas pipelines, nuclear power plants, hydroelectricity plants, electric power and water supply management networks,” the company said.

“It is easy to imagine what may happen in case a system failure in a facility occurs as a result of a hacker attack. The number of such threats is growing all the time.”

“During the period from 2005 to early 2010, only 9 vulnerabilities in industrial control systems were discovered; while in 2011, after the detection of the Stuxnet worm, 64 vulnerabilities were discovered. For the first 8 months of 2012, 98 new vulnerabilities were reported — more than during the previous years put together.”

According to Positive Technologies, industrial systems manufacturers are too slow to fix vulnerabilities when they are pointed out, with 20% of potential holes left unfixed for at least a month.

“Most security defects are fixed rather efficiently by the ICS component vendors before they became widely known or within 30 days of uncoordinated disclosure,” the company said. “Approximately every fifth vulnerability was fixed with a significant delay, or was not fixed in certain cases. For instance, Siemens fixed and released patches for 92% of vulnerabilities, while Schneider Electric fixed only 56% of security defects.”

Wider threat

The threat posed by further infection as a result of SCADA attacks has been highlighted after fresh revelations that Stuxnet also infected US oil company Chevron's systems when the malware escaped into the wild in 2010.

“I don’t think the US government even realised how far it had spread,” said Mark Koelmel, general manager of the earth sciences department at Chevron, according to the Wall Street Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished.”