The European agency responsible for protecting the critical infrastructure of EU countries is warning its member states that the Stuxnet attack represents a major change in the malware landscape and that they should be prepared for further attacks with the same level of sophistication and professionalism.
The European Network and Information Security Agency has told the members of the European Union that Stuxnet should not be viewed as a one-off targeted attack, but instead should be seen as a sign of things to come in malware.
“Stuxnet is really a paradigm shift, as Stuxnet is a new class and dimension of malware. Not only for its complexity and sophistication, e.g. by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates, and from there attacking complex Siemens SCADA systems. The attackers have invested a substantial amount of time and money to build such a complex attack tool,” said Udo Helmbrecht, executive director of ENISA. “The fact that perpetrators activated such an attack tool can be considered as the ‘first strike’, i.e. one of the first organized, well prepared attacks against major industrial resources. This has tremendous effect on how to protect national (CIIP) in the future.”
ENISA is the rough equivalent of the technical directorate of the Department of Homeland Security for all of the EU. In contrast to ENISA’s warning, there have been no public warnings to industry or government agencies from the DHS about Stuxnet. However, there has been a lot of conversation within the security community and among security researchers about the significance and sophistication of Stuxnet, and what that means for the evolution of malware and the usefulness of current defenses.
Some experts have said that, regardless of what the actual target of Stuxnet was and who its creator is, the emergence of the malware is in and of itself a significant event in the use of offensive security capabilities.
“I will state categorically that I think that Stuxnet should settle the debate about the possibility of weaponized software; someone clearly has the ability to gather the intelligence and build the software necessary to achieve military goals. Whether or not this is such an incident is a separate issue; the capability demonstrably exists,” Steven Bellovin of Columbia University wrote in a blog post analyzing Stuxnet’s significance. “The ability to do precision targeting is quite intriguing. One concern about cyberwar is the potential for damage to civilian infrastructure, which is against international law. Stuxnet shows that (under the right circumstances) attacks can be very carefully directed. That, to my knowledge, had not been anticipated in writings on the subject.”
ENISA, in its warning to EU states, contemplates more attacks in the vein of Stuxnet as attackers analyze the malware and learn from both its success and its failures.
“After Stuxnet, the currently prevailing philosophies on CIIP will have to be reconsidered. They should be developed to withstand these new types of sophisticated attack methods,” Helmbrecht said. “Now that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks. All security actors will thus have to be working more closely together and develop better and more coordinated strategies.”