Duqu, Son of Stuxnet, Increases Pressure for Cyber Security at All Utilities

A powerful but mysterious computer worm related in structure and sophistication to the Stuxnet worm has been detected on computer systems in Europe and may be an early phase of a planned new international cyber attack. "Duqu" contains code similar to that of Stuxnet, the malicious software discovered in 2010 and widely believed to have set back Iran’s uranium enrichment operations by about three years. Cyber security experts have been warning that Stuxnet’s code would be repurposed, and one year after the discovery of Stuxnet, Duqu has confirmed those predictions. Initial infections of Duqu were discovered in the networks of European control system vendors. So far, analysts believe Duqu was developed by hackers to attack critical infrastructure, including water plants and the power grid in the U.S. and around the world. The emergence of Duqu further highlights the risk to all control systems, anywhere and everywhere, from cyber attack.

According to initial analysis by Symantec, while Duqu looks to have been derived from the Stuxnet worm, its purpose is different. Rather than damaging industrial control systems directly, Duqu seems to be more of an information stealing "Trojan," collecting key strokes and other information that could be used in attacks on critical infrastructure. Per Symantec’s recent threat post, "When run, Duqu injects itself into one of four common Windows processes: Explorer.exe, IEExplore.exe, Firefox.exe or Pccntmon.exe. Once installed, the worm downloads and installs the information stealing component which harvests information from the infected system and stores it in encrypted files on the infected system to export to the attackers’ system." Symantec researchers believe hackers sent the malware to targeted victims via emails with tainted Microsoft Word documents attached. If a recipient opened the Word document and infected the PC, the attacker could take control of the computer and access an organization's network to propagate itself and hunt for data. Analysis of Duqu is continuing and may yet lead to more unpleasant surprises—the complete analysis of Stuxnet took approximately six months.

The emergence of the Duqu and Stuxnet worms makes clear that extremely well resourced nations and nation states are becoming a significant threat. Large and small utilities alike are potential targets, directly or indirectly, because they are interconnected and deploy common technologies from common vendors. As stated by FERC, "It is not the size of an entity that is critical, but rather the potential for an entity to become a vector of vulnerability to the security posture of interconnected control systems." After the Internet, the Smart Grid represents the largest cyber attack surface in North America. Smart meters, substations, and intelligent monitors and sensors on transmission and distribution lines represent millions of physically remote and insecure access points to critical utility networks.

To ensure security, and ultimately reliability, utilities must create a defense-in-depth posture through which they segment networks, deploy multiple defenses to protect critical operations systems, monitor for intrusions and have policies, plans and procedures in place to recover operations systems from cyber attack. Initial steps include conducting a risk analysis, creating cyber security policy statements, establishing a cyber security team on staff and making a review of cyber security policies and procedures a top priority. N-Dimension recommends that every utility review the following 10 basic questions on a regular basis and respond accordingly:

1. Do you have policies and procedures addressing cyber security for operations systems?

2. Do you perform annual cyber security assessments?

3. Do you have operations systems (SCADA, AMI, OMS) that are directly connected to or reachable from the corporate network?

4. Do any third parties have access to your networks or operations systems (e.g. vendors, service providers, power providers)?

5. Do you allow access to the Internet from operations networks?

6. Do you patch systems in your operations network regularly?

7. Do you monitor operations systems and networks for anomalous activity and potential attacks?

8. Do you use Wi-Fi? Is it properly secured?

9. Do you scan for unauthorized wireless access points?

10. Does any of your operations traffic travel over utility-owned fiber or radio links or third-party networks (e.g. private WAN, MPLS, Frame, ISDN, etc.)?

APPA members of all sizes must resist falling prey to the common myths that public power utilities are not targets or that having a firewall is sufficient protection. Cyber security is a critical component to reliability, and there are cost-effective, easy-to-implement solutions available to enable small and mid-sized public utilities to protect their operations.

Doug Westlund is Chief Executive Officer and Dr. Andrew Wright is Chief Technology Officer of N-Dimension Solutions Inc., provider of cyber security solutions in affiliation with Hometown Connections. N-Dimension is a member of NIST's Cyber Security Working Group and a founding member of the National Electric Sector Cyber Security Organization, and works with numerous industry organizations developing the cyber security standards for the Smart Grid.