Since Stuxnet was revealed, other sophisticated worms, Trojans, and backdoors have been identified, including Duqu and Flame, which are both apparently related to Stuxnet. Eugene Kaspersky, head of Kaspersky Lab, which discovered Flame, called it “the most sophisticated cyberweapon yet unleashed,” and he further noted that “even those countries that do not yet have the necessary expertise [to create a virus like Flame] can employ engineers or kidnap them, or turn to hackers for help.”
Because international attacks tend to be tit for tat, Iran will probably launch a reprisal cyberattack of its own. It is already reportedly involved in cybercrimes at the nation-state level; for example, according to Defense Tech, an online publication that reports on cybersecurity issues, the Islamic Revolutionary Guard Corps set up its first official cyber-warfare division in 2010, with an estimated $76 million budget.
Though espionage is often thought to be the focus of nation-state cyber activity, Stuxnet shows that nation-states have the potential to go far beyond spying. Given the expansion and proliferation of ICSs, such attacks could be used to disrupt utility networks and other ICS components, shut down power grids, and sabotage nuclear systems. Given that nation-state sponsored activity exists and is likely to be more prevalent than is known, IT security professionals at critical infrastructure operations that use ICSs must prepare for the likelihood of attacks.
Guidance documents such as ANSI ISA 99 and NERC CIP provide a good framework for identifying critical cyber assets and controlling access to them, as well as for maintaining a healthy cyber environment. Employee and contractor background checks, limiting access, logging, scanning, auditing, due diligence, and situational awareness are all cited as important aspects of reducing the cyberthreat.
Companies need to ensure that they educate employees and raise their awareness. Stricter safeguards, such as USB port control, continuous monitoring, and anomaly detection, are also important. These procedures can help to mitigate both careless and malicious malware introduction where the insider is the primary conduit in code transfer. Web filtering is another effective safeguard against the potential downloading of malware onto corporate networks.
ICS operators also need to establish a defense-in-depth approach that establishes and maintains a high level of security capability. One aspect of this is to segregate the most critical systems behind several layers of protection. Other aspects include identifying potential internal and external threats and risks, establishing requirements for access to critical systems, and developing robust security architectures and policies.