New approach to cyber attacks needed

Reproduced with thanks from EUobserver (EUOBSERVER), published on Tuesday 11 October 2011, 18:12.

Brussels - With the discovery of Stuxnet, a computer worm believed to have been developed by the US government to shut down a nuclear plant in Iran, European companies like Siemens are coming under increased pressure to secure their software operating 'critical infrastructure' like power plants or water treatment facilities.

"The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the Bomb," Ralph Langner, the German cyber security expert who first discovered what the virus does, said in March at a tech conference.

Discovered in June 2010, Stuxnet is the first computer malware to specifically target only a certain type of industrial system - nuclear centrifuges - and is otherwise inoffensive.

Langner is convinced that the US government is behind this "very complex" piece of malware, which had around 15,000 lines of code to figure out.

While Stuxnet was designed to attack only Iranian centrifuges in Natanz which were using unauthorised copies of the Siemens software for nuclear plants, the German expert warns that it has created a precedent which, if replicated, could trigger a "cyber weapon of mass destruction".

"Unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan (...) We have to face the consequences, and we better start to prepare right now," Langner told the audience.

His warning was echoed by the EU's cyber security agency (Enisa), which in October 2010 equated the discovery of Stuxnet to a "paradigm shift in threats and critical information infrastructure protection."

"After Stuxnet, the current prevailing philosophies on critical information infrastructure protection will have to be reconsidered. They should be developed to withstand these new types of sophisticated attack methods. Now that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks," said Udo Helmbrecht, head of Enisa.

At the heart of the matter is the fact that so-called supervisory control and data acquisition (Scada) programmes, designed to operate valves or chemical pumps or to measure pressure in a sealed container, for instance in a water treatment plant, were not originally intended to run on computers which also run Windows and are connected to the internet.

Luigi Auriemma, an IT security specialist who last month published a list of vulnerabilities and non-detected loopholes in Scada systems, told this website that "the problem is that there is a minor sense of security from their vendors. They think that a firewall is the solution to everything."

Firewalls are programmes designed to block unauthorised access, but Auriemma notes that their configuration capability is limited and that hackers can easily circumvent them, for instance by faking a trusted IP address.

Finding bugs in the software and pressing the vendors to fix them is to his mind the only solution. Germany's Siemens did fix a series of vulnerabilities detected by Auriemma in March, but that doesn't mean that their software is now attack-proof.

"There are only no known bugs available," the Italian says. Unlike other bug-hunters, Auriemma is publishing everything he finds, instead of going to the company first and waiting for them to fix it without releasing the details.

"I am for full disclosure because it forces the vendors to fix the bugs quickly. Bad guys already know them anyway. This is the first rule in security: What gets released is already known."

In the US, a computer emergency response team (ICS-CERT) has been set up by the government to respond to attacks on critical infrastructure. But in Europe, there is no equivalent.

"So when a researcher decides to contact ICS-CERT and reports the bugs to them, the US is aware of security problems, but not the rest of the users of these programmes, including in Europe," he explains.

At the end of March, the EU commission tabled a few non-binding proposals on how to deal with this threat: an information sharing network among EU governments, a public-private partnership for "resilience" and pan-European exercises.

