In an increasingly Internet-connected era, keeping sensitive systems off exposed networks is often seen as an essential and effective way of protecting them. But, according to security expert Eugene Kaspersky, once cybersecurity threats are in the wild, there’s no telling how they might reappear and affect even systems that seem unbreachable. Driving this point home in a recent talk before the National Press Club of Australia, he noted that the high-profile Stuxnet malware has been found in two Russian nuclear power plants and on the International Space Station.
“Cyberspace, everything you do is a boomerang,” Kaspersky said in the talk. “It will get back to you.”
He explained that a source of his who worked in a Russian nuclear facility had told him the power plant was “badly infected” by Stuxnet despite its use of an air gap – the practice of separating systems from the Internet. The malware had therefore been spread by previously infected USB sticks. The International Space Station had also been a victim of the worm, apparently spread by an astronaut who brought an infected USB stick onboard, Kaspersky suggested.
Stuxnet is believed to have been originally created by the U.S. and Israel to dismantle Iranian nuclear weapons development programs. This is the first known instance of the malware cropping up in a new context, The Register reported. However, it’s likely that the worm has spread beyond its initial boundaries.
“Unfortunately, it’s very possible that other nations which are not in a conflict will be victims of cyberattacks on critical infrastructure,” said Kaspersky.
Malware like Stuxnet that is designed to target industrial systems such as power plants has posed a growing cybersecurity concern in recent years, largely because such systems are being brought online despite the fact they were not designed with Internet connectivity in mind. The unlikely spread of Stuxnet specifically highlights, as Kaspersky suggested, the unpredictable nature of malware once it’s in the wild, and shows that even the lack of Internet connectivity is no guarantee that a cybersecurity risk doesn’t exist.
For system vendors and software developers, this threat means that code in any system that could be manipulated needs to be secured, even if there is not an obvious attack vector. Using a secure development lifecycle that incorporates tools such as static analysis software is a key step for ensuring security is considered as new products are introduced.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.