Organised crime groups with "billions" to spend may be the first to develop malware from Stuxnet blueprints, industry analysts have warned.
According to IBRS analyst James Turner, smart grid networks, transport and baggage scanning systems could be targeted by future variants of the complex worm that crippled Iran's nuclear program last year.
"The entire malware-creating industry - script kiddies, organised crime, and nation-state cyber warfare groups - has been shown the blueprint for the internet equivalent of a bunker-buster," Turner said in an as yet unpublished research note.
"Stuxnet has fundamentally shifted the paradigm of what is achievable through malware. The implications for the future of malware are dramatic."
Security researchers have published troves of information about Stuxnet after de-constructing its attack on Iran's uranium enrichment program.
Researchers found that the malware exploited four zero-day vulnerabilities and used numerous vectors to spread infection.
It also carried out a man-in-the-middle attack on the control system: it replayed the normal sensor readings used in the uranium enrichment process to the monitoring software, so that malfunctioning equipment was not shut down.
"The resources required to create another worm which replicates the power of Stuxnet are out of reach for most individual malware creators. However, organised crime gangs have billions of dollars at their disposal," Turner said.
"Creating a malware factory would be an effective way for them to both launder their money, as well as generate new money making ventures."
Eric Byres, a subject matter expert on the industrial control systems that Stuxnet targeted, expects an arms race to emerge.
He warned that crude new variants of Stuxnet could cause much more collateral damage than the original.
Insecure proprietary communication protocols were among the most vulnerable points of industrial control systems, and fixing them required the systems to be dissected, Byres said.
But "air gapping" or disconnecting industrial control networks from the outside was not the answer.
A security chief for a large utilities company who requested anonymity said the benefits of linking industrial control systems to external networks made the risks worthwhile.
“Air gapping between SCADA and corporate networks isn’t the solution,” he said. “Keeping that link is, in fact, the answer.”
He said such attacks have led to the “death of security through obscurity” and operators must instead harden the most critical elements of industrial control systems.
Turner said security engineers should "get serious about network segmentation" noting that the systems infected by Stuxnet had insufficient controls in place.
He expected anomaly detection to become a critical feature of Security Information and Event Management (SIEM) systems, and said security awareness training should be given a higher priority.
"The security systems that have a chance of being able to detect custom malware are the systems that know all the normal behaviour on a network (or device) and can spot aberrations from this," he said.
"Some of these systems won’t even see the malware; they will just see the shadow of its passage (e.g. in the form of aberrant behaviour of trusted protocols)."
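The following is an added illustration of the two controls Turner describes, written for this page and not taken from the article, IBRS, or any product. It builds a baseline of which hosts talk to which over which industrial protocol, then reviews a later window of flow records against both a segmentation policy and that baseline. The host names, zone map, flow records and the 3x volume threshold are all constructed assumptions; the point is that none of the findings depend on seeing the malware itself, only on trusted protocols behaving differently from their baseline.

```python
from collections import defaultdict

# Hypothetical hosts and zones (constructed for this example, not from the article).
ZONES = {
    "ENG01": "control",     # engineering workstation that programs the PLCs
    "PLC-A": "control",
    "PLC-B": "control",
    "HIST01": "dmz",        # historian in the ICS DMZ
    "CORP-FS": "corporate", # corporate file server
}

# Segmentation policy: (source zone, destination zone) pairs that are allowed to talk.
# Nothing from the corporate zone may initiate a connection into the control zone.
ALLOWED_ZONE_PAIRS = {("control", "control"), ("control", "dmz"), ("dmz", "dmz")}

# Constructed "normal day" flow records: (src, dst, protocol, bytes).
BASELINE_FLOWS = [
    ("ENG01", "PLC-A", "s7comm", 1200), ("ENG01", "PLC-B", "s7comm", 1100),
    ("ENG01", "PLC-A", "s7comm", 1300), ("ENG01", "PLC-B", "s7comm", 1000),
    ("PLC-A", "HIST01", "opc", 800),    ("PLC-B", "HIST01", "opc", 820),
    ("PLC-A", "HIST01", "opc", 790),    ("PLC-B", "HIST01", "opc", 810),
]

# Constructed review window: the same trusted protocols, but an engineering host
# pushing far more to a PLC than usual, a controller talking to a peer it never
# contacted, and a corporate host reaching straight into the control zone.
REVIEW_FLOWS = [
    ("ENG01", "PLC-A", "s7comm", 1250),   # normal
    ("ENG01", "PLC-B", "s7comm", 9800),   # known peers, abnormal volume
    ("PLC-A", "PLC-B", "s7comm", 300),    # never-seen peer pair
    ("CORP-FS", "ENG01", "smb", 50000),   # crosses corporate -> control boundary
    ("PLC-A", "HIST01", "opc", 805),      # normal
]


def build_baseline(flows):
    """Learn, per (src, dst, protocol), the mean bytes seen in the training window."""
    samples = defaultdict(list)
    for src, dst, proto, nbytes in flows:
        samples[(src, dst, proto)].append(nbytes)
    return {key: sum(v) / len(v) for key, v in samples.items()}


def detect(flows, baseline, zones, allowed_pairs=ALLOWED_ZONE_PAIRS, volume_factor=3.0):
    """Return [(flow, [reason codes])] for each flow that departs from policy or baseline.

    Reason codes: "zone-policy"  - zone pair not permitted by the segmentation policy
                  "unknown-peer" - (src, dst, protocol) never seen during baselining
                  "volume"       - known peers, but bytes exceed volume_factor x baseline mean
    """
    findings = []
    for flow in flows:
        src, dst, proto, nbytes = flow
        reasons = []
        zone_pair = (zones.get(src, "unknown"), zones.get(dst, "unknown"))
        if zone_pair not in allowed_pairs:
            reasons.append("zone-policy")
        key = (src, dst, proto)
        if key not in baseline:
            reasons.append("unknown-peer")
        elif nbytes > volume_factor * baseline[key]:
            reasons.append("volume")
        if reasons:
            findings.append((flow, reasons))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for (src, dst, proto, nbytes), reasons in detect(REVIEW_FLOWS, baseline, ZONES):
        print(f"{src} -> {dst} {proto} {nbytes}B: {', '.join(reasons)}")
```

A mean over a handful of records is only enough to show the mechanism; a production baseline would be learned over weeks, kept per time-of-day and per protocol function (reads versus writes to a PLC), and reviewed by the plant engineers so that a legitimate reprogramming session is not mistaken for an attack.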