IDAHO FALLS, Idaho (Reuters) - Behind the doors of a nondescript red brick and gray building of the Idaho National Laboratory is the malware laboratory where government cyber experts analyzed the Stuxnet computer virus.
The malicious software targets widely used industrial control systems built by German firm Siemens. Cyber experts have said it appeared aimed mostly at Iran’s nuclear program and that its sophistication indicates involvement by a nation state, possibly the United States or Israel.
The Stuxnet virus was a “significant game changer in the cyber world, said Marty Edwards, a Department of Homeland Security official in charge of a cybersecurity program in partnership with the Idaho National Laboratory, which conducts nuclear research.
The U.S. government is concerned that cyber attacks could wreak havoc on the industrial base and cost millions of dollars. The Idaho lab programs are geared toward protecting the industrial infrastructure: chemical plants, food processing facilities, utilities, water systems and transportation.
“It is probably the most important security issue that we face today,” said Greg Schaffer, a top official in the DHS National Protection and Programs Directorate. “This is a problem that continues to grow.”
In the first major DHS media tour at the Idaho Falls facility Thursday and Friday, reporters visited the malware laboratory and saw demonstrations of how cyber intrusions can attack computer networks of industries.
The building that houses the malware laboratory also has forklifts in the back to bring in equipment that companies send to be analyzed for cyber vulnerabilities.
The malware laboratory is a quiet room with a large dark conference table where Homeland Security and Idaho National Laboratory analysts stare at big computer screens studying lines of code in malicious software to try and determine how to fight it.
“This location was the location that we did the analysis of the Stuxnet virus when it first came out,” Edwards said.
“The virus was brought back in here and run in a contained facility against actual control system equipment so that we could study those effects to release mitigation measures to the general public,” he said.
Edwards would not reveal details of the analysis because it was sensitive information, but said the findings were released to industries who have “a need to know to protect themselves.”
“But in general we found that Stuxnet was a very sophisticated virus that was looking for a very specific control system,” he said. “And manipulated that system for ill-intent.”
The laboratory conducts its analyses of such malicious software in a “sandbox,” an isolated environment not connected to external computer systems to prevent infection.
“You wouldn’t want something that we’re analyzing to crawl out into the rest of the Department of Energy or the Department of Homeland Security systems,” Edwards said.
Is the United States vulnerable to a Stuxnet-style attack?
“All of the industrial control systems that are deployed have some type of susceptibility to attacks like Stuxnet. But through the efforts that we have partnered with industry on, I can tell you that there is very good progress being made to protect the systems,” Edwards said.
A white and glass cube-shaped building displayed signs along the staircase that said “this area is not approved for classified discussion” and no cellphones allowed.
That was the site of the classified watch and warning center where cyber threat data is gathered and shared. It is purely voluntary for private firms to share often proprietary data with the government when they suspect a cyber attack.
DHS received 81 requests from private firms for appraisals of control system security this year, up from 57 last year.
Employees at the watch center sit behind computer screens and look at large video screens overhead to detect any event that might turn out to be a cyber threat to industry.
“Often in the early stages we don’t know what the event is,” Schaffer said. For example they investigated the recent San Diego power outage that knocked out electricity to millions of people, but then determined it was not a cyber attack.
“We’re paying attention to anything that is going to negatively impact the capability of our cyber ecosystem,” Schaffer said.
Editing by Doina Chiacu