The Stuxnet worm is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used both known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-practice security technologies and procedures.
Since its discovery, there has been extensive analysis of Stuxnet’s internal workings. What has not been discussed is how the worm might have migrated from the outside world to supposedly isolated and secure industrial control systems (ICS). Understanding the routes that a directed worm takes as it targets an ICS is critical if these vulnerable pathways are to be closed for future worms.
To help address this knowledge gap, this White Paper describes a hypothetical industrial site that follows the high security architecture and best practices defined in vendor documents. It then shows the ways that the Stuxnet worm could make its way through the defenses of the site to take control of the process and cause physical damage.
It is important to note that the analysis presented in this paper is based on a security model that, though it is accepted in industry as a best practice, is often not implemented in practice. System architectures in the real world are typically much less secure than the one presented in this paper.
The paper closes with a discussion of what can be learned from the analysis of pathways in order to prevent infection from future ICS worms. Key findings include the following:
- A modern ICS or SCADA system is highly complex and interconnected, resulting in multiple potential pathways from the outside world to the process controllers.
- Assuming an air-gap between ICS and corporate networks is unrealistic, as information exchanges are essential for process and business operations to function effectively.
- All mechanisms for transfer of electronic information (in any form) to or from an ICS must to be evaluated for security risk. Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense.
- Industry must accept that the complete prevention of ICS infection is probably impossible and that instead of complete prevention, industry must create a security architecture that can respond to the full life cycle of a cyber breach.
- Industry must address the containment of attacks when prevention fails and aggressively segment control networks to limit the consequences of compromise. In particular, securing last-line-of-defense critical systems, such as safety integrated systems (SIS), is essential.
- Combining control and safety functionality in highly integrated ICS equipment exposes systems to common-cause security failures. For critical systems, diversity is important.
- Providing security by simply blocking or allowing entire classes of protocols between manufacturing areas is no longer sufficient. Stuxnet highlights the need for the deep packet inspection (DPI) of key SCADA and ICS protocols.
- The Remote Procedure Call (RPC) protocol is an ideal vector for SCADA and ICS attacks because it is used for so many legitimate purposes in modern control systems.
- Industry should start to include security assessments and testing as part of the system development and periodic maintenance processes in all ICS.
- There is a need to improve the culture of industrial security among both management and technical teams.
The entire white paper is available on the Tofino Security website by clicking here.