Monday, March 21, 2011

Summing up Stuxnet in 4 Easy Sections (plus Handy Presentation)

(Originally posted by Eric Byres on March 21, 2011 @ Practical SCADA Security)

There has been a lot of media coverage and discussion of the Stuxnet malware, and its impact on industrial control system (ICS) and SCADA security. We are one of the groups guilty of creating a Stuxnet publishing industry.

A few weeks ago we issued a White Paper, “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems”, written by Andrew Ginter, Joel Langill and me. The paper is a 26-page deep dive into how Stuxnet could migrate from the Internet to an isolated ICS, including a discussion of what can be learned from Stuxnet’s pathways.

Now, frankly, I am sick of Stuxnet. If you are one of our regular readers, you might be as well. However, being sick of a threat doesn’t make it go away. So far, very little has changed in our industry; we still need to address the issues that Stuxnet exposed.

Furthermore, I am constantly surprised how little upper management in the industry knows about the worm. I am not expecting that the CEO of “Real Big Corporation” knows the technical details, but it would be good if he or she at least understood the basics. Otherwise, it is hard to get ICS security the attention it deserves.

So today we are publishing a presentation that abridges the findings of the "How Stuxnet Spreads" White Paper and summarizes a lot of other information on Stuxnet. If you need a crash course on Stuxnet, or a presentation for management, this may come in handy. Below is a synopsis of the presentation, and a link to the download for it.

1. What is Stuxnet?
Stuxnet is an advanced malware worm that became public in July 2010 and that has attacked Siemens PCS 7, S7 PLC and WinCC systems around the world. It has infected at least 22 manufacturing sites, and it appears to have impacted its possible target, Iran’s nuclear enrichment program.

You may think, “Great, we weren’t the target!” However, Stuxnet successfully infected a large U.S. manufacturing plant. The impact was that major resources were required to disinfect project files, and the plant continued to experience symptoms on PLCs one month later.

The message to you is: Stuxnet is the first known malware to specifically target an industrial process. Could your industrial process be next? And even if you are not the target, you may face high resource costs to eliminate a potential threat from your systems.

2. How Stuxnet Spreads
The management of many industrial sites feels “safe” because they believe the ICS network is not connected to the Internet. Some even believe their system is “air-gapped” from the corporate network. Part of the genius of Stuxnet is that it demonstrated how easily an advanced cyber threat can move from a USB key, an external hard drive, an infected laptop or an infected project file onto a control system network.

Using human vectors, local area network communications and infected project files, Stuxnet reached its PLC targets. Today’s business practices, which involve remote contractors and support staff, links between the enterprise network and the control networks, and removable media for updates or support, all provide multiple pathways for infection. Even an apparently harmless PDF file could be a pathway into your control system.

Indeed, the number and complexity of the possible pathways is a key lesson: any strategy designed to minimize the risk of advanced persistent threats must address all of them, not just the obvious ones.

3. Stuxnet’s Impact on PLCs
Stuxnet has two distinct payloads. One is the well-known attack against the Siemens S7-315-2 PLC, which manipulated the high-frequency drives controlling centrifuges.

The other payload (the code aimed at the S7-417) is less known, less understood, and scarier. In essence, this payload performs a Man-in-the-Middle (MITM) attack INSIDE the PLC. It intercepts the inputs coming from the PLC’s I/O modules and fakes them, so that the control logic works off incorrect information. It then drives the PLC’s outputs to do what it wants, not what the logic says.

At the same time, the payload replays previously recorded input data to make the PLC logic and the operator think that all is well.

We have no real idea what the target for this payload was, because Stuxnet’s creators appear to have disabled it from loading at the last minute. My guess (and it is just a guess) is that the target is a safety system.

What is scary about this attack is that it offers a general model for simple, destructive SCADA worms that exploit inherent PLC, DCS and SIS design issues: a controller executes whatever logic is loaded into it and has no way to verify that the inputs it is shown or the outputs it drives are genuine. That is an architectural property, not a bug, so there are no possible “patches” for our controllers in the foreseeable future.

Securing last-line-of-defense critical systems, such as safety instrumented systems (SIS), is essential. Furthermore, combining control and safety functionality in integrated ICS equipment exposes both to common-cause security failures: once the shared controller is compromised, the safety logic reads the same faked inputs as the control logic.

The other bad news about this particular attack is that it is internal to the PLC and does not cross the network. Once the PLC, DCS or SIS controller is infected, no anti-virus, IDS or firewall (not even the Tofino firewall!) can help you. So it is critical that earlier defences such as firewalls or IDS prevent the worm from reaching the controllers in the first place.
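To make the mechanism concrete, here is an added simulation (illustrative code written for this page, not Stuxnet's code and not from the white paper) of a PLC scan cycle with the payload model described above: a hook sits between the I/O modules and the logic, passes genuine inputs through while recording them, and then replays the recording to the logic while forcing the outputs itself. The process (a tank level held between limits by a pump), the high-level interlock and every number are constructed assumptions. The interlock lives in the same controller, which is the common-cause case above: it reads the same faked process image, so it never trips. `first_divergence` stands in for what an independent measurement outside the controller could see.

```python
"""Simulation of a man-in-the-middle payload inside a PLC (added example).

Everything here is constructed for illustration: the plant model, the control
logic, the interlock limit and the record/replay length are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Plant:
    """Constructed process: the level rises 4 units per scan with the pump on
    and falls 2 units per scan with it off, clamped to a 0..150 tank."""
    level: float = 50.0

    def step(self, pump_on: bool) -> float:
        self.level += 4.0 if pump_on else -2.0
        self.level = max(0.0, min(150.0, self.level))
        return self.level


def control_logic(level: float, pump_was_on: bool) -> bool:
    """Legitimate control logic: hold the level between 40 and 60 (hysteresis)."""
    if level < 40.0:
        return True
    if level > 60.0:
        return False
    return pump_was_on


HIGH_LEVEL_TRIP = 100.0  # constructed interlock limit


def safety_interlock(level: float, pump_cmd: bool) -> Tuple[bool, bool]:
    """High-level interlock running in the SAME controller as the control
    logic. Returns (pump_cmd, tripped)."""
    if level > HIGH_LEVEL_TRIP:
        return False, True
    return pump_cmd, False


class InPlcMitm:
    """Model of the payload: record genuine inputs for `record_scans` scans,
    then replay the recording into the process image and force the outputs."""

    def __init__(self, record_scans: int = 20):
        self.record_scans = record_scans
        self.recorded: List[float] = []
        self.replay_pos = 0

    @property
    def active(self) -> bool:
        return len(self.recorded) >= self.record_scans

    def filter_input(self, raw: float) -> float:
        if not self.active:
            self.recorded.append(raw)   # pass through while recording
            return raw
        value = self.recorded[self.replay_pos % len(self.recorded)]
        self.replay_pos += 1
        return value                    # replayed "all is well" value

    def override_output(self, logic_cmd: bool) -> bool:
        return True if self.active else logic_cmd   # force the pump on


@dataclass
class ScanRecord:
    scan: int
    raw: float      # what the I/O module actually measured
    seen: float     # what the logic, the interlock and the HMI were shown
    pump_on: bool   # what was actually driven to the output
    tripped: bool


def simulate(scans: int, attack: bool) -> List[ScanRecord]:
    """Run the PLC scan cycle: read inputs, run logic and interlock, write outputs."""
    plant = Plant()
    mitm: Optional[InPlcMitm] = InPlcMitm() if attack else None
    pump_on = False
    history: List[ScanRecord] = []
    for n in range(scans):
        raw = plant.level
        seen = mitm.filter_input(raw) if mitm else raw
        cmd = control_logic(seen, pump_on)
        cmd, tripped = safety_interlock(seen, cmd)
        if mitm:
            cmd = mitm.override_output(cmd)
        pump_on = cmd
        history.append(ScanRecord(n, raw, seen, pump_on, tripped))
        plant.step(pump_on)
    return history


def first_divergence(history: List[ScanRecord], tolerance: float = 1.0) -> Optional[int]:
    """What an independent measurement outside the controller could flag: the
    first scan where the physical value and the PLC-reported value disagree."""
    for rec in history:
        if abs(rec.raw - rec.seen) > tolerance:
            return rec.scan
    return None


if __name__ == "__main__":
    for rec in simulate(50, attack=True):
        print(f"scan {rec.scan:2d} real={rec.raw:6.1f} shown={rec.seen:5.1f} "
              f"pump={'on ' if rec.pump_on else 'off'} tripped={rec.tripped}")
```

Running `simulate(80, attack=True)` shows the reported level never leaving its normal 38 to 62 band while the physical level climbs past the interlock limit to the tank's ceiling, and the interlock never trips; `first_divergence` flags scan 20, the first replayed scan. Nothing inside the controller, and nothing on the network between PLC and HMI, sees anything wrong, which is why the text insists both on keeping the worm off the controller and on last-line-of-defense systems that do not share the compromised controller.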

4. Protecting Against the Son-of-Stuxnet
A key to protecting your ICS from a potential “Son-of-Stuxnet” is to examine all possible infection pathways, not just a single pathway such as a USB key. Develop strategies for discovering, documenting and mitigating ALL transfers of electronic information, regardless of the technology or form of the transfer.

It is likely that even with strong mitigation, infection will occur. Be ready by installing ICS-appropriate detection and security technologies. Look beyond traditional port-and-address firewalls to firewalls capable of deep packet inspection of key SCADA and ICS protocols, so that a read request, a write request and a program download can be told apart even though they all use the same TCP port. And focus on securing last-line-of-defense critical systems, particularly safety instrumented systems (SIS).
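An added illustration (written for this page; not Tofino's code and not from the white paper) of what protocol-aware filtering adds over a port-based rule. Modbus/TCP is used because its framing is small and public; the same idea applies to S7 traffic on TCP/102, where only a DPI firewall can separate routine reads from writes and logic downloads that share one port. The client addresses, the policy, the write window and the sample frames are all constructed for the example.

```python
"""Deep packet inspection of Modbus/TCP requests (added example).

The policy, host addresses, register window and sample frames are constructed
assumptions; the frame layout is the standard MBAP header plus PDU.
"""
import struct
from typing import Dict, FrozenSet, Tuple

# Function codes a read-only client (an HMI) needs, and the write codes an
# engineering workstation additionally needs.
READ_FCS: FrozenSet[int] = frozenset({1, 2, 3, 4})
WRITE_FCS: FrozenSet[int] = frozenset({5, 6, 15, 16})

# Constructed policy: which client may use which function codes. A port-based
# firewall cannot express this, because every client talks to TCP/502.
POLICY: Dict[str, FrozenSet[int]] = {
    "10.0.1.10": READ_FCS,               # HMI (hypothetical address)
    "10.0.1.20": READ_FCS | WRITE_FCS,   # engineering workstation (hypothetical)
}
# Constructed register window that writes are confined to (setpoints only).
WRITE_WINDOW = (0x0010, 0x001F)


def parse_modbus_tcp(frame: bytes) -> Tuple[int, int, bytes]:
    """Parse the MBAP header and function code of a Modbus/TCP request.
    Returns (unit_id, function_code, pdu_data); raises ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, pid, length, uid = struct.unpack("!HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} != {len(frame) - 6} bytes on the wire")
    return uid, frame[7], frame[8:]


def write_range(fc: int, data: bytes) -> Tuple[int, int]:
    """Start address and quantity touched by a write request (FC 5, 6, 15, 16)."""
    if len(data) < 4:
        raise ValueError("write request too short")
    start = struct.unpack("!H", data[:2])[0]
    if fc in (5, 6):
        return start, 1
    return start, struct.unpack("!H", data[2:4])[0]


def dpi_decision(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Apply the policy to one request; returns ('allow' | 'deny', reason)."""
    try:
        _uid, fc, data = parse_modbus_tcp(frame)
        allowed = POLICY.get(src_ip)
        if allowed is None:
            return "deny", f"{src_ip} is not an authorised Modbus client"
        if fc & 0x80:
            return "deny", "exception bit set in a request"
        if fc not in allowed:
            return "deny", f"function code {fc} not permitted for {src_ip}"
        if fc in WRITE_FCS:
            start, qty = write_range(fc, data)
            lo, hi = WRITE_WINDOW
            if qty == 0 or start < lo or start + qty - 1 > hi:
                return "deny", f"write to {start:#06x} x{qty} outside the setpoint window"
    except ValueError as err:
        return "deny", f"malformed: {err}"
    return "allow", f"function code {fc} from {src_ip}"


def modbus_frame(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request (used only to construct sample traffic)."""
    return struct.pack("!HHHB", tid, 0, 2 + len(data), uid) + bytes([fc]) + data


# Constructed sample traffic: (source address, frame).
SAMPLES = {
    "hmi_read_holding":   ("10.0.1.10", modbus_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
    "hmi_write_single":   ("10.0.1.10", modbus_frame(2, 1, 6, b"\x00\x10\x12\x34")),
    "eng_write_setpoint": ("10.0.1.20", modbus_frame(3, 1, 6, b"\x00\x10\x12\x34")),
    "eng_write_outside":  ("10.0.1.20", modbus_frame(4, 1, 16, b"\x00\x40\x00\x02\x04\x00\x01\x00\x02")),
    "unknown_host_read":  ("10.0.9.9",  modbus_frame(5, 1, 3, b"\x00\x00\x00\x01")),
    "truncated_frame":    ("10.0.1.10", modbus_frame(6, 1, 3, b"\x00\x00\x00\x0a")[:-2]),
}


def run_samples() -> Dict[str, str]:
    """Decision for each sample, keyed by sample name."""
    return {name: dpi_decision(ip, frame)[0] for name, (ip, frame) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ip, frame) in SAMPLES.items():
        print(f"{name:20s} {dpi_decision(ip, frame)}")
```

The HMI's read passes, its write is refused, the engineering station may write only inside the setpoint window, an unknown host gets nothing, and a frame whose MBAP length disagrees with the bytes on the wire is dropped as malformed. All six would have been accepted by a rule that only allows "TCP/502 from the control VLAN".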

Stuxnet has changed the threat landscape by showing that control systems are now the target of sophisticated attacks.

ICS and SCADA engineers, management and vendors need to accept that a much higher level of risk exists post-Stuxnet, and we need to do something about it!

The complete prevention of ICS infection is probably impossible; therefore we must urgently improve our overall defense-in-depth strategies.

PDF: "What Does Stuxnet Mean for ICS" presentation (588 KB)
