Stuxnet 'a game changer for malware defence'
EU agency warning
The Stuxnet malware is a game changer for critical information infrastructure protection, an EU security agency has warned.
ENISA (European Network and Information Security Agency) warns that a similar attack of malware capable of sabotaging industrial control systems as Stuxnet may occur in future.
The worm, whose primary method of entry into systems is infected USBs, essentially ignores vulnerable Windows boxes but aggressively attacks industrial control (SCADA) systems from Siemens, establishing a rootkit as well as a backdoor connection to two (now disconnected) command and control servers in Malaysia and Denmark.
PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies, for example. There's no evidence either way as to whether this has actually happened, but what is clear is that the malware has caused a great deal of concern and inconvenience. India, Indonesia and Iran have recorded the most incidents of the worm, according to analysis of infected IP addresses by security firms.
Incidents of infection were first recorded in Malaysia, but the appearance of the malware in Iran has been the focus of comment and attention. Plant officials at the controversial Bushehr nuclear plant in Iran have admitted that the malware has infected laptops. However government ministers, while blaming the attack on nuclear spies, had downplayed the impact of the attack and denied it has anything to do with a recently announced two-month delay in bringing the reactor online.
Dr Udo Helmbrecht, executive director of ENISA, commented: "Stuxnet is a new class and dimension of malware. Not only for its complexity and sophistication (eg by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates) and from there attacking complex Siemens SCADA systems. The attackers have invested a substantial amount of time and money to build such a complex attack tool."
"The fact that perpetrators activated such an attack tool, can be considered as the 'first strike' against major industrial resources. This has tremendous effect on how to protect national (CIIP) in the future," he added.
Ilias Chantzos, director of government relations at Symantec, told a meeting at the Symantec Vision conference in Barcelona this week that millions had been spent developing the malware.
"Stuxnet would have involved a team of between 5-10 people, six months research and access to SCADA systems. The motive behind the malware was to spy and re-program industrial control systems.
Chantzos declined to enter into speculation about who created the malware or its intended target beyond saying "only a well-funded criminal organisation or nation state would have the resources to develop the malware".
Steve Purser of ENISA told journalists that Stuxnet has taught security experts nothing they didn't already know. "What is significant is its target and impact. We have to prepare for a future Stuxnet."
Critical protection methodologies and best practices will have to be reassessed in the wake of Stuxnet, according to ENISA.
Large scale attacks on critical infrastructure require a coordinated international response. No Member State, hardware/software vendor, CERT or law enforcement agency can successfully mitigate sophisticated attacks like Stuxnet on their own. ENISA plans to support these efforts by helping to devise revised best practices for securing SCADA systems.
In addition, ENISA, in co-operation with all EU Member States and three EFTA countries, plan to mount the first pan-Europe cyber-security exercise in early November. Cyber Europe 2010 will set out to test member states' plans, policies and procedures for responding to potential critical information infrastructure crises or incidents, such as those posed by Stuxnet. The scheme is similar and smaller than the Cyber-Storm program in the US.
ENISA, which was established in 2004, was granted a five-year extenuation to its responsibilities last month. The agency's analysis of Stuxnet and links to other resources can be found here. ®
"helping to devise revised best practices for securing SCADA systems."
It should be quite a short document:
1. Do not connect any SCADA system to the internet.
2. Do not connect any SCADA system to any computer running any version of Windows.
3. Member States will impose the mandatory death penalty for anyone who violates rules 1 or 2.
Last self reptition, honest. Please RTF Analysis
"he was totally staggered that anyone would attach their SCADA to any network which could be connected to the outside world in any way"
The (allegedly) effected SCADA systems were not connected to the outside world in any way.
"or allow anyone to attach external media to the systems."
No one attached external media to the SCADA systems.
"He also said that this is SCADA lesson one.""
Indeed it is. Which is why stuxnet was coded in order to jump over these limitations.
Clearly none of the commentards can be arsed to RTFM, so in summary :
Stuxnet arrives at your plant on a USB drive (say). It then compromises machines and spreads through your internal net via a combination of tricky exploits. It also continues to infect USB (or other removable media).
At some point, someone takes a USB drive accross the air gap that separates the internal net from the PLKC development boxes and plugs it into the machine used for PLC software development, it spots the WinCC PLC development environment and trojans the fuck out of it, enabling it drop it's payload of malicious PLC code into any PLC projects that come along.
At some point further along, someone tales this developed PLC code on (say) a USB stick, and crosses another air gap to the machine that is used to program the code onto the PLC. At which point, stuxnet trojans the fuck out of the PLC programming software as well.
Now, at this point, when you take your PLC out of your SCADA gubbins to modify the process code on it, another air gap because no one attaches SCADA to anything, it rewrites the code on the PLC, only you can't see it, because stuxnet has trojaned the fuck out of the programming software, and it is now lying to you.
Then you put the PLC back across the air gap and start up your plant. Then your plant go boom.
Stuxnet was specifically designed to work around the fact that no one is dumb enough to connect SCADA kit to external networks, and to exploit the - now thoroughly debunked - belief that this is sufficient to protect them from remote malfeasance.
Now can we all please stop with the "shouldn't connect SCADA to teh internets" cockwaffle ?
with the continual de-skilling and down sizing of factory staff; OEM support is moving more and more into remote access. This after spending years telling clients that no sane Engineer would put a process network anywhere near the inter/intranet; hell we don't even want our friends from IT having access. But now we have to link (mostly via a good solid firewall) to the factory IT infrastructure & then out either by VPN/HTTS or dedicated adsl link.
So now I sit somewhere in the UK accessing factories all over the world. Some of them even want me to have access to their Process Control systems so I can modify/improve it - when it is running. And I can do this from the office or from home.
It is quite sobering; I know more about some plants that I have never been to than the people 'running' them. AND; if I so wished I could do all sorts of interesting things; some of which could cause things to go bang - or even B A N G ! And no one would be able to find out who caused the bang....
Stuxnet is what we spent years defending against. - and a lot of people (IT and Management) thought we were being stupid. Now when it becomes imperative that we have remote access; oops - there it is; only Siemens at the moment; Honeywell; Emerson; Rockwell; Wonderware etc can't be far behind. And thats when it gets really frightening; when the DCS systems are targeted; little PLCs aren't to much problem; but corrupt a DCS and then you will have BIG trouble. (So what idiots 'forced' COTS crap -AKA Windows- onto the process world ?). Think of all those BIG refineries/dangerous chemical plants they use DCS to control the PLCs & monitor what's going on...
The only solution is to train more engineers; pay them more than bankers, and have enough in plant to keep each plant safe. At least that way there are only a small number of people who would be in a position to commit sabotage.
AC - you think I'm as stupid ?