Stuxnet – not from a bored schoolboy prankster!

Stuxnet malware worse than expected, hides injected code on a PLC: all automation control systems at risk!


More (and later) reading on this malware!

The Wikipedia entry!

2011

A powerplant hack that anybody could use (PC World 5/8/2011)

Siemens PLC Security Vulnerabilities – It Just Gets Worse (Eric Byres, Tofino 4/8/2011)

Beresford @ Black Hat, Part I: Details;   Part II Guru’s, Politics and ICS Response (Digital Bond 4/8/2011)

Iran still reeling (ISS Source 3/8/2011)

Hard-Coded Password and Other Security Holes Found in Siemens Control Systems (Wired 3/8/2011)

Feds fear new Stuxnet threats (ISS Source 2/8/2011)

Summer & Stuxnet (ControlGlobal 2/8/2011)

More Possible Siemens Vulnerabilities (ISS Source 25/7/2011)

A time bomb with fourteen bytes (Ralph Langner 21/7/2011)

Stuxnet returns to bedevil Iran’s Nuclear Systems (DEBKAfile 20/7/2011)

How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History (Kim Zetter: Wired 11/7/2011)

Automation summit! Missing the security boat (Our report on Siemens Summit 7/7/2011)

How Stuxnet Spreads (Jon DiPietro; ISA Exchange 5/6/2011)

“Son-of-Stuxnet” – Coming Soon to a SCADA or PLC System Near You (Eric Byres, Tofino 31/5/2011)

Stuxnet and the Paradigm Shift in Cyber Warfare (R.M.Lee ControlGlobal 17/5/2011)

Stuxnet is an interesting and worrisome attack for several reasons (Eric D. Knapp Security Park 23/3/2011)

More SCADA Vulnerabilities Found (Greg Hale ISS Source 23/3/2011)

Fukushima Dai-ichi status and potential outcomes (Euan Mearns, The Oil Drum 17/3/2011)

Stuxnet report IV: Worm slithers in! (ISS Source 16/3/2011)

Post-Stuxnet industrial security (Control Engineering EME 14/3/2011)

Stuxnet Report III: Worm Selects Site (ISS Source 9/3/2011)

ISA99 task force formed! (4/3/2011 Read-out Signpost)

New ISA99 Task Group Targets Cyber Threat Gaps (Automation World 3/3/2011)

Stuxnet Report II: A Worm’s Life (ISS Source 2/3/2011)

Revealing network threats, fears (Byres InTech Jan/Feb 2011)

Stuxnet Report: A System Attack (ISS Source 24/2/2011)

Stuxnet, security and taking charge (Ewald Kok IEB Feb 2011)

How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems. (White Paper Byres and others 22/2/2011)

Irish team played key role in deciphering virus at centre of Iran cyber hit (Mary Fitzgerald: Irish Times 19th Feb 2011)

The world of cyber threats (BBC Mary Shiels’ blog 16 Feb 2011)

Stuxnet Warfare (Jim Pinto 28th Jan 2011)

The Stuxnet worm and options for remediation (Industrial Wireless Book Jan’11)

The Stuxnet Worm and Iran – The day after! (Gary’s Choices 16/1/2011)

Israeli Test on Worm Called Crucial in Iran Nuclear Delay (NY Times 15/1/2011)

In a post Stuxnet world! (Jim Cahill, Emerson Process Experts 13/1/2011)

How to hijack a controller (Ralph Langner, Control 13/1/2011)

Insuring Against Stuxnet (ISS Source 7/1/2011 Part II with link to part I)

Industrial Defender Updates Stuxnet Whitepaper (Andrew Ginter 6/1/2011)

2010

Stuxnet Updates (Chemical Facility Security News 27/12/10)

Stuxnet – Cybersecurity Trojan Horse (Joe Weiss InTech December 2010)

Stuxnet — A new weapon for cyber insurgents? (Automation Nation 28/11/2010)

STUXNET Scanner: A Forensic Tool (TrendMicro 15/11/2010)

Preventing the spread of the Stuxnet worm in both Siemens and non-Siemens network environments. (Byres Security: White paper 8/11/2010)

A Different Spin On Sleuthing Stuxnet (Kelly Jackson Higgins, DarkReading 5/11/2010)

The Stuxnet Worm: more than 30 people built it! (The Atlantic 4/11/2011)

STUXNET: a reminder of some facts (ISA-Flash, ISA France Bulletin Nov 2010)

Byres Security updated white paper Analysis of the Siemens WinCC / PCS7 Stuxnet Malware for Industrial Control System Professionals. (15/10/2010)

Destructive Trojan Poses as Microsoft Stuxnet Removal Tool in Softpedia (15/10/2010)

Stuxnet Aftermath: Cyber Warfare Already Here and Greg Hale’s “Safe From Stuxnet? Think Again!” in ISS Source (14/10/2010)

ARC Advisory Group Control Systems are Not Safe – Stuxnet Worm Raises Security Concerns in India (12/10/2010)

Paul Roberts in Threat Post: Security Firms Scramble For SCADA Talent After Stuxnet (7/10/2010)

Les Hunt from DPA Magazine comments in “The Worm Turns” (6/10/2010)

Defending against Stuxnet (Wes Iverson Automation World Oct’10)

This blog from the American Government Security Blogs, “Stuxnet and Self-Inflicted Wounds”, and also in Security Dark Reading, “Stuxnet Attack Exposes Inherent Problems In Power Grid Security”

“Why the Stuxnet worm is like nothing seen before.” (New Scientist 27 Sept 2010)

“Stuxnet worm hits Iran nuclear plant staff computers” (BBC 26/9/2010)

See article in New York Times, “Malware Hits Computerized Industrial Equipment” and Nancy Bartel in Control Global “Worst Fears Realised” (24/9/2010)

More from Eric Byres “The amazing Mr Stuxnet!” (23rd September 2010)

Another in ControlGlobal “Siemens Updates News on Stuxnet Virus.” (23/9/2010)

Was Stuxnet Built to Attack Iran’s Nuclear Program? (Robert McMillan 21/9/2010)

Stuxnet Update: Defending Against the Next Stuxnet (List of links from Grant Gerke in Automation World 21/09/2011)

Exploring Stuxnet’s PLC Infection Process (Nicolas Falliere in Symantec connect 21/9/2010)

• The LinkedIn Stuxnet Global Discussion

by Nick Denbow, Industrial Automation Insider (Sept 2010 Issue)

We have covered this topic twice already: first in July, “Security threat to the control system world!”, and then in Andrew Bond’s article in August, ‘“Zero day” attack on Siemens control system software shows alarming new level of malware sophistication’. This article by Nick Denbow, the new Editor of Industrial Automation Insider, continues the analysis.

We are adding dated articles and blogs on this worm in the box on the right – latest at the top.

After the Stuxnet worm, all industrial control systems, PLCs and RTUs with embedded systems now have to be regarded as at risk. So says Walt Sikora of Industrial Defender Inc (ID) – but then he would say that, wouldn’t he, as vice president of security solutions at Industrial Defender? However a recent webcast by Sikora presents an excellent outline of the capabilities of the Stuxnet worm as known at present, and gives a timeline presenting the events of the past two months, as evidence for his assertion that “This is a very sophisticated, very scary piece of malware.”

In his webcast, first presented on 19 August, Sikora explains that the malware attacks the control system and can insert itself into the internal communications to the PLC; it has been dubbed the first rootkit for a PLC device.

While the Siemens PCS7 is the target in this instance, the Stuxnet worm is not the result of a bored schoolboy prankster – it is described as a sophisticated cyber-war weapon, with a payload targeted at a specific industrial control system. The conclusion is that control systems are to be the targets for future worms: despite any future fast response from Microsoft, Siemens and AV suppliers, their actions can only slam doors shut after an attack has been successful.

Stuxnet time-line

The time-line for this story started over a year ago, when the Stuxnet virus was apparently launched. It was first discovered on June 17 by VirusBlockAda, a Belarusian AV development company.

July 15 Frank Boldewin, a security researcher, decrypted the worm and found that it targeted Siemens WinCC and PCS7 control systems.

July 22 Siemens posted a tool to identify and repair systems, followed by similar actions from AV vendors.

July 27 ID hosted its first panel discussion, a webcast intended to disseminate all available knowledge about the worm.

Aug 2 Microsoft issued the emergency patch. Microsoft acted very promptly, demonstrating its commitment to the industrial control systems sector by issuing an emergency patch for the .lnk file vulnerability on the operating systems it regards as current; older systems such as Windows 2000, NT, or XP service pack 1/2 are no longer supported and are not included. Inevitably it will also take time, resources and commitment from operators to test, approve and install this patch even on the newer systems where it is needed.

August 6 however, in Sikora’s words: “Symantec found that the malware itself, the payload, was worse than what we even thought…the worm itself had the capability of being controlled from a computer outside, it would allow the attacker to take control and write values to the control system itself, and that is very very scary. All automation control systems are at risk today.” The August 6 posting on the Symantec website by Nicolas Falliere, a senior software engineer, explains that “Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.”

Beware of sleeping code blocks

Falliere continues with an unattributed example of the effects of these hidden, sleeping code blocks. He explains that by writing code to the PLC, the Stuxnet malware can potentially control or alter how the system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. The code was secretly ‘Trojanized’ to function properly and, only some time after installation, instruct the host system to increase the pipeline’s pressure beyond its capacity. This, [he asserts], resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb. Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their PLC devices. Falliere adds: “We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world industrial control systems.”
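The audit Falliere calls for amounts to comparing what is actually resident on the controller with what was commissioned. The script below is an added illustration of that idea, not code from the article, Symantec or Industrial Defender; the block names and contents are constructed sample data, and the assumption is that a trusted inventory of block digests was recorded when the program was first loaded.

```python
"""Added example (not code from the article, Symantec or Industrial Defender):
audit a PLC's program blocks against a trusted inventory recorded at
commissioning. Block names and contents are constructed sample data."""
import hashlib
from typing import Dict, Iterable, List, Tuple

def fingerprint(block_bytes: bytes) -> str:
    """SHA-256 digest of a block's compiled contents."""
    return hashlib.sha256(block_bytes).hexdigest()

def build_inventory(blocks: Iterable[Tuple[str, bytes]]) -> Dict[str, str]:
    """Map block name -> digest. Take the upload from a known-clean host: a
    rootkit on the engineering station can hide injected blocks from tools
    that run there, which is what the article describes Stuxnet doing."""
    return {name: fingerprint(data) for name, data in blocks}

def audit_blocks(baseline: Dict[str, str],
                 current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff the current inventory against the trusted baseline. 'added' is
    the list to examine first: code resident on the PLC that was never
    commissioned is the unexpected code administrators are told to audit for."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(n for n in base & cur if baseline[n] != current[n]),
    }

# Constructed: the program as commissioned ...
COMMISSIONED = [
    ("OB1", b"main cycle: call FC1"),
    ("FC1", b"pump control logic v1"),
    ("DB1", b"setpoints: 1200 rpm"),
]
# ... and a later upload in which the main cycle now calls an extra block
# that was never part of the project.
UPLOADED = [
    ("OB1", b"main cycle: call FC9; call FC1"),
    ("FC1", b"pump control logic v1"),
    ("FC9", b"undocumented block"),
    ("DB1", b"setpoints: 1200 rpm"),
]
BASELINE = build_inventory(COMMISSIONED)

def run_audit() -> Dict[str, List[str]]:
    return audit_blocks(BASELINE, build_inventory(UPLOADED))

if __name__ == "__main__":
    for kind, names in run_audit().items():
        print(f"{kind:8s}: {', '.join(names) or '-'}")
```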

HIPS protection against Stuxnet

In the ID webcast Sikora continues with a demonstration of Stuxnet, and then goes on to show that the new Industrial Defender HIPS [Host Intrusion Prevention System – see side panel] would stop the Stuxnet worm penetrating a protected system. HIPS is therefore offered as a valid method for in-depth protection of industrial control systems against such malware, as part of the ‘Defense in Depth’ strategy promoted by Industrial Defender. HIPS only allows known-good executables to run, from a “whitelist” of permitted programmes. It uses intrusion prevention and access management, and has none of the regular scanning issues of AV software, whose scans can tie up a computer or system for extended periods. Sikora claims that HIPS would have prevented the Stuxnet worm accessing the known infected control systems.

Geographic spread of Stuxnet

Separately a white paper on the ID website gives further background, which also shows the major infection levels by the Stuxnet worm.

On July 15 Kaspersky Labs in Russia, the AV vendor, reported 5000 compromised machines.

By July 23 there were 45,000 infected machines reported, with main concentrations, according to Kaspersky, in India, Indonesia and Iran. The population infected in the USA is not known (as Kaspersky does not have much market penetration there, and other data is not available). Symantec data summarises that the major infections are in SE Asia, and that 48% of hits reported have been on Windows XP SP2 systems, for which there is no official Microsoft emergency patch.

  • A recorded version of the Sikora August 19 webcast is available on the Industrial Defender website, presenting his review of the development of current knowledge about the Stuxnet worm, and is recommended viewing!
  • Industrial Defender has also announced Compliance Manager, a security process automation and information management system that enables control system managers in the utility, chemical, oil, gas, water and transportation industries to cost-effectively implement and sustain best practices that assure system security, availability and compliance to corporate and industry security standards. “Utilities are being overwhelmed by the amount of information, events and tasks that they need to manage as they continue to enhance their critical system security processes”, said Brian M. Ahern, president and CEO of Industrial Defender. “Industrial Defender’s Compliance Manager automates data collection and analysis tasks that would otherwise require extensive manual operations, while providing the tools needed to improve system integrity and meet the extensive compliance auditing requirements of NERC CIP cyber security standards.”

Compliance Manager and the associated Industrial Defender sensor and collector technologies are specifically built to operate with both mission critical automation systems (e.g., SCADA, EMS/DMS, DCS/ PCS) and industrial end-point devices without impacting system performance and availability. It automates the collection, retention, analysis and reporting of a comprehensive set of system and security management information. It consolidates and analyzes device inventories, event logs, system configurations, software/patch status and user accounts, as well as archives of log and configuration files for automation control applications, operating systems, firewalls, network devices and end-point industrial devices.


This is just one of many items packed into the September issue of Industrial Automation Insider (IAI); it is an essential read for all automation professionals.

Register for your copy here!

And tell them the Read-out Signpost sent you!
