Stuxnet malware worse than expected, hides injected code on a PLC: all automation control systems at risk!
by Nick Denbow, Industrial Automation Insider (Sept 2010 Issue)
We have covered this topic twice already first in July, “Security threat to the control system world!” and the Andrew Bond’s article in August: ‘ “Zero day” attack on Siemens control system software shows alarming new level of malware sophistication.‘ This article by Nick Denbow the new Editor of Industrial Automation Insider continues the analysis.
We are adding dated articles and blogs on this worm in the box on the right – latest at the top.
After the Stuxnet worm, all industrial control systems, PLCs and RTUs with embedded systems now have to be regarded as at risk. So says Walt Sikora of Industrial Defender Inc (ID) – but then he would say that, wouldn’t he, as vice president of security solutions at Industrial Defender? However a recent webcast by Sikora presents an excellent outline of the capabilities of the Stuxnet worm as known at present, and gives a timeline presenting the events of the past two months, as evidence for his assertion that “This is a very sophisticated, very scary piece of malware.”
In his webcast, first presented on 19 August, Sikora explains that the malware attacks the control system, and can insert itself into the internal communications to the PLC, being dubbed the first rootkit for a PLC device.
While the Siemens PCS7 is the target in this instance, the Stuxnet worm is not the result of a bored schoolboy prankster – it is described as a sophisticated cyber-war weapon, with a payload targeted at a specific industrial control system. The conclusion is that control systems are to be the targets for future worms: despite any future fast response from Microsoft, Siemens and AV suppliers, their actions can only slam doors shut after an attack has been successful.
The time-line for this story started over a year ago, when apparently the Stuxnet virus was launched. It was then discovered first June 17 by a Belarus AV development company, VirusBlockAda.
July 15 Frank Boldewin, a security researcher, decrypted the worm and found it targeted Siemens WinCC and PCS7 control systems
July 22 Siemens posted a tool to identify and repair systems, followed by similar actions from AV vendors.
July 27 ID hosted their first panel discussion in a webcast, hosted in order to disseminate all available knowledge about the worm.
Aug 2 Microsoft issued the emergency patch. While Microsoft has acted very promptly, demonstrating their commitment to support of the industrial control systems sector by issuing an emergency patch for .lnk files on the software systems that they regard as current operating systems, older systems such as Windows 2000, NT, or XP service pack 1/2, are no longer supported, and not included. Plus inevitably it will take time, resources and commitment by operators to test, approve and install this patch on even the new systems where it is needed.
August 6 however, in Sikora’s words: “Symantec found that the malware itself, the payload, was worse than what we even thought…the worm itself had the capability of being controlled from a computer outside, it would allow the attacker to take control and write values to the control system itself, and that is very very scary. All automation control systems are at risk today.” The August 6 posting on the Symantec website by Nicolas Falliere, a senior software engineer, explains that “Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.”
Beware of sleeping code blocks
Falliere continues with an unattributed example of the effects of these hidden, sleeping code blocks. He explains that by writing code to the PLC, the Stuxnet malware can potentially control or alter how the system operates. A previous historic example includes a reported case of stolen code that impacted a pipeline. Code was secretly ‘Trojanized’ to function properly, and only some time after installation, instruct the host system to increase the pipeline’s pressure beyond its capacity. This, [he asserts] resulted in a three kiloton explosion, about 1/5 the size of the Hiroshima bomb. Thus, in addition to cleaning up the Stuxnet malware, administrators with machines infected with Stuxnet need to audit for unexpected code in their PLC devices. Falliere adds “We are still examining some of the code blocks to determine exactly what they do and will have more information soon on how Stuxnet impacts real-world industrial control systems.”
HIPS protection against Stuxnet
In the ID webcast Sikora continues with a demonstration of the Stuxnet, and then goes on to show that the new Industrial Defender HIPS [Host Intrusion Prevention System – see side panel] would stop the Stuxnet worm penetrating a protected system. HIPS is therefore offered as a valid method for indepth protection of industrial control systems against such malware. This is a part of the ‘Defense in Depth’ strategy promoted by Industrial Defender. HIPS only allows good executables, from a “whitelist” of programmes allowed to run. It uses intrusion prevention and access management, and has no regular scanning issues, such as the scans used by AV software that tie up a computer or system for extended timescales. Sikora claims that HIPS would have prevented the Stuxnet worm accessing the known infected control systems.
Geographic spread of Stuxnet
Separately a white paper on the ID website gives further background, which also shows the major infection levels by the Stuxnet worm.
On July 15 Kaspersky Labs in Russia, the AV vendor, reported 5000 compromised machines.
By July 23 there were 45,000 infected machines reported, with main concentrations, according to Kaspersky, in India, Indonesia and Iran. The population infected in the USA is not known (as Kaspersky does not have much market penetration there, and other data is not available). Symantec data summarises that the major infections are in SE Asia, and that 48% of hits reported have been on Windows XP SP2 systems, for which there is no official Microsoft emergency patch.
- A recorded version of the Sikora August 19 webcast is available on the Industrial Defender website, presenting his review of the development of current knowledge about the Stuxnet worm, and is recommended viewing!
- Industrial Defender has also announced Compliance Manager, a security process automation and information management system that enables control system managers in the utility, chemical, oil, gas, water and transportation industries to cost-effectively implement and sustain best practices that assure system security, availability and compliance to corporate and industry security standards.“Utilities are being overwhelmed by the amount of information, events and tasks that they need to manage as they continue to enhance their critical system security processes”, said Brian M. Ahern, president and ceo ofIndustrial Defender. “Industrial Defender’s Compliance Manager automates data collection and analysis tasks that would otherwise require extensive manual operations, while providing the tools needed to improve systemintegrity and meet the extensive compliance auditing requirements of NERC CIP cyber security standards.”
Compliance Manager and the associated Industrial Defender sensor and collector technologies are specifically built to operate with both mission critical automation systems (e.g., SCADA, EMS/DMS, DCS/ PCS) and industrial end-point devices without impacting system performance and availability. It automates the collection, retention, analysis and reporting of a comprehensive set of system and security management information. It consolidates and analyzes device inventories, event logs, system configurations, software/patch status and user accounts, as well as archives of log and configuration files for automation control applications, operating systems, firewalls, network devices and end-point industrial devices.
This is just one of many items packed into the September Issue of Indiustrial Automation Insider (IAI), it is an essential read for all Automation Professionals.
And tell them the Read-out Signpost sent you!