Network admins must beware of Stuxnet: A SCADA System worm
By Mark Underwood
July 20, 2010, 12:42 PM PDT
Takeaway: Learn why Mark Underwood looks at Stuxnet as a new kind of threat that network admins should not simply classify with the regular barrage of security advisories. Find out more about this worm and its target.
Sometimes with mind-numbing frequency, patches and security advisories from Microsoft, Adobe, and Apple compete for an ever-increasing amount of attention from administrators. Little wonder then, that most will have greeted with a mild yawn the latest announcement of another zero day attack — this one named the “Stuxnet Attack.” Just as I was about to file this latest message under “Priority - To Be Reviewed,” the sender’s name jarred me to attention: Managing Automation.
Managing Automation is a periodical with a healthy web presence that tends to cover topics from the supply chain, manufacturing, process control, and product lifecycle management. Over the past five years or more, the editorial focus has branched out to cover additional topics more familiar to network administrators: e.g., security event management for industrial systems, defenses against industrial espionage, etc. Despite this new coverage area, Managing Automation topics are rarely vehicles for malware notification. It was noteworthy then, to see author Chris Chiappinelli’s story begin with:
Manufacturers worldwide have been put on notice that an insidious virus targeting supervisory control and data acquisition (SCADA) systems is on the loose.
The targets of the malware are Siemens’ SIMATIC WinCC and PCS7 software, integral components of the distributed control and SCADA systems that facilitate production operations in many process manufacturing companies…
Those not in the manufacturing and process engineering fields may be unaware of Siemens SIMATIC and PCS7 software. How important was this emerging threat, in a field rife with worries that are sometimes alarmist and self-serving? Important. This time there is legitimate cause for concern.
Wired’s Kim Zetter wrote in a post the same day as the Managing Automation announcement that “the emergence of malware targeting a SCADA system is a new and potentially ominous development for critical infrastructure protection.” Network World’s Ms. Smith quotes F-Secure’s warning that the vulnerability poses “a risk of virus epidemic at the current moment.” Finally, it may be standard lingo for such announcements, but Microsoft’s July 16th announcement of Security Advisory 2286198 advised customers to visit Microsoft’s general support portal and to “contact the national law enforcement agency in their country.”
All of this was more than enough to get my attention.
While SCADA systems are often not regularly connected to the Internet, they are networked and are subject to the usual array of vulnerabilities. (Promotional web copy for the Siemens product that is the target of this attack explicitly mentions Ethernet switches and wireless LANs.) Public officials such as Richard Clarke have warned about risks to SCADA systems, but there have been few examples to rally the troops. While the particular vulnerability — a hard-coded password allowing access to the Siemens software’s back-end database — is not especially remarkable (though it does both date the software and call into question software quality review processes at Siemens), the malware packs a punch.
Thought to spread mainly by USB stick, or possibly by network shares, it cannot be defeated simply by turning off Windows autorun: merely viewing an infected file system will install the malware. A security specialist at Tofino believes that this zero-day attack, which affects all versions of Windows, may have been in the wild for a month or more. Preliminary assessments indicate that the malware does not appear designed to cripple infrastructure, but rather to steal information from SIMATIC WinCC / PCS7 installations — i.e., some form of industrial espionage. Of course, that espionage could later be used to wreak havoc on these same or similarly configured systems.
Recent press and analyst coverage has addressed both the threats to SCADA networks and the broader Windows vulnerability the worm uses to spread: it exploits the code that interprets Windows shortcuts, i.e., .lnk files. As Microsoft noted in its analysis of the exploit, which has been named the “Stuxnet” threat, this is a new method of propagation that leverages a flaw in the way the Windows Shell “parses shortcuts.” The shortcut-parsing vulnerability has been cataloged as CVE-2010-2568 in Mitre’s CVE list. For its part, Microsoft has proposed a workaround of sorts and updated its own detection engines.
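As an added example (not code from the article, Microsoft or Siemens): a byte-level parser for the Windows shortcut format that the article says the worm abuses. It lets an analyst list and triage the .lnk files on a removable volume from an analysis host without ever asking the Windows Shell to render them, which matters because the article notes that merely browsing an infected file system is enough to trigger the flaw. The field layout follows Microsoft's public MS-SHLLINK specification; the triage rule (flag a shortcut whose target or icon resolves to a loadable module such as a .dll or .cpl) and the constructed sample shortcuts produced by build_lnk are my own assumptions, not indicators published for Stuxnet.

```python
"""Offline triage of Windows shortcut (.lnk) files, e.g. from a mounted USB stick.

Byte-level parser for the ShellLink format documented in MS-SHLLINK:
header, LinkTargetIDList (skipped), LinkInfo (local base path) and
StringData (name, relative path, working dir, arguments, icon location).
The flagging rule in triage() is my own assumption, not a published IoC.
"""
import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
MODULE_EXT = (".dll", ".cpl", ".ocx", ".scr")  # assumption: loadable-module extensions worth a look


def parse_lnk(data):
    """Return a dict of the shortcut's fields without ever handing it to the Shell."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "local_base_path": None}
    pos = 0x4C                                   # fixed-size ShellLinkHeader ends here
    if flags & HAS_IDLIST:                       # IDListSize, then opaque ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr, li_flags, _vol, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath present
            start = pos + lbp_off                # offset is relative to LinkInfo start
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += li_size
    for key, bit in STRING_FIELDS:               # StringData blocks, in this fixed order
        info[key] = None
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return info


def triage(info):
    """Reasons an analyst should look closer; an empty list means nothing odd was found."""
    reasons = []
    for field in ("local_base_path", "relative_path", "icon_location"):
        value = info.get(field)
        if value and value.lower().endswith(MODULE_EXT):
            reasons.append(f"{field} points at a loadable module: {value}")
    return reasons


def scan_lnk_files(root):
    """Walk a tree (e.g. the mount point of a USB stick) and triage every .lnk in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    reasons = triage(parse_lnk(fh.read()))
            except (OSError, ValueError, struct.error, UnicodeDecodeError) as exc:
                reasons = [f"unparseable shortcut: {exc}"]   # malformed files deserve a look too
            if reasons:
                findings.append((full, reasons))
    return findings


def build_lnk(local_base_path=None, arguments=None, icon_location=None, unicode=False):
    """Construct a minimal, structurally valid shortcut (sample data for testing, not a capture)."""
    flags = IS_UNICODE if unicode else 0
    body = b""
    if local_base_path is not None:
        flags |= HAS_LINKINFO
        path = local_base_path.encode("latin-1") + b"\x00"
        # VolumeID: size 0x11, DriveType 2 (DRIVE_REMOVABLE), serial, label offset, empty label
        volume_id = struct.pack("<IIII", 0x11, 2, 0x1234ABCD, 0x10) + b"\x00"
        lbp_off = 0x1C + len(volume_id)
        suffix_off = lbp_off + len(path)         # empty CommonPathSuffix follows the path
        body += struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, 0x1C, lbp_off, 0, suffix_off)
        body += volume_id + path + b"\x00"
    for value, bit in ((arguments, HAS_ARGS), (icon_location, HAS_ICON)):
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value))
            body += value.encode("utf-16-le" if unicode else "latin-1")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    return header + bytes(0x4C - len(header)) + body + struct.pack("<I", 0)  # terminal ExtraData block


if __name__ == "__main__":
    import sys
    for path, reasons in scan_lnk_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, *reasons, sep="\n  ")
```

Run it against the mount point of a suspect stick from a non-Windows host (or any host where the Shell is not asked to display the directory). The parser only reads bytes, so a malformed shortcut can at worst raise an exception, which the scanner records as a finding of its own.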
As if that weren’t enough, the attack also involved the theft of a Verisign-issued digital certificate belonging to Realtek Semiconductor. Stuxnet used this certificate to sign the drivers it needs when it installs itself, so that Windows would accept them; Microsoft has since persuaded Verisign and Realtek to revoke the certificate. This was the icing on the trojan’s cake.
The Dependency Syndrome
What does all this mean? One lesson, not new but borne out by this incident, is that the Internet-centric orientation of most malware models can miss certain types of threats. SCADA vulnerabilities are just that sort of threat. And while infections might not spread directly from them to general-purpose networks, those general-purpose networks depend upon SCADA systems for connectivity, power — and even human habitability. The “Dependency Syndrome” asserts that connections between traditional networks, such as those managed every day by network administrators, and nontraditional networks, such as those hosting SIMATIC WinCC / PCS7, will sooner or later be impossible to detect — and to defend against.
Some reader comments from the above:
Alert Code Red
While this will not apply to the majority of IT personnel, it serves as good awareness of what is happening in the other sectors, especially since the "brain" behind a SCADA system is a computer.
It might not affect us as IT jockeys per se, however, its use in controlling water treatment plants, sewerage systems, electrical power transmission and large communication system makes it important for us to at least know something about it.
Other Systems that I see as attack vectors
Besides the SCADA system, I see problems coming on the horizon with BACnet, ZigBee, and all these SMART meters all the power companies are installing. Imagine, someone can shut down your business' HVAC, power, and even other SMART devices.
You and your entire family
I work for a public water supply (PSD). We have Siemens equipment in the plant, and from one end of the system to the other. Lots of it on the INTERNET as a comm. link. Used to control chemical feed pumps, monitor water quality at remote system sites, etc. etc..... I won't go into any more detail. I'm sure you can see the potential for a large number of people. As a SCADA field tech let me invite you to go to the kitchen, run out a glass of water and really think about this while you drink it.
Did it taste a little different this time??
Fire is - potentially - everywhere...
Our company producing paper is controlled by SCADA systems from electrical energy supply (utility and own generators), through wood processing machines (chippers) and the whole production line to waste and water treatment plants. With very little effort (in software) you can destroy the whole mill: exceed some parameters (pressure or something else), let it explode and rip some equipment carrying strong chemicals (for example HCl = hydrochloric acid). That carried by wind and/or water will kill the local population...
In case of emergency ALL personnel including contractors have gas masks. Mine is in the drawer below the computer here. It is only to escape. Many windsocks around indicate the direction to choose. In the town people don't have all of that. They don't have to have computers to be affected. OS is also irrelevant...
It's not about the system or sector that STUXNET is attacking. It's about the concept that an undetectable piece of malware is attacking a network or system that no one probably worried about. I doubt there is NORTON A/V that you run on this system. So think about your own network. What non-Microsoft, non-mainstream systems do you deploy? How about that new car you bought with built-in Bluetooth technology? Your kid d/l's a file on their iPod and links it to the car stereo. Then when the file is accessed, a code is sent to the car's computer via the link between them for speed volume control. By the way, that code was to disable the brakes and increase the throttle. Is this likely? No, but possible. We forget that although some devices may not be directly connected to the internet, they are connected to a network, or become connected at some point. The bad guys understand this and are finding ways to infect these systems that we thought were "secure". That is Everyday IT as you put it.
RE: Network admins must beware of Stuxnet: A SCADA System worm
Interesting article. A few days ago I was shocked when I found out that a lot of power plants in my country still keep their 70s dinosaurs in working order. I understand them now. A properly set-up obsolete mainframe is way better than running a plant by hand if SCADA viruses start spreading and making real damage.
We have industrial espionage now. How far away are viruses which will actually attempt to sabotage industrial complexes, especially in most critical moments?
Preparing for cyber war: Bernd Debusmann
Wed Mar 19, 2008 11:07am EDT
(Bernd Debusmann is a Reuters columnist. The opinions expressed are his own)
By Bernd Debusmann
WASHINGTON (Reuters) - At the height of the Cold War, a Soviet oil pipeline blew up in an explosion so huge that the American military suspected a nuclear blast. A quarter of a century later, the incident serves as an object lesson in successful cyber warfare.
The pipeline blew up, with disastrous consequences for the Soviet economy, because its pumps, valves and turbines were run by software deliberately designed to malfunction. Made in the U.S. and doctored by the CIA, it passed into Soviet hands in an elaborate game of deception that left them unaware they had acquired "bugged" software.
"The pipeline software...was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds. The result was the most monumental non-nuclear explosion ever seen from space," Thomas C. Reed, a former air force secretary, wrote in his 2004 memoir.
The pipeline explosion was probably the first major salvo in what has since become known as cyber warfare. The incident has been cropping up in increasingly urgent discussions in the U.S. on how to cope with attacks on military and civilian computer networks and control systems - and how and when to strike back.
Air traffic control, power plants, Wall Street trading systems, banks, traffic lights and emergency responder communications could all be targets of attacks that could bring the U.S. to its knees. As Michael McConnell, the Director of National Intelligence, put it in recent testimony to a Senate committee:
"Our information infrastructure - including the Internet, telecommunications networks, computer systems and embedded processors and controllers in critical industries - increasingly is being targeted...by a growing array of state and non-state adversaries." Cyber attacks, he said, had grown more sophisticated and more serious.
The Pentagon says it detects three million attempts to infiltrate its computer networks every day. There are no estimates of how many probes are successful but last year the Pentagon had to take 1,500 computers off line because of a concerted attack from unknown hackers.
POOR SECURITY, DEVASTATING CONSEQUENCES
How tight are the U.S. government's defenses? Not very, according to the Government Accountability Office, the audit and investigative arm of the U.S. Congress. In a report last week, it said an audit of 24 government agencies - including Defense and Homeland Security - had shown that "poor information security is a widespread problem with potentially devastating consequences."
Striking back at cyber attackers poses a raft of tricky questions, chiefly because cyber war cannot be waged without involving civilians. Private companies own more than 80 percent of the infrastructure McConnell talked about and without close public-private coordination, effective counter-strikes are next to impossible.
"Unlike traditional defense categories (i.e. land, sea and air), the military capabilities required to respond to an attack on U.S. infrastructure will necessarily involve infrastructure owned and operated by the private sector," according to Jody R. Westby, CEO of the Washington consulting firm Global Cyber Risk and a champion of better public-private coordination to cope with cyber attacks.
Coordination between the military and civilians has yet to be tested. The military stayed away from an exercise this month that brought together experts from the U.S., Canada, Britain, New Zealand and Australia, 18 U.S. federal agencies and around 40 companies, including Microsoft and Cisco Systems. The game featured mock attacks against computer networks, pipelines and railroads.
(The exercise was described as the biggest of its kind. But "big" is relative. To get the scale into perspective: There are 233 countries connected to the Internet today, with an estimated 1.2 billion users. More than 120 countries are estimated to be developing cyber warfare capabilities).
As things stand, could the U.S. or its allies become victim of an attack similar to the Soviet pipeline blast? Probably yes. The threat comes from China, which has been placing heavy emphasis on what it calls "informationized war," and a motley array of hackers and terrorists.
Among the most potent weapons in their arsenal: "bots," malicious software robots that are the digital equivalent of terrorist sleeper cells that lie dormant for months or years before springing into destructive action. In testimony to Congress, Homeland Security's top scientist on cyber security, W. Douglas Maughan, has said that there is currently no effective antidote to bots.
How much damage could they do? Here is a scenario drawn from an interview with Westby, who is a member of the World Federation of Scientists' Permanent Monitoring Panel on Information Security. Her outline is based on the assumption that China has already implanted bots in millions of public and private computer systems.
"Bot herders" around the world unleash their malicious software bots to attack U.S. government, financial, oil and gas systems. One early victim: the U.S. Department of Commerce, which loses all communications because its internet and telephone communications use Voice over Internet Protocol networks. That means if the Internet goes down, all communications go down.
As Commerce is cut off, the U.S. collection point for inter-bank financial transactions discovers that bogus data are being inserted from both the sending and confirming side of the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system. Chaos ensues in financial markets.
The New York Stock Exchange shuts down after massive "denial of service" attacks similar to those that last year forced Estonia to close down websites run by government ministries, banks and telecommunications companies.
At the same time, systems controlling the valves of oil and gas pipelines come under attack as bogus instructions override system controls and false data is sent to control room screens. The pipelines are shut. Some explode. There are casualties.
The government decides it must block the malicious traffic and come to the assistance of the financial, gas and oil companies under cyber attack. This involves deploying classified solutions and counter attacks through the networks of various U.S. communication providers.
The problem: There is no agreement between the Pentagon and the private sector on transferring private networks to military control. Owners are reluctant to turn over their systems to the military for fear their networks and their reputation might be damaged as a result of cyber war actions not under their control. The problem could be solved by the government declaring martial law, a step it is hesitant to take.
And what about the foreign-owned networks that would have to be used to launch an effective counter attack? Does the U.S. have to ask permission before sending cyber war actions across foreign networks? Would NATO have to be involved? (The 50-year-old treaty does not cover cyber warfare). Should the U.N. charter be amended to apply to cyber war rather than only "armed attacks?"
These are all questions that require urgent answers if the U.S., more dependent on computers and the Internet than most countries, wants to protect what a writer in the latest issue of the Armed Forces Journal aptly describes as "America's digital Achilles' heel."