
Page 1: Stuxnet: The Future of Malware? Stephan Freeman


Stuxnet: The Future of Malware?

Stephan Freeman

Page 6

Theme

Systems physically controlling something…

Getting hacked…

Disasters averted. Just.

The reality isn’t so different…

Page 7

Previous Incidents

Slammer disables safety systems at Ohio Davis-Besse Nuclear Plant in US for five hours in 2003

Blaster affects US power grid during 2003 blackout

Disgruntled employee in Australia logs in over WiFi at his old employer's and releases over a million litres of raw sewage

14-year-old in Lodz, Poland, derails trams after taking over the signalling system in 2008

Many more undisclosed

Page 8

Previous Incidents

All either accidental/side effects of non-targeted attacks

Or bored/disgruntled individuals

Stuxnet signifies something new:

Malware specifically targeted at a country’s physical infrastructure.

Page 9

What is it?

Windows-based malware, targeting very specific configurations

Used four zero-day vulnerabilities

Is the first Process Control-specific malware seen

Almost certainly state-sponsored

Possibly an insight into the future of malware

Page 10

Process Control Systems

Systems used to bridge the logical and physical interface

Several types of components, used in industrial environments (PLCs, DCSs…)

Manufactured by Siemens, GE, ABB, Westinghouse

Often referred to as SCADA systems (Supervisory Control And Data Acquisition)

Page 11

SCADA

Controls almost anything, e.g.:

Traffic signals

Train signals

Amusement park rides

Water processing systems

Power station generators

Factory assembly lines

Electrical substations

Page 13

Vulnerabilities

COTS components used with known vulnerabilities

Lag between patches being released and being certified for a particular system

Poorly-written OS or TCP/IP stack on individual components

Lack of understanding of the risk

Multiple third parties involved in the integration of large-scale systems

Page 14

Stuxnet - Detail

Targeted Windows PCs connected to Siemens PLCs (specifically S7-300)

Spread via USB sticks and over the Internet using 4 zero-day vulnerabilities

Installs itself as a rootkit in Windows, using stolen driver signing certificates

Modified the Step-7 application used to reprogram PLCs

Installs itself on the Siemens PLC

Page 15

What is a PLC?

Page 16

Stuxnet - Detail

Once on the PLC, checks whether either Vacon (Finnish) or Fararo Paya (Iranian) frequency converter drives are attached

Checks what frequency they’re running at: if they’re between 807 Hz and 1210 Hz, it changes the frequency of the drives periodically.

The frequencies happen to correspond to those needed for gas centrifuges, such as those used in the enrichment of uranium

Done in such a way as to hide any error messages being passed back to the controller

Automatically deletes itself on the 24th of June 2012
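The slide makes the defender's problem explicit: the drives were driven outside their normal band while the errors were hidden from the controller, so the PLC's own reporting cannot be trusted. The following added example (not from the slides, and not Siemens or Stuxnet code) shows one way to catch that: cross-checking PLC-reported drive frequencies against an assumed independent sensor feed and the 807 Hz to 1210 Hz operating band named on the slide. Drive names, tolerance and the sample readings are constructed.

```python
"""Cross-check PLC-reported frequency converter speeds against an independent
sensor.  A controller that has been made to lie about drive state (as the
slide describes) shows up as a reported/measured mismatch, and a drive pushed
out of its operating band shows up even when the HMI looks healthy.
Sample data is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple

OPERATING_BAND_HZ = (807.0, 1210.0)  # band named on the slide
TOLERANCE_HZ = 5.0                    # constructed: allowed reported/measured gap


@dataclass
class Sample:
    t: int              # seconds since start of the constructed timeline
    drive: str          # constructed drive identifier
    reported_hz: float  # what the PLC/HMI tells the operator
    measured_hz: float  # assumed independent sensor, not routed via the PLC


def find_anomalies(samples: List[Sample]) -> List[Tuple[int, str, str]]:
    """Return (time, drive, reason) alerts for mismatched or out-of-band readings."""
    lo, hi = OPERATING_BAND_HZ
    alerts = []
    for s in samples:
        # The controller's view disagrees with reality: the report is not trustworthy.
        if abs(s.reported_hz - s.measured_hz) > TOLERANCE_HZ:
            alerts.append((s.t, s.drive, "reported/measured mismatch"))
        # Independent of what was reported, the drive is outside its operating band.
        if not lo <= s.measured_hz <= hi:
            alerts.append((s.t, s.drive, "measured frequency outside operating band"))
    return alerts


# Constructed feed: DRV-1 is periodically pushed out of band while the PLC
# keeps reporting the nominal value; DRV-2 is healthy throughout.
SAMPLES = [
    Sample(0,   "DRV-1", 1064.0, 1064.0),  # healthy
    Sample(300, "DRV-1", 1064.0, 1410.0),  # PLC reports nominal, drive sped up past band
    Sample(600, "DRV-1", 1064.0, 1064.0),  # back to normal between episodes
    Sample(900, "DRV-1", 1064.0, 420.0),   # PLC reports nominal, drive slowed below band
    Sample(0,   "DRV-2", 1064.0, 1066.0),  # healthy, within tolerance
]

if __name__ == "__main__":
    for t, drive, reason in find_anomalies(SAMPLES):
        print(f"t={t:>4}s {drive}: {reason}")
```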

Page 17

Target?

Iranian uranium enrichment centrifuges, inspected by President Ahmadinejad

Page 18

Stuxnet - Infections

From Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

Page 19

Impact

US not affected – very few infections

Possible links to 10 large-scale explosions in Iranian oil and petrochemical plants

Affected numerous centrifuges at Iran’s main uranium processing plant in Natanz

Could have caused “large scale accidents and loss of life” in Iran, according to AP

Page 20

Why do it?

Deniability

Physical distance

Stealth

Unclear response

Page 21

Stuxnet – Author?

Difficult to tell who wrote it

Common consensus is that it was state-sponsored

Too much technical knowledge to be casual hackers

Page 22

This may have happened before…

Pipeline explosion in former Soviet Union in 1982

CIA alleged to have deliberately sabotaged SCADA equipment destined for the Trans-Siberian Pipeline, stolen by the KGB

Supposedly used a logic bomb

Resultant explosion had a force of three kilotons of TNT

Page 23

What does the future hold?

More targeted attacks

Private companies on the front-line

Over 30 countries have cyber-warfare programmes

More hacktivists

General need to “batten down the hatches”

Page 24

[Pie chart: Who receives targeted attacks? Worldwide industry sector since 2008. Legend: Public Sector, Manufacturing, Finance, IT Services, Education, Other; slice values 32%, 16%, 8%, 6%, 5% and 33%.]

Targeted Attacks - Infosec

18172 targeted attacks during 2010

Page 25

What can we do?

Loads of advice available

Organisations should think hard about the threats they face

Take a holistic approach, looking at physical security as well as information security

Accept that it may not be possible to defend networks against a concerted, well-funded attack, and consider keeping the most critical information offline.

Page 27

Stephan Freeman BSc MSc MBCS CITP

Information Security Manager

London School of Economics & Political Science

Secretary, ISSA UK

[email protected] / [email protected]

Thank You