The Secret War: Stuxnet, Duqu and Flame
The highly complex computer worm called Stuxnet, targeted at sophisticated industrial control systems, was first identified in July of 2010. The arrival of Stuxnet changed everything…as it was a harbinger of the shape of things to come.
Stuxnet sparked international press coverage and exposed to the business community the digital face of cyber espionage, cyber warfare, sabotage and electronic diplomatic sanctions. For industry leaders, it raised the specter of international industrial competition fueled by the theft of proprietary trade secrets, intellectual property, business, government and military secrets, and the potential loss of all the advantages of an advanced technological society.
Stuxnet targeted SCADA (Supervisory Control and Data Acquisition) control systems. SCADA and other legacy control systems have been used for decades in power plants and distribution grids, oil and gas refineries, air traffic and railroad management, pipeline pumping stations, pharmaceutical production, chemical plants, industrial processes, automotive assembly lines, automated food and beverage lines, water treatment plants, major dams, and many other forms of automation and production.
Stuxnet was likely released a full year before its discovery. It was designed to replicate itself while searching for very specific industrial software applications that run behind Microsoft Windows operating systems.
Stuxnet was followed in 2012 by the discovery of two closely related forms of malware, the Duqu worm and Flame. Duqu searches for information that could be useful in attacking industrial control networks and smuggles password information back to its command and control center. Flame existed several years before being discovered, and can also record Bluetooth communications.
A Clear and Present Danger
The worms Stuxnet, Duqu and Flame have been captured, quarantined, dissected and studied in captivity. The worm segments have been analyzed and published in reports, whitepapers, blogs, chats and bulletin boards. Unfortunately, the result of all the published scrutiny is that the building blocks of Stuxnet exploit code are out there and available to be used to potentially harm the rest of us. A knowledgeable hacker can use those bits and pieces like modular building blocks to create newer, better malware.
|Summary of Critical Infrastructure Incident Reports to ICS-CERT, 2012|
The hacking incidents listed in “Hacking the Industrial Network” (Part I) spanned 12 years and contained 29 publicly reported incidents. The hacking incidents specifically listed here in Part II span only 4 years and contains over 55 notably disturbing incidents affecting thousands of companies. The pandemic rate of infection is accelerating.
Why We're Vulnerable
Some may still believe that their SCADA networks are not susceptible to eavesdropping, hacking or virus propagation because industrial SCADA systems are difficult for an outsider to understand -- or that their networks are “air-gapped” to separate them from the Internet. It is not true. Access to the Programmable Logic Controllers (PLCs) used throughout your industrial network, including critical U.S. infrastructure, is possible from indeterminate remote locations outside the country, without ever visiting your site, through multiple routes into the heart of your network.
In August of 2011, Dillon Beresford of NSS Labs presented a demonstration at a security conference in Las Vegas. Beresford had no previous industrial control system expertise and limited resources. Working primarily from the bedroom of his apartment, within a few weeks he identified a “maintenance” backdoor with a permanent, hard-coded password within Siemens PLCs. Hundreds of thousands are installed. They are widely used in the energy sector.
Beresford was able to obtain full control, delete files, dump memory and execute commands, retrieve sensitive information, capture passwords, report false data back to the operator, lock the operator out of the PLC, and completely disable the PLC at will. Security consultants believe that PLCs from other manufacturers also have security weaknesses. ICS-CERT Alerts have been issued for 57 suppliers.
A bulletin board posting on the Internet in 2011 by an Italian security researcher with zero previous SCADA experience, provided thirty-four free exploits for common SCADA software produced by Siemens, Iconics, 7-Technologies, and Datac. Iconics systems are often used in the oil & gas industry in North America. Datac is popular in the water and wastewater sector. Siemens is used everywhere.
A SCADA toolbox exploit pack has been offered for sale on the Internet by a Russian information security company. It consolidates all known SCADA vulnerabilities into one package.
Beresford’s experimentation had been deliberately conducted at home on a limited budget to demonstrate that unlimited finances and man-hours were not required. “It’s not just the spooks who have these capabilities. Average guys sitting in their basements can pull this off,” said Beresford after his chilling demonstration.
The existing SCADA vulnerabilities and some precautionary measures are well described in whitepapers by Idaho and Lawrence Livermore National Labs. A simple solution involves implementing layers of defense referred to as “defense in depth.”
Leading commercial antivirus software can work well to create layers of protection in the front office of an organization, an area not adversely affected by the continuous updating of virus signatures needed to keep up with new virus variants created every few seconds. Some IT routers and switches can also provide Virtual Private Network (VPN) protection in clean, air-conditioned rooms within production areas. In harsh environments, however, with heat, dirt, moisture and vibration, standard telecommunications equipment fails rapidly. And at the lower echelons of production, the very basic PLCs and legacy industrial controls do not have the chip sets and processing capability to authenticate commands or identify malware. In a 24/7 production environment, it is risky to allow third-party software to constantly introduce updates that have not been vetted in isolation before being implemented, as these may produce other unintended consequences.
|Idaho National Laboratory: Complete Defense in Depth|
As identified in “Hacking the Industrial Network” (Part I), four years ago there were listed a handful of companies offering potential solutions applicable to the factory floor. Most of these have not updated their products or advanced technically and have not succeeded in significant market penetration. I consider only two of the listed products to be the most viable as they offer the kind of security features that would be required. These are the Innnominate mGuard® system, now also available from Phoenix Contact and the Tofino device, now available from Hirschmann/Belden.
Let’s run down the checklist of desired security features quickly. The following table contains a summary. Other technical reasons for selecting security equipment for industrial applications are explained in greater detail in Part I.
|List of Required Industrial Network Security Equipment Capabilities|
SCADA Security Outlook
State-sponsored theft of proprietary trade secrets, intellectual property, business, economic, government and military secrets, and all the advantages of a technological society are already being siphoned away at an alarming rate, with the losses measured in billions of dollars as we hemorrhage away the advanced products of our intellect. Hacking is the current province of criminal organizations, nation states, foreign competitors, and cyber terrorists.
There is no reason for this lack of implementation of industrial network security other than inertia. The security technology already exists, and simple, economical solutions are readily available. The risks are clear, and the activity is escalating. We can either act now to prepare for the next wave, or delay and procrastinate, and be perpetually behind the curve when the next bad thing occurs…and those other procrastinators are “overtaken by events” for which there is no time to respond.
A detailed study of specific recommendations and technical solutions is contained in the full white paper “Hacking the Industrial Network”(Part I) and the full version of this white paper (Part II). Complete copies, including footnotes, clickable Internet links and detailed research references can be downloaded from the International Society of Automation(www.ISA.org) and from www.innominate.com.
Frank Dickman, BSMAE, RCDD, is a widely experienced engineering consultant and former delegate to NEMA, TIA/EIA, ISO, CENELEC and the BICSI Codes & Standards Committees. He is a technical consultant to a number of leading data communications firms and is a recognized expert on U.S. and International physical infrastructure network standards. Beyond telecommunications, his experience includes consulting engineering work for petroleum refineries, chemical plants, conventional and nuclear power plants, auto manufacturers and the aerospace industry. He can be reached at [email protected].