Industrial Ethernet Book Issue 61 / 95

Stuxnet: Best practice to secure industrial control systems

There has been a mistaken belief in security through obscurity as a policy option, relying on the use of specialised systems, protocols and proprietary interfaces, writes Richard Piggin.

However, information on protocols is widely available and some systems have already been specifically targeted. Examples include the Modbus protocol and the Stuxnet trojan/virus, which affected Siemens WinCC SCADA, Step 7 Programming Software and Simatic PLCs.

In the UK the Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides protective security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of Process Control and SCADA security good practice guidelines. The foundation of the best practice is three guiding principles:

• Protect, Detect and Respond - Be able to detect possible attacks and respond in an appropriate manner in order to minimise the impacts;

• Defence in Depth - No single security measure is itself foolproof, as vulnerabilities and weaknesses could be identified at any time. To reduce these risks, implementing multiple protection measures in series avoids single points of failure;

• Technical, Procedural and Managerial protection measures - Technology is insufficient on its own to provide robust protection.

In the USA, recommendations from the National Institute of Standards and Technology (NIST) include:

• Restricting physical access to the ICS network and its devices;

• Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing; disabling all unused ports and services; restricting ICS user privileges to only those that are required; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where feasible to prevent, deter, detect, and mitigate malware;

• Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event;

• Restoring the system after an incident. Incidents are inevitable: an incident response plan is essential.

Further guidance is referenced by the CPNI, much of it a result of work sponsored by US Homeland Security. This includes a series of sector road maps to secure the water, electricity and chemical sectors. These follow a similar 10-year programme to assess risk, then develop and implement risk mitigation measures. There is an emphasis on affordable security for legacy systems and new architecture designs.

Standards in this area are blossoming, including work being done by the International Society of Automation (ISA) which has published ISA-99 Parts 1 and 2 that deal with Industrial Automation and Control Systems Security.

Bent on sabotage

The apparent goal of Stuxnet was to sabotage real world industrial plant - not disrupt abstract IT systems. The threat has been portrayed as beyond anything seen before, and a once in a decade event. It targeted industrial control systems with the intention to reprogram PLCs in a manner that would sabotage plant, hiding the changes from programmers or users.

Stuxnet has highlighted the potential to directly attack industrial control systems used in critical national infrastructure (including energy, water and transport sectors). Research by Symantec showed that nearly 60% of the approximately 100,000 infected hosts were located in Iran, with relatively high infection rates also seen in India and Indonesia (September 2010). This has led to speculation that Stuxnet's goal was disruption of Iran's delayed Bushehr nuclear power plant or the uranium enrichment plant at Natanz.

How does it spread?

Since PCs used for control system programming are not normally connected to the internet, Stuxnet replicates via removable USB drives exploiting a vulnerability enabling autoexecution. It then spreads across the LAN via a Windows Print Spooler vulnerability and via a Windows Server Remote Procedure Calls vulnerability. It copies and executes on remote computers through network shares, and via Siemens WinCC database servers (SCADA software).

It also copies itself into Siemens Step 7 PLC program projects and executes when a project is loaded. It updates versions via peer-to-peer communication across a LAN. Stuxnet communicates with two command and control servers originally located in Denmark and Malaysia to enable code download and execution, including updating versions and the ability to change command and control servers, although this has not been observed as yet.
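As an added illustration (not from the article or any vendor tool) of the file integrity checking NIST recommends, applied to engineering project folders of the kind described above: the sketch baselines a directory with SHA-256, seals the baseline with an HMAC, and reports files added, removed or modified. The file names, folder layout and key are constructed for the demo and do not reflect the real Step 7 project format.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(manifest, key):
    """HMAC over the canonical manifest, so a rewritten baseline is detectable."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def compare(baseline, tag, key, current):
    """Verify the baseline's seal, then list added, removed and modified files."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline manifest failed its integrity check")
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed project folder: baseline it, then simulate two changes."""
    key = b"constructed-demo-key"  # assumption: a real key is kept off the workstation
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "blocks").mkdir()
        (root / "project.cfg").write_bytes(b"station=1\n")        # constructed file
        (root / "blocks" / "ob1.bin").write_bytes(b"\x01\x02")    # constructed file
        baseline = build_manifest(root)
        tag = seal(baseline, key)
        (root / "blocks" / "ob1.bin").write_bytes(b"\x01\x02\xff")  # existing file altered
        (root / "extra.dat").write_bytes(b"unexpected")             # new file dropped in
        return compare(baseline, tag, key, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Since the article describes a rootkit that hides its presence on the infected host, the comparison is best run from a separate, trusted system, with the sealed baseline and key stored away from the engineering workstation.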

Real-world actions

Stuxnet fingerprints specific PLC configurations that use the Profibus industrial network for distributed I/O. The particular configurations were gleaned using earlier versions of Stuxnet. If the fingerprint does not match the target configuration, Stuxnet remains benign. If the fingerprint matches, the code on the Siemens PLCs is modified with the infected Step 7 programming software and the changes are hidden. The modified code prevents the original code from running as intended, causing the plant equipment to operate incorrectly; this potentially sabotages the system under control. This is achieved by interrupting processing of code blocks, injecting network traffic on the Profibus network and modifying output bits of PLC I/O. How this affects the individual plant system depends on how the control system is connected to the PLC and distributed network I/O via Profibus.

Stuxnet: A most complex threat

• Four zero day exploits (those exploits that are unknown, undisclosed to the software vendor, or for which no security fix is available - a rarity for any virus which would be considered wasteful by most hackers);

• Windows rootkit - software that enables privileged access to a computer, while hiding its presence;

• First ever 'PLC rootkit' - infecting PLC programs and remaining undetectable, and with anti-virus evasion;

• Two stolen but otherwise genuine Taiwanese digital signatures;

• Complex process injection and hooking code (to prevent programmers seeing the infected code);

• Network infection routines with privilege escalation;

• Peer-to-peer updates;

• Remote command and control.

Game changing threat

The future threat Stuxnet poses is a blueprint for attacks on real-world infrastructure, providing generic methods to reprogram industrial control systems. However, the level of sophistication and complexity of Stuxnet, requiring significant resources, make it unlikely that similar threats will develop overnight.

Dr Richard Piggin is a network and security consultant working with the IEC Network & System Security and Cyber Security Working Groups. He is organising an automation security conference to be held in the spring at Bletchley Park in the UK.

rpiggin(at)iee.org

www.bara.org.uk

Joel Langill, security consultant and staff engineer at ENGlobal Automation Group, has made a video of a Stuxnet infection.


© 2010-2019 Published by IEB Media GbR · Last Update: 23.05.2019