Control Systems a New "Bull's-eye" for Hackers

The Stuxnet worm that attacked Siemens SCADA and control systems is highly sophisticated, and should be a wake-up call for the industrial controls community, say security experts.
Control system security experts have long warned that it was coming. Now it is here.

The first malware to be discovered in the wild that specifically targets an industrial control system (ICS) hit the headlines last month. The so-called Stuxnet computer worm exploits a weakness in Windows operating systems and is designed to target WinCC human-machine interface/supervisory control and data acquisition (HMI/SCADA) systems and PCS7 control products supplied by Siemens, the German industrial automation giant, experts said.

“This is a real wake-up call for the SCADA and controls industry,” declared Eric Byres, chief technology officer at Byres Security Inc. (www.tofinosecurity.com), Lantzville, British Columbia, Canada. “This hacking is being done by professionals, not a bunch of kids any more.

“We’ve always been ‘collateral damage,’ as control system owners and operators. We just sort of get hit by the viruses as they go by, for the most part,” Byres added. “But now, we’re in the bull’s-eye. Whoever wrote this, wrote it specifically to go after the SCADA and control systems world. So they understand what they’re going after, and we’re no longer able to hide behind ‘security by obscurity,’ ” said Byres, who spoke as part of a July 27 Webinar sponsored by Industrial Defender Inc. (www.industrialdefender.com), a Calgary-based industrial security firm.
 
Highly sophisticated

“There is no question in anyone’s mind who’s taken a deep look at this, that this is the highest degree of sophistication we’ve seen, at least in terms of this type of targeted approach at industrial control systems,” noted Patrick Miller, technical director, NERC CIP practice, at ICF International (www.icfi.com), Fairfax, Va., and another participant in the Webinar.

Miller cited three characteristics of Stuxnet that he said make it particularly unusual, and indicate a high degree of sophistication. The first involves the exploitation of .lnk files, or Windows Shortcut Files, which represents a “zero-day vulnerability,” meaning it is the first time that the vulnerability has been disclosed. Most malware is designed to exploit well-known vulnerabilities; the fact that someone was willing to reveal a zero-day vulnerability with Stuxnet indicates there was “definitely some intent behind this,” Miller said.

The second is the fact that Stuxnet actually carries bogus “digital signatures” of some well-known companies. “Someone has gone through the effort to get someone else’s digital signature to allow this to quietly install on your machine,” he said. With the discovery of the worm, those signatures now have been revoked, he added.

The third unusual element is the fact that Stuxnet is targeted at a specific industrial control system vendor, and uses “some very deep technical knowledge of that industrial control system,” Miller said. “This is certainly unusual. A lot of malware is sprayed at a particular service or an operating system, but rarely do we see this type of targeted approach.”

To some, the Stuxnet worm raises concerns over the possibility of what’s known as Advanced Persistent Threat, or APT. An Advanced Persistent Threat is not a type of attack, but is a threat actor, said Dale Peterson, director of control system security practice at Digital Bond Inc. (www.digitalbond.com), Sunrise, Fla., and another Webinar participant.

An APT is launched by someone who wants to maintain control and access to a network. They do this through multiple exploits, so that when one exploit is found and cleaned up, another unfound exploit pops up later, sometimes a few months down the road, Peterson explained. “When we look at Stuxnet, we can’t really say that it is APT, because we don’t see any evidence that it’s doing special things to be persistent,” he observed. “But it is doing reconnaissance, which is the initial phase of an attack. So I guess if you were hit by this, you’d have to ask the question, ‘Is that the only thing they did?’ ”

Information theft

The Stuxnet virus propagates through universal serial bus (USB) devices, and may also be propagated via network sharing from other infected computers. While the origins of the worm are still unknown, its intent appears to be theft of information. Once it has infected a PCS7/WinCC system, Stuxnet uses a hardcoded default WinCC password within the Siemens system to connect to the Microsoft SQL database and extract data.

When Stuxnet takes over a system, it tries to contact a pair of command and control servers in Malaysia, according to a July 22 posting on a Symantec Corp. (www.symantec.com) blog. Symantec, a Mountain View, Calif.-based ...
