Defending Against the Next Stuxnet

Experts agree that defense in depth is the best approach to guard against future cyber attacks targeting industrial control system networks. Here's a look at two emerging technologies that may provide added tools for defense-in-depth strategies.

The controls security community was rocked this summer by the discovery of the Stuxnet worm, the first known malware designed specifically to target an industrial control system (ICS). And now that one such worm has been found in the wild, many believe that others are certain to emerge.

“Someone has proven the concept that you can launch a targeted attack on an industrial control system carrying a control-system-oriented payload, and not only have they demonstrated it in theory, but they’ve actually done it. So I think it’s almost inevitable that we’re going to see more of these,” observes Eric Cosman, an engineering solutions information technology (IT) consultant at The Dow Chemical Co., Midland, Mich., who serves as co-chair of the International Society of Automation’s ISA99 Industrial Automation and Control Systems Security committee.

While Stuxnet specifically targeted control systems supplied by Siemens, the German industrial giant, the worm gained access by exploiting a previously unknown Microsoft vulnerability. And experts warn that any vendor’s control systems could become targets in the future, particularly given the prevalence of Microsoft technologies throughout the ICS space.

What steps should automation owner/operators take to protect their control system assets? Because the Stuxnet worm infected systems via USB (Universal Serial Bus) sticks, a strict management policy for USB devices within the control environment—or simply disabling all USB ports—might have been effective against this particular malware, some experts say. But there is no single measure that can protect against all attacks, industry sources agree. Future attack vectors are unknown. And there is the possibility of other so-called “zero-day” attacks that—like Stuxnet—may exploit previously unknown system vulnerabilities for which there is no current antivirus defense.

Defense in depth

In general, industrial cyber security practitioners recommend defense-in-depth strategies as the best approach to keeping bad guys from penetrating ICS networks. The concept involves the use of layers of defense and diverse defensive strategies, so that if an attacker gets through one layer or defense, subsequent layers or defensive tactics will then present additional challenges that the attacker must overcome. Commonly used defensive approaches include physical controls, personnel policies and administrative controls, and electronic measures such as firewalls, encryption and antivirus tools.

A number of electronic defenses have been developed and refined in recent years to combat ICS cyber intruders and malware. Various industrial cyber security consultants, as well as control systems vendors, can help users with deployment of the latest techniques and technologies that have been proven for control system environments.

In this article, we will focus on a couple of emerging technologies that are still quite new to the ICS networking space. One is known as application whitelisting, which proponents contend would have been effective against Stuxnet. The second is typically called unidirectional, or one-way, communication, or simply data diode technology—for the hardware devices on which it is based.
  
Neither approach can provide a “silver bullet” to mitigate all kinds of cyber threats. But both are receiving more interest and attention lately in some industry segments, such as electric utilities. And in some situations, these methods may provide additional tools for consideration for use in ICS defense-in-depth deployments.

Whitelisting

The concept of application whitelisting is straightforward. Unlike antivirus software, which relies on a “blacklist” of known threats to detect and mitigate malware, application whitelisting software relies on a list of known good executables—and refuses to allow execution of those that are not on the list.

Writing in a recent White Paper on Stuxnet, Andrew Ginter, chief security officer at Industrial Defender Inc., a Foxborough, Mass., industrial security firm, explains the technology this way: “Whitelisting…provides a cryptographic hash for all approved executables in the filesystem on a machine. Whenever the operating system tries to load an executable file, including DLL libraries and other kinds of executables, the hash is recalculated and compared to the list of approved hashes. If there is no entry for the hash, it means the file being loaded is either not approved to execute, or has been tampered with.”
 
By ensuring that only clean, approved applications can execute, application whitelisting blocks all kinds of unauthorized applications, including zero-day exploits such as Stuxnet that were previously unknown, proponents say. This is unlike an antivirus blacklist approach, which first requires knowledge of an exploit in order to develop a “signature” against it; this signature can then be subsequently downloaded into systems for future protection against that particular malware.
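The load-time check Ginter describes can be reduced to a few lines: enrollment records a cryptographic hash of each approved executable, and every later load recomputes the hash and looks it up. The following Python is an added illustration, not code from the article or from any vendor it quotes; the "executables" are constructed placeholder bytes in a temporary directory, and the enrollment and check functions are hypothetical names chosen for this example. It shows the two properties the text relies on: a file that was never approved is refused, and an approved file that has been modified in place is refused too, because the check cannot distinguish "not approved" from "tampered with". It also shows a consequence worth knowing: the list keys on content, not on file name, so a byte-identical copy under a new name is still allowed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(approved_paths):
    """'Bless' the approved executables: record the hash of each one (hash -> path)."""
    return {sha256_of_file(p): str(p) for p in approved_paths}


def check_load(path, whitelist):
    """Emulate the load-time hook: recompute the hash and look it up.

    Returns ("ALLOW" | "DENY", digest). A missing hash means the file is either not
    approved or has been modified since enrollment; the check cannot tell which.
    """
    digest = sha256_of_file(path)
    return ("ALLOW" if digest in whitelist else "DENY", digest)


def demo():
    """Constructed scenario: two approved 'binaries' (placeholder bytes, not real
    executables), then an unapproved file, an in-place modification and a renamed copy."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        hmi = d / "hmi.exe"
        historian = d / "historian.exe"
        hmi.write_bytes(b"MZ\x90\x00 constructed HMI binary v1")
        historian.write_bytes(b"MZ\x90\x00 constructed historian binary")
        whitelist = build_whitelist([hmi, historian])

        # Arrivals after enrollment: a file nobody approved, a copy of the approved HMI
        # under a new name, and the approved HMI modified in place (e.g. by an infection).
        dropped = d / "update.exe"
        dropped.write_bytes(b"MZ\x90\x00 constructed unapproved binary")
        renamed = d / "hmi_copy.exe"
        renamed.write_bytes(hmi.read_bytes())
        hmi.write_bytes(hmi.read_bytes() + b"\x00 patched without approval")

        return {
            "historian": check_load(historian, whitelist)[0],   # ALLOW
            "unapproved": check_load(dropped, whitelist)[0],    # DENY: hash never enrolled
            "tampered_hmi": check_load(hmi, whitelist)[0],      # DENY: bytes changed, hash changed
            "renamed_copy": check_load(renamed, whitelist)[0],  # ALLOW: same bytes, same hash
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

A real product hooks the operating system's loader (including DLLs, as the quote notes) rather than being called explicitly, but the decision it makes is exactly this lookup.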

Industrial Defender, for its part, on June 23 introduced its Host Intrusion Protection System (HIPS) product based on whitelisting technology from CoreTrace Corp., an Austin, Texas-based application whitelisting technology supplier. And during an Aug. 19 Webinar on Stuxnet, Industrial Defender Vice President of Security Solutions Walt Sikora provided a demonstration that showed the Stuxnet worm being blocked when an infected USB device was inserted into an unprotected machine. “Whitelisting is the only thing that would have prevented it,” Sikora contended.

Though the application whitelisting concept has been around for a number of years, it has been somewhat slow to catch on in the IT networking space, due to management issues related to frequent changes, say industry sources. This includes the need in the IT world for frequent patches and downloads of new virus signatures. Each time a change is made, the change must be added to the whitelist. “If I’m watching my PC (personal computer) on my desktop and it’s constantly getting new applications and new software, that can make whitelisting a misery,” says Eric Byres, chief technology officer at Byres Security Inc., a Lanzville, British Columbia, Canada, industrial security firm.

But application whitelisting “actually has a nice fit” in the control systems space, Byres notes, due to traditional tight ICS change control policies, and the fact that control applications change more slowly than those in the IT space. “When you’ve got something like an HMI (human-machine interface) that might stay unchanged for six to eight months, and where you have very deliberate, controlled patch cycles, then I think whitelisting has some real potential,” Byres observes.

Slow change

“The beauty of whitelisting for control systems is that it’s not a constantly changing description of what’s bad. It’s a static description of what’s approved, and that list of what’s approved changes only very slowly, so you don’t have these issues with new [antivirus] signatures coming around a couple of times a day,” adds Industrial Defender’s Ginter. “You bless your software and you run it, and that’s it. It doesn’t have to change.”

In agreement is Tom Flowers, president of Flowers Control Center Solutions LLC, Todd Mission, Texas, who provides control center consulting to the energy sector. Whitelisting is particularly well-suited for control environments that employ segmentation to separate portions of a network, notes Flowers. “When you’ve got compartmentalization, you can really get that whitelist to be very specific. You can say, ‘I only want these five applications to be running on this particular segment.’ If anything else tries to run on that segment, then it starts raising flags and alarms. It’s extremely effective.”
  
Flowers, who worked previously as control systems manager at a major utility, says he is aware of homegrown whitelisting approaches being used by leading electric power utilities as early as about 2004 or 2005. And he would not be surprised to see the emergence of more commercial whitelisting products that are aimed specifically at utilities.

One such product, in fact, comes from Emerson Process Management, the Austin, Texas-based automation supplier. Like Industrial Defender, Emerson has also partnered with CoreTrace, and offers the company’s whitelisting technology as part of its Ovation Security Center (OSC), which is sold to the power generation and water/wastewater treatment industries.

“Realizing the defense-in-depth concept, we have various solutions as part of OSC to enhance overall security status. The CoreTrace product is one of them, for malware protection. And we have other tools to address patch management and security information management,” explains Roger Pan, Ovation Security program manager in Emerson’s Power & Water Solutions division. The first OSC systems shipped in the fall of 2009, and Emerson currently has about a dozen OSC systems in the field in North America, according to Pan.

Less frequent patching

Carl Staab, manager of network and security technology, product development, for the same Emerson division, points out that the whitelisting approach has proven particularly attractive to electric utilities looking to meet the anti-malware requirements of NERC CIP—the Critical Infrastructure Protection (CIP) standards covering the power industry, which are administered by the North American Electric Reliability Corp. (NERC).

For utilities, having an application whitelisting solution in place can mitigate the need to install patches and antivirus updates as frequently as would otherwise be required, Staab says. CIP-007 requires that new patches and updates must be evaluated and tested within 30 days after they become available. With whitelisting, the evaluations must still be performed within the 30-day window, but the whitelisting mitigates the need to install them until regularly scheduled maintenance or outages, providing more flexibility for users, Staab says.

In other words, according to J.T. Keating, vice president of marketing at CoreTrace, even if a worm, Trojan or other malware has wiggled through defenses and infiltrated a machine, the whitelisting software will prevent it from executing. “Because it’s not on the whitelist, it can’t run, which gives customers the ability to respond back to NERC and say, ‘Yeah, we’re going to get to that vulnerability, but we’ll get to it at a measured and well-tested pace,’ ” Keating explains.

Not surprisingly, perhaps, Keating declares that his company sees application whitelisting as “the antivirus of the future.” But in line with defense-in-depth concepts, he also believes that the two technologies will coexist. “Whitelisting is going to be the primary enforcement mechanism, and [antivirus] blacklisting will be used for reporting and clean-up,” Keating predicts.

Emerson’s Staab agrees. “The problem we see in the field is that if someone is adding an OSC to an existing system, that existing system may already have a rootkit or a virus on it that they’re not aware of. And if you whitelist that machine, you’ve just added that rootkit or virus to your permitted applications,” he says. “So there’s very definitely a purpose for using a blacklist or several blacklist applications to assure yourself that the machine you’re protecting is, in fact, clean.” By using antivirus only as a one-time scan to clean a machine, as opposed to using it in a real-time execution scanning mode, users can also avoid system performance issues that plague classic blacklisting approaches, Staab adds.

Who’s trusted?

Application whitelisting proponents contend that the system performance impact of whitelisting is negligible, especially when compared to traditional blacklisting antivirus products. And CoreTrace’s Keating says that his company has also overcome earlier whitelisting issues associated with change management. The CoreTrace product, known as Bouncer, employs a “Trusted Change” process by which users can designate which employees are trusted to make changes or add applications. Likewise, applications such as patch management systems or Windows updaters, can be trusted to make automatic changes at the discretion of the user.
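Two operational points from the preceding paragraphs are easy to get wrong in practice: Staab's warning that enrolling an already-infected machine blesses the infection along with everything else, and Keating's "Trusted Change" idea that only designated people or updater processes may add to the list. The Python below is an added example written for this article, not CoreTrace's Bouncer or Emerson's OSC code; the class, its method names and the actor names are hypothetical, and the machine inventory, the scan findings and the "planted file" are constructed placeholder bytes standing in for a pre-existing rootkit, not real malware. It contrasts a naive baseline (bless whatever is present) with one that consults a one-time clean-up scan first, then shows the change gate admitting a patched application only when a trusted actor requests it.

```python
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Whitelist:
    """Approved-hash store with two gates (hypothetical design, not a vendor's):
    a baseline enrollment that consults a one-time scan, and a change request that
    only designated people or updater processes may make."""

    def __init__(self, trusted_actors):
        self.approved = {}              # sha256 hex -> label
        self.trusted = set(trusted_actors)
        self.audit = []                 # (event, details...) for the security log

    def enroll_baseline(self, inventory, scan_findings):
        """Bless everything present on the machine except files the scan flagged.
        inventory: {filename: bytes}; scan_findings: set of hashes the AV scan reported."""
        skipped = []
        for name, data in inventory.items():
            digest = sha256_hex(data)
            if digest in scan_findings:
                skipped.append(name)
                self.audit.append(("baseline-skipped", name))
                continue
            self.approved[digest] = name
            self.audit.append(("baseline-added", name))
        return skipped

    def request_change(self, actor, name, data):
        """Trusted Change gate: add a hash only when the requester is on the trusted list."""
        if actor not in self.trusted:
            self.audit.append(("change-denied", actor, name))
            return False
        self.approved[sha256_hex(data)] = name
        self.audit.append(("change-approved", actor, name))
        return True

    def may_execute(self, data):
        """Load-time decision: run only if the exact bytes were approved."""
        return sha256_hex(data) in self.approved


def demo():
    # Constructed machine image: two legitimate applications and one file planted earlier
    # that nobody noticed (placeholder bytes, not real malware).
    inventory = {
        "hmi.exe": b"MZ constructed HMI v1",
        "historian.exe": b"MZ constructed historian",
        "svchelper.exe": b"MZ constructed pre-existing unwanted file",
    }
    # What a one-time AV clean-up scan reported before enrollment (constructed).
    scan_findings = {sha256_hex(inventory["svchelper.exe"])}
    trusted = {"wsus-updater", "ics-admin"}     # hypothetical trusted actors

    naive = Whitelist(trusted)
    naive.enroll_baseline(inventory, set())          # nobody scanned first
    scanned = Whitelist(trusted)
    skipped = scanned.enroll_baseline(inventory, scan_findings)

    hmi_v2 = b"MZ constructed HMI v2"              # a patched build of the HMI
    return {
        "naive_runs_planted_file": naive.may_execute(inventory["svchelper.exe"]),      # True
        "scanned_runs_planted_file": scanned.may_execute(inventory["svchelper.exe"]),  # False
        "skipped": skipped,                                                            # ["svchelper.exe"]
        "contractor_update": scanned.request_change("contractor", "hmi.exe", hmi_v2),  # False
        "runs_v2_before_approval": scanned.may_execute(hmi_v2),                        # False
        "updater_update": scanned.request_change("wsus-updater", "hmi.exe", hmi_v2),   # True
        "runs_v2_after_approval": scanned.may_execute(hmi_v2),                         # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```

The audit list is there because a denied change request or a skipped baseline entry is exactly the kind of event the segment-level "flags and alarms" Flowers mentions should be raised on; a whitelist that silently refuses things is much less useful to an operator than one that reports what it refused and who asked.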

Despite the perceived advantages for whitelisting, Pan reports that about three quarters of Emerson’s OSC customers are running both whitelisting and antivirus in a real-time mode on their control system platforms. This is in part because some customers already had antivirus technology in place prior to installing OSC application whitelisting, he says. Another factor is confusion about the wording in the CIP standards, which require “signature” updates—terminology that some interpret to mean antivirus software, he explains. Upcoming revisions to the CIP standards may erase that confusion, however, by eliminating the “signature” terminology to instead refer simply to “software updates,” Pan adds.

In any case, industry sources agree that the need to comply with the NERC CIP standard has so far been a driver for application whitelisting in the utility space. “We wouldn’t have put whitelisting on our systems without the regulatory compliance push to do something like that,” confirms the control systems security manager at one major electric utility, who declined to be named.

However, this manager does see the technology as a valuable defense-in-depth tool. “We use both AV (antivirus) and whitelisting, but if I had to pick one or the other, I would probably pick the whitelisting,” he says, “because we’re patching, and we’ve got a very strong electronic perimeter, which means that there’s probably not going to be a common, everyday virus in here that your AV would pick up.” And for zero-day viruses such as Stuxnet, he says, “the whitelisting has a better chance of stopping it.”

Data diodes

While application whitelisting has attracted more attention lately, another technology that is also coming up for more frequent discussion involves unidirectional, or one-way, communication using hardware devices typically known as data diodes. “We’re installing them at our nuclear plants and we’re evaluating them for certain big [fossil-fueled] power plants,” says the same utility security manager quoted above.
   
The concept is simple: As a way to ensure security, one-way data diodes are deployed that allow data flow in only one direction over a network connection. The one-way flow is enforced not by software, as in a firewall, but by the laws of physics. One side of the connection contains a transmitter but no receiver; the other side, a receiver but no transmitter. “One of the things that unidirectionality can promise is that it’s impossible to hack. There is no return channel. Packets only move one way,” declares Colin Blou, sales director for Waterfall Security Solutions Ltd., an Israel-based supplier of unidirectional systems that entered the North American market in 2008.

Traditionally found in high-security environments such as defense and government classified applications, unidirectional technology is being pushed by a few vendors for use in the control system security space. And some are claiming early success, particularly in utility markets, where NERC CIP compliance is a primary driver.

At Owl Computing Technologies Inc., Ridgefield, Conn., for example, Vice President Dave Graham reports that about 30 percent of the company’s new business in unidirectional systems now comes from electric utilities. That’s up from zero just two years ago, Graham says. Founded in 1999, the company provides one-way data transfer technology licensed from Sandia National Laboratories, and claims a total of more than 1,000 systems in the field, largely in the government and defense arenas.

In the control systems space, the most common application involves data flowing one-way from a secure control system network environment to an enterprise or engineering network. This enables business and engineering personnel to tap needed information from the control network, but mitigates the possibility of a cyber attack on the ICS network from the outside.

Industrial cyber security consultants confirm that interest in unidirectional technology lately has spiked. “We’ve looked at it very carefully and have considered actually even building one,” says Byres, of Byres Security. “But we’re kind of on the fence. The beauty of the technology is that it’s very simple to understand, and as a result, to validate. It’s quite easy to prove that data flow is one way. That’s the good news,” Byres notes. “But the bad news is that in real life, nearly all of the protocols that we use are two-way.”

Double talk

To accommodate traditional two-way protocols, unidirectional technology vendors typically use specialized software and proxies on each side of the diode connection. A proxy on the plant side emulates the server on the receiving side, using two-way industrial protocols such as Modbus or OPC to obtain data from plant-side applications, then transmits the data using proprietary one-way protocols over the unidirectional link. On the receiving side, another proxy translates the data to the appropriate two-way protocols, and emulates the plant application in sending the data on to the receiving-side server. Sophisticated checksums, packet numbering and other means are deployed to enable the receiving side to ensure that data received is complete and uncorrupted.
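The proxy arrangement above has one consequence that the "checksums and packet numbering" sentence only hints at: because there is no return channel, the receiving proxy can detect a lost or corrupted frame but can never ask for it again, so the framing has to make every gap visible. The Python below is an added example written for this article; it is not Owl's or Waterfall's proprietary link protocol, and the frame layout, class names and the sample readings are all constructed for the illustration. The plant-side function wraps one already-collected reading (what the sending proxy would have polled over Modbus or OPC) in a frame carrying a sequence number, a length and a SHA-256 digest, and nothing else, so no routable addressing crosses the link. The receiving side verifies each frame, ignores replays, records which sequence numbers never arrived intact, and is deliberately unable to send anything back.

```python
import hashlib
import json
import struct

HEADER = struct.Struct(">II")   # sequence number, payload length (constructed format)
DIGEST_LEN = 32


def make_frame(seq, record):
    """Plant-side proxy: wrap one reading in a frame for the one-way link.
    Layout: header | JSON payload | SHA-256 over header+payload.
    The frame carries only application data, no source or destination addresses."""
    payload = json.dumps(record, sort_keys=True).encode()
    header = HEADER.pack(seq, len(payload))
    return header + payload + hashlib.sha256(header + payload).digest()


class Receiver:
    """Enterprise-side proxy: verifies every frame and tracks gaps. It has no method
    that transmits, because the hardware gives it no way to."""

    def __init__(self):
        self.expected = 0
        self.records = []     # (seq, record) in arrival order
        self.corrupt = 0      # frames that failed the length or digest check
        self.missing = []     # sequence numbers never seen intact

    def feed(self, frame):
        if len(frame) < HEADER.size + DIGEST_LEN:
            self.corrupt += 1
            return False
        seq, length = HEADER.unpack(frame[:HEADER.size])
        body_end = HEADER.size + length
        if (len(frame) != body_end + DIGEST_LEN
                or hashlib.sha256(frame[:body_end]).digest() != frame[body_end:]):
            self.corrupt += 1       # cannot trust seq either; the gap shows up on the next good frame
            return False
        if seq < self.expected:
            return False            # replayed or duplicated frame: ignore
        if seq > self.expected:
            self.missing.extend(range(self.expected, seq))
        self.expected = seq + 1
        self.records.append((seq, json.loads(frame[HEADER.size:body_end])))
        return True


def demo():
    # Constructed plant-side readings, as the sending proxy would have polled them.
    readings = [
        {"tag": "PUMP1.FLOW", "value": 42.5, "ts": "2010-10-01T08:00:00Z"},
        {"tag": "PUMP1.FLOW", "value": 42.7, "ts": "2010-10-01T08:00:01Z"},
        {"tag": "TANK3.LEVEL", "value": 71.2, "ts": "2010-10-01T08:00:01Z"},
        {"tag": "TANK3.LEVEL", "value": 71.0, "ts": "2010-10-01T08:00:02Z"},
        {"tag": "PUMP1.FLOW", "value": 42.9, "ts": "2010-10-01T08:00:02Z"},
    ]
    frames = [make_frame(i, r) for i, r in enumerate(readings)]

    # Simulated link faults: frame 2 is lost, one byte of frame 3's payload is flipped.
    damaged = bytearray(frames[3])
    damaged[10] ^= 0xFF
    delivered = [frames[0], frames[1], None, bytes(damaged), frames[4]]

    rx = Receiver()
    for frame in delivered:
        if frame is not None:
            rx.feed(frame)
    return {
        "received": [seq for seq, _ in rx.records],   # [0, 1, 4]
        "missing": rx.missing,                         # [2, 3]
        "corrupt": rx.corrupt,                         # 1
    }


if __name__ == "__main__":
    print(demo())
```

The receiving side's only remedy for a gap is to log it and, if the deployment wants completeness, to rely on the sender re-transmitting periodically on its own schedule; that is the trade Byres is pointing at when he says nearly every real protocol is two-way.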

Both Owl and Waterfall claim support for a variety of industrial protocols and applications. According to Waterfall literature, for example, the company provides connectors for Modbus, OPC, DNP3 and ICCP protocols, and for leading industrial applications/historians including OSISoft PI, GE iHistorian, GE iFix, and Siemens WinTS, among others.

Would unidirectional technology have stopped Stuxnet from penetrating a control network? The answer is no, if the worm was introduced through a USB stick inserted into a machine inside the control network perimeter. But Owl Computing’s Graham points out that with his company’s technology, Stuxnet and other malware introduced through negligence or lax policies within a secure control environment would not be able to “phone home” to command-and-control computers on the outside. That’s because Owl Computing systems strip out routable information including Internet protocol (IP) addresses prior to transmitting data over the one-way link.

While one-way data transfer systems have their advantages, they likely won’t prove attractive for widespread deployment in industrial control environments, at least in the near term, say industry consultants. The technology is expensive. And many modern enterprises today rely heavily on bidirectional communication between business and control system networks to maintain operational efficiency and business profitability.

Still, as cyber security threats increase in the future, some see data diodes playing a greater role. The technology offers another option for consideration as part of a defense-in-depth strategy for ICS cyber security, sources say, particularly for high-value installations, or where a successful cyber attack could produce dangerous consequences.

“I see it as useful in cases where you are worried about someone spending enough money to take over your firewall,” says Industrial Defender’s Ginter. “Up until a few months ago, there was really no evidence that there are people out there willing to spend large sums of money to compromise control systems,” he notes. But with the emergence of Stuxnet, a highly sophisticated exploit suspected by some to be the work of a nation-state, the risk landscape looks to be permanently changed.
