Control system security experts have long warned that it was coming. Now it is here.
The first malware to be discovered in the wild that specifically targets an industrial control system (ICS) hit the headlines last month. The so-called Stuxnet computer worm exploits a weakness in Windows operating systems and is designed to target WinCC human-machine interface/supervisory control and data acquisition (HMI/SCADA) systems and PCS7 control products supplied by Siemens, the German industrial automation giant, experts said.
“This is a real wake-up call for the SCADA and controls industry,” declared Eric Byres, chief technology officer at Byres Security Inc. (www.tofinosecurity.com), Lantzville, British Columbia, Canada. “This hacking is being done by professionals, not a bunch of kids any more.
“We’ve always been ‘collateral damage,’ as control system owners and operators. We just sort of get hit by the viruses as they go by, for the most part,” Byres added. “But now, we’re in the bull’s-eye. Whoever wrote this, wrote it specifically to go after the SCADA and control systems world. So they understand what they’re going after, and we’re no longer able to hide behind ‘security by obscurity,’ ” said Byres, who spoke as part of a July 27 Webinar sponsored by Industrial Defender Inc. (www.industrialdefender.com), a Calgary-based industrial security firm.
Highly sophisticated
“There is no question in anyone’s mind who’s taken a deep look at this, that this is the highest degree of sophistication we’ve seen, at least in terms of this type of targeted approach at industrial control systems,” noted Patrick Miller, technical director, NERC CIP practice, at ICF International (www.icfi.com), Fairfax, Va., and another participant in the Webinar.
Miller cited three characteristics of Stuxnet that he said make it particularly unusual, and indicate a high degree of sophistication. The first involves the exploitation of .lnk files, or Windows Shortcut Files, which represents a “zero-day vulnerability,” meaning it is the first time that the vulnerability has been disclosed. Most malware is designed to exploit well-known vulnerabilities; the fact that someone was willing to reveal a zero-day vulnerability with Stuxnet indicates there was “definitely some intent behind this,” Miller said.
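For a defender triaging shortcut files found on removable media, the format Miller refers to is documented as the Shell Link binary format (MS-SHLLINK). The parser below is an added example, not code from the article or any of the firms quoted in it: it validates the 76-byte header, decodes LinkFlags, skips the optional IDList and LinkInfo blocks, and reads the StringData fields; the sample shortcut it builds is constructed for offline testing, and decoding non-Unicode strings as cp1252 is an assumption.

```python
import struct

# Shell Link header constants from MS-SHLLINK; the CLSID identifies a .lnk file.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits that decide which optional structures follow the 76-byte header.
FLAGS = {"HasLinkTargetIDList": 0x01, "HasLinkInfo": 0x02, "HasName": 0x04,
         "HasRelativePath": 0x08, "HasWorkingDir": 0x10, "HasArguments": 0x20,
         "HasIconLocation": 0x40, "IsUnicode": 0x80}
# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [("HasName", "name"), ("HasRelativePath", "relative_path"),
                 ("HasWorkingDir", "working_dir"), ("HasArguments", "arguments"),
                 ("HasIconLocation", "icon_location")]

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and StringData of a shortcut; raise ValueError if it is not one."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE):
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    flags = {name: bool(link_flags & bit) for name, bit in FLAGS.items()}
    pos = LNK_HEADER_SIZE
    if flags["HasLinkTargetIDList"]:  # LinkTargetIDList: u16 IDListSize, then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags["HasLinkInfo"]:  # LinkInfo: u32 LinkInfoSize that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for flag, key in STRING_FIELDS:
        if not flags[flag]:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        width = 2 if flags["IsUnicode"] else 1
        raw = data[pos + 2:pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {key}")
        info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")  # cp1252 is an assumption
        pos += 2 + count * width
    return info

def build_sample_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Constructed test input: a minimal Unicode shortcut with no IDList or LinkInfo."""
    link_flags = (FLAGS["HasRelativePath"] | FLAGS["HasArguments"]
                  | FLAGS["HasIconLocation"] | FLAGS["IsUnicode"])
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, link_flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, times, size, icon, SW_SHOWNORMAL
    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)
```

To inventory a mounted drive, call `parse_lnk(path.read_bytes())` on each `*.lnk` file and log the decoded fields alongside any ValueError, so shortcuts that fail to parse or carry unexpected icon or target locations can be reviewed before the media is used.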
The second is the fact that Stuxnet actually carries bogus “digital signatures” of some well-known companies. “Someone has gone through the effort to get someone else’s digital signature to allow this to quietly install on your machine,” he said. With the discovery of the worm, those signatures now have been revoked, he added.
The third unusual element is the fact that Stuxnet is targeted at a specific industrial control system vendor, and uses “some very deep technical knowledge of that industrial control system,” Miller said. “This is certainly unusual. A lot of malware is sprayed at a particular service or an operating system, but rarely do we see this type of targeted approach.”
To some, the Stuxnet worm raises concerns over the possibility of what’s known as Advanced Persistent Threat, or APT. An Advanced Persistent Threat is not a type of attack, but is a threat actor, said Dale Peterson, director of control system security practice at Digital Bond Inc. (www.digitalbond.com), Sunrise, Fla., and another Webinar participant.
An APT is launched by someone who wants to maintain control and access to a network. They do this through multiple exploits, so that when one exploit is found and cleaned up, another unfound exploit pops up later, sometimes a few months down the road, Peterson explained. “When we look at Stuxnet, we can’t really say that it is APT, because we don’t see any evidence that it’s doing special things to be persistent,” he observed. “But it is doing reconnaissance, which is the initial phase of an attack. So I guess if you were hit by this, you’d have to ask the question, ‘Is that the only thing they did?’ ”
Information theft
The Stuxnet virus propagates through universal serial bus (USB) devices, and may also be propagated via network sharing from other infected computers. While the origins of the worm are still unknown, its intent appears to be theft of information. Once it has infected a PCS7/WinCC system, Stuxnet uses a hardcoded default WinCC password within the Siemens system to connect to the Microsoft SQL database and extract data.
When Stuxnet takes over a system, it tries to contact a pair of command and control servers in Malaysia, according to a July 22 posting on a Symantec Corp. (www.symantec.com) blog. Symantec, a Mountain View, Calif.-based anti-virus firm, redirected traffic away from those servers, thereby preventing them from controlling infected machines and retrieving stolen information. During a 72-hour period, nearly 14,000 unique Internet protocol (IP) addresses infected with Stuxnet attempted to contact the command and control servers, said Symantec blogger Vikram Thakur. The largest shares of those hits were in Iran, Indonesia and India, at 58.85 percent, 18.22 percent and 8.31 percent respectively. Only 1.56 percent were in the United States.
Miller warned during the Webinar, however, that while these numbers “suggest a lot of compromised machines,” various factors can skew them. Network address translation devices that rotate through different IP addresses can cause compromised machines to be over-reported, he said, while a single address shared by many compromised machines can cause them to be under-reported.
In a July 27 blog posting, Industrial Defender Chief Security Officer Andrew Ginter agreed that “IP addresses are not very reliable indicators of how many machines are compromised.” But Ginter noted that “experience with counting IP addresses indicates that the count is usually off by no more than 10x in either direction. What this means is that this is a relatively small set of compromised machines, by the standards of the world’s botnets,” he observed.
While the virus was reportedly first discovered on June 17 by Ukrainian anti-virus firm VirusBlokAda, Stuxnet hit the blogosphere and headlines in a big way beginning on the weekend of July 17-18. There are currently no patches available from Microsoft for the Stuxnet virus. Siemens, for its part, moved quickly after being notified of the virus on July 14, assembling a team to evaluate the situation and work with Microsoft and others, the company said.
Removal tool
On July 22, Siemens said that it was making available a tool—developed by Cupertino, Calif.-based anti-virus firm TrendMicro Inc. (http://us.trendmicro.com)—to detect and remove the virus. However, Siemens advised users to work closely with customer support personnel before using the tool, to avoid any adverse effects on their systems. In product information dated July 26, Siemens said it was aware of only two customer cases worldwide of infected computers. No production plant had so far been affected, the company said.
Among various recommendations, participants in the Industrial Defender-sponsored Webinar advised continued vigilance and use of sound cyber-security practices by control-systems users. Byres said it is “highly likely” that there is other malware loose in the wild that targets industrial control systems that has not yet been discovered.
While the Stuxnet virus makes use of a hardcoded default password within the Siemens system that cannot be changed by users, this is not an uncommon situation with other control systems, the experts said. And in many cases, users fail to change default passwords—even when they can—and fail to follow other recommended vendor security practices, Webinar panel members pointed out.
In the future, users should push vendors to eliminate the use of hard-coded passwords, said Digital Bond’s Peterson. And he warned that non-Siemens control systems users must also stay on their toes. “There’s a lot of things that could have been in that [virus] payload, and unfortunately for Siemens, at this point, they decided to target them, but the rest of us shouldn’t [rest] easy, whether we’re vendors or users,” Peterson advised.