Stuxnet: The Future of Malware?

Post on 23-Feb-2016


Transcript of Stuxnet : The Future of Malware?


Stuxnet: The Future of Malware?

Stephan Freeman

Theme

Systems physically controlling something…

Getting hacked…

Disasters averted. Just.

The reality isn’t so different…

Previous Incidents

Slammer disables safety systems at Ohio Davis-Besse Nuclear Plant in the US for five hours in 2003

Blaster affects the US power grid during the 2003 blackout

Disgruntled employee in Australia logs in over WiFi at his old employer’s and releases over a million litres of raw sewage

14 year-old in Lodz, Poland, derails trams after taking over the signalling system in 2008

Many more undisclosed

Previous Incidents

All either accidental/side effects of non-targeted attacks

Or bored/disgruntled individuals

Stuxnet signifies something new: malware specifically targeted at a country’s physical infrastructure.

What is it?

Windows-based malware, targeting very specific configurations

Used four zero-day vulnerabilities

Is the first process-control-specific malware seen

Almost certainly state-sponsored

Possibly an insight into the future of malware

Process Control Systems

Systems used to bridge the logical (software) and physical worlds

Several types of components, used in industrial environments (PLCs, DCSs…)

Manufactured by Siemens, GE, ABB, Westinghouse

Often referred to as SCADA systems (Supervisory Control And Data Acquisition)

SCADA

Controls almost anything, e.g.:

Traffic signals

Train signals

Amusement park rides

Water processing systems

Power station generators

Factory assembly lines

Electrical substations

Vulnerabilities

COTS components used with known vulnerabilities

Lag between patches being released and being certified for a particular system

Poorly-written OS or TCP/IP stack on individual components

Lack of understanding of the risk

Multiple 3rd parties involved in integration of large-scale systems

Stuxnet - Detail

Targeted Windows PCs connected to Siemens PLCs (specifically S7-300)

Spread via USB sticks and over the Internet using 4 zero-day vulnerabilities

Installs itself as a rootkit in Windows, using stolen driver signing certificates

Modified the Step-7 application used to reprogram PLCs

Installs itself on the Siemens PLC

What is a PLC?

Stuxnet - Detail

Once on the PLC, checks whether either Vacon (Finnish) or Fararo Paya (Iranian) frequency converter drives are attached

Checks what frequency they’re running at: if they’re between 807 Hz and 1210 Hz, it changes the frequency of the drives periodically.

The frequencies happen to correspond to those needed for gas centrifuges, such as those used in the enrichment of uranium

Done in such a way as to hide any error messages being passed back to the controller

Automatically deletes itself on the 24th of June 2012
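A defender-side cross-check of the behaviour this slide describes, added here as an example in Python (not code from the original presentation): it compares the drive frequency the controller reports with an independent measurement and flags both a large mismatch and a reading that stays frozen while the real drive swings. The 807–1210 Hz band comes from the slide; the 5 Hz tolerance, the Sample record and every telemetry value are assumptions constructed for the example.

```python
"""Constructed example: cross-checking frequency-converter telemetry.

Stuxnet changed the real speed of drives in the 807-1210 Hz band while
hiding the errors normally passed back to the controller, so the HMI kept
showing a healthy, unchanging frequency. A defender can catch that class of
tampering by comparing what the controller reports with an independent
measurement (e.g. a separate tachometer) that the PLC does not mediate.
All telemetry below is constructed, not real plant data.
"""
from dataclasses import dataclass

BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0   # band quoted on the slide
TOLERANCE_HZ = 5.0   # assumed acceptable gap between the two readings


@dataclass
class Sample:
    t: int               # seconds since start
    reported_hz: float   # value the controller/HMI shows
    measured_hz: float   # independent, out-of-band measurement


def check_samples(samples, tolerance=TOLERANCE_HZ):
    """Return (t, reason) alerts: reading mismatch, or measurement out of band."""
    alerts = []
    for s in samples:
        gap = abs(s.measured_hz - s.reported_hz)
        if gap > tolerance:
            alerts.append((s.t, f"reported/measured differ by {gap:.0f} Hz"))
        elif not BAND_LOW_HZ <= s.measured_hz <= BAND_HIGH_HZ:
            alerts.append((s.t, f"measured {s.measured_hz:.0f} Hz outside band"))
    return alerts


def reported_is_frozen(samples, window=5):
    """True when the controller reading never moves while the independent
    measurement swings: a flat HMI value beside a changing drive suggests
    the feedback path is being masked."""
    recent = samples[-window:]
    if len(recent) < window:
        return False
    measured = [s.measured_hz for s in recent]
    reported = {s.reported_hz for s in recent}
    return len(reported) == 1 and max(measured) - min(measured) > TOLERANCE_HZ


# Constructed telemetry: HMI keeps showing 1064 Hz while the independent
# meter sees the drive pushed over speed, then dropped far below the band.
SAMPLES = [Sample(0, 1064.0, 1063.0), Sample(10, 1064.0, 1065.0),
           Sample(20, 1064.0, 1390.0), Sample(30, 1064.0, 1064.0),
           Sample(40, 1064.0, 120.0)]
```

Running `check_samples(SAMPLES)` yields alerts at t=20 and t=40, and `reported_is_frozen(SAMPLES)` is True because the reported value never changes across the window.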

Target?

Iranian uranium enrichment centrifuges, inspected by President Ahmadinejad

Stuxnet - Infections

From Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

Impact

US not affected – very few infections

Possible links to 10 large-scale explosions in Iranian oil and petrochemical plants

Affected numerous centrifuges at Iran’s main uranium processing plant in Natanz

Could have caused “large scale accidents and loss of life” in Iran, according to AP

Why do it?

Deniability

Physical distance

Stealth

Unclear response

Stuxnet – Author?

Difficult to tell who wrote it

Common consensus is that it was state-sponsored

Too much technical knowledge to be casual hackers

This may have happened before…

Pipeline explosion in the former Soviet Union in 1982

CIA alleged to have deliberately sabotaged SCADA equipment destined for the Trans-Siberian Pipeline, stolen by the KGB

Supposedly used a logic bomb

Resultant explosion had a force of three kilotons of TNT

What does the future hold?

More targeted attacks

Private companies on the front line

Over 30 countries have cyber-warfare programmes

More hacktivists

General need to “batten down the hatches”

Who receives targeted attacks?

[Chart: worldwide industry sector since 2008. Sectors shown: Public Sector, Manufacturing, Finance, IT Services, Education, Other; shares shown: 32%, 16%, 8%, 6%, 5%, 33%]

Targeted Attacks - Infosec

18172 targeted attacks during 2010

What can we do?

Loads of advice available

Organisations should think hard about the threats they face

Take a holistic approach, looking at physical security as well as information security

Accept that it may not be possible to defend networks against a concerted, well-funded attack, and consider keeping the most critical information offline.

Stephan Freeman BSc MSc MBCS CITP

Information Security Manager

London School of Economics & Political Science

Secretary, ISSA UK

s.freeman@lse.ac.uk / stephan.freeman@issa-uk.org

Thank You