Port security


How do you stop the US 3rd Infantry Division? Could a computer worm attack the shipping port automation systems and disrupt supplies for the military?

Transcript of Port security

Page 1: Port security

Implications of the Stuxnet Worm to US Shipping Ports

When talk turns to war, amateurs discuss strategy. Professionals discuss logistics.

- Anonymous

Musings by Borepatch http://borepatch.blogspot.com

Page 2: Port security

Stuxnet Recap

A new type of computer worm, discovered in the summer of 2010

Stuxnet breaks ground in several ways:

It uses multiple zero-day exploits (four previously unknown Windows vulnerabilities)

It reprogrammed industrial process control systems from Siemens AG: the programmable logic controllers (PLCs) used in manufacturing automation

It is particularly stealthy, using rootkit techniques to hide its presence both on the infected Windows hosts and on the PLC itself, where it hides its modified control logic from the engineering software that reads the PLC back

It spreads via multiple vectors before causing damage, and does so in a controlled manner to avoid generating suspicion (compare the SQL Slammer worm of 2003, which spread as fast as it could and was noticed within minutes)

Speculation is that it was created by state actors as a form of information warfare; the most common theory is that Israel targeted the Iranian nuclear program

Page 3: Port security

Why do we think that Stuxnet was State-on-State Information War?

The Siemens industrial process control systems are not unusual, but they are very expensive and not typically available to the average black-hat hacker to develop and test against

Most malware these days is focused on stealing money (e.g. capturing online banking passwords), not on industrial process control. This is a very unusual target.

Some analyses of the worm code reveal hints as to its origin, e.g. dates supposedly referencing Iranian dissidents. It is possible, however, that these were planted by the worm's creator to direct suspicion at Israel.

The motive (disabling the Iranian nuclear program) is plausible.

Page 4: Port security

Implications if this is State-on-State Information War

Automated processes are a plausible target, even if they use uncommon hardware/software. "Security by obscurity" is over.

Air gaps (isolated networks) are not a sufficient defense: the Iranian network appears to be isolated from the Internet and was infected via USB removable media. Stuxnet did not even need AutoRun; it exploited a Windows shortcut (.LNK) parsing flaw (MS10-046), so merely browsing the stick in Explorer was enough to run it. Note that the US DoD's classified networks were similarly infected via USB in 2008.
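A practical follow-on to the air-gap point, added here as an example and not part of the original slides: if an isolated network can be crossed by a USB stick, then every removable-media insertion on an "air-gapped" host is a security event that should be logged and reviewed. The Python below correlates Linux kernel (dmesg-style) syslog lines into individual device insertions and flags mass-storage devices whose serial number is not on an approved list, treating an unapproved device on an isolated host as critical. The host names, the allowlist and the log lines are constructed for illustration; the Windows equivalent would read the same facts out of the event log.

```python
"""Flag removable-storage insertions on hosts that are supposed to be air-gapped.

Added example, not part of the original slides. It assumes the monitored hosts
forward Linux kernel (dmesg-style) syslog lines to a collector; the host names,
the approved-device allowlist and the log lines below are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy: hosts that must never see removable media, and the serial
# numbers of the few devices formally approved for controlled data transfers.
AIR_GAPPED_HOSTS: Set[str] = {"plc-eng-01", "hmi-02"}
APPROVED_SERIALS: Set[str] = {"4C530001230920112234"}

# Constructed syslog lines. One insertion produces several kernel lines that
# share a bus address such as "1-1"; the usb-storage line is what matters.
SAMPLE_LOG = """\
Jan 12 09:14:02 plc-eng-01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jan 12 09:14:02 plc-eng-01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Jan 12 09:14:02 plc-eng-01 kernel: usb 1-1: SerialNumber: 4C530001230920112234
Jan 12 09:14:03 plc-eng-01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jan 12 10:41:55 hmi-02 kernel: usb 2-3: New USB device found, idVendor=0930, idProduct=6545, bcdDevice= 1.10
Jan 12 10:41:55 hmi-02 kernel: usb 2-3: SerialNumber: 0123456789ABCDEF
Jan 12 10:41:56 hmi-02 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
Jan 12 11:02:10 office-ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Jan 12 11:30:00 office-ws-17 kernel: usb 1-4: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jan 12 11:30:00 office-ws-17 kernel: usb 1-4: SerialNumber: 60A44C413DA7B3309A0E7E5A
Jan 12 11:30:01 office-ws-17 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
"""

_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
_FOUND = re.compile(r"^usb (?P<addr>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]+), idProduct=(?P<pid>[0-9a-f]+)")
_SERIAL = re.compile(r"^usb (?P<addr>[\d.-]+): SerialNumber: (?P<serial>\S+)$")
_STORAGE = re.compile(r"^usb-storage (?P<addr>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class Device:
    host: str
    ts: str
    vid: str = "?"
    pid: str = "?"
    serial: Optional[str] = None   # None when the device reports no serial
    is_storage: bool = False


@dataclass
class Finding:
    severity: str
    host: str
    ts: str
    vid: str
    pid: str
    serial: Optional[str]
    reason: str


def parse_devices(log_text: str) -> List[Device]:
    """Correlate the several kernel lines of one insertion by (host, bus address)."""
    current: Dict[Tuple[str, str], Device] = {}
    devices: List[Device] = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # not a kernel line in the expected shape; ignore it
        host, ts, msg = m["host"], m["ts"], m["msg"]
        for pat in (_FOUND, _SERIAL, _STORAGE):
            d = pat.match(msg)
            if not d:
                continue
            key = (host, d["addr"])
            if pat is _FOUND:
                # A fresh enumeration: bus addresses are reused, so start a new record.
                dev = Device(host, ts, d["vid"], d["pid"])
                current[key] = dev
                devices.append(dev)
            else:
                dev = current.get(key)
                if dev is None:  # serial/storage line with no preceding "found" line
                    dev = Device(host, ts)
                    current[key] = dev
                    devices.append(dev)
                if pat is _SERIAL:
                    dev.serial = d["serial"]
                else:
                    dev.is_storage = True
            break
    return devices


def audit(log_text: str, air_gapped: Set[str] = AIR_GAPPED_HOSTS,
          approved: Set[str] = APPROVED_SERIALS) -> List[Finding]:
    """One finding per mass-storage insertion; keyboards, mice, etc. are ignored."""
    findings: List[Finding] = []
    for dev in parse_devices(log_text):
        if not dev.is_storage:
            continue
        is_approved = dev.serial is not None and dev.serial in approved
        if dev.host in air_gapped and not is_approved:
            sev, why = "critical", "unapproved mass storage on air-gapped host"
        elif dev.host in air_gapped:
            sev, why = "info", "approved device on air-gapped host; verify the transfer record"
        elif not is_approved:
            sev, why = "warning", "unapproved mass storage on networked host"
        else:
            sev, why = "info", "approved device on networked host"
        findings.append(Finding(sev, dev.host, dev.ts, dev.vid, dev.pid, dev.serial, why))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.severity:8} {f.ts} {f.host:14} {f.vid}:{f.pid} serial={f.serial} {f.reason}")
```

The point of keying on the device serial rather than the vendor/product IDs is that an attacker can buy the same model of stick as the approved one; the serial is at least unique per device, and an unapproved serial on an isolated host is a policy violation whether or not the stick carries malware.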

State adversaries can afford to invest millions in programming talent and take months, possibly years, to create highly sophisticated payloads. Signature-based antivirus cannot be expected to catch code nobody has seen before; this is not something that a typical antivirus will defend against.

Impact will depend on the value of the targeted systems and on how well they are run; some classes of systems are better managed, and therefore harder to subvert.

Page 5: Port security

How do you stop the US 3rd Infantry Division?

Very few State actors can counter the US military on the field of battle

But the US military units need ammunition and gasoline

Slowing the flow of supplies – or getting the wrong supplies sent – will stop the units due to lack of gas and ammunition

The "teeth" are a very hard target. What about the logistical "tail"?

Page 6: Port security

Port of Wilmington

Two Port of Wilmington top-lifts rigged with slings work in tandem to lower a damaged vehicle onto a flatbed truck for delivery to Camp Lejeune, Sunday, April 10 [2005]. The Port is handling two ships in four days loaded with several hundred vehicles and other equipment returning from service in Operation Iraqi Freedom.

Page 7: Port security

Top 10 Ports in the US

Rank  Port name            Total tons
   1  South Louisiana     224,187,320
   2  Houston, TX         202,047,327
   3  Newark, NJ          152,377,503
   4  Beaumont, TX         91,697,948
   5  Long Beach, CA       80,066,130
   6  Corpus Christi, TX   78,924,757
   7  New Orleans, LA      78,085,209
   8  Huntington, WV       77,307,514
   9  Port City of Texas   68,282,902
  10  Baton Rouge, LA      57,082,823

Page 8: Port security

Port Automation

Efficiency drives throughput, and the number of Gross Moves per hour is the key metric

Cost per move is critical for competitiveness

Specialized software is provided by multiple vendors (e.g. NAVIS) to optimize throughput and minimize cost

Your typical Black Hat hacker would not have access to these types of systems; a State Actor would

A Stuxnet-style worm targeting the major port automation software could cripple a US military response if unleashed in the weeks or months prior to a conflict

Page 9: Port security

How do you defend against a hypothetical threat?

There is no indication that a worm targeting transportation has been created.

Harder targets are more resilient:

It is more difficult for a worm to penetrate a hardened system

Worm penetration will be less extensive on a hardened system

Once triggered, damage is likely to be less on a hardened system

The easiest way to harden systems is to focus on the COTS portion (e.g. the common OS and application layers underneath the specialized port software)

Automated scanning for missing patches, misconfigurations, etc. is a well-understood field, with mature products and well-documented processes

Hardening the COTS layer yields rapid gains, because typical practice (unpatched hosts, default configurations) is far from best practice and closing that gap is mostly routine work
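As an added example (not part of the original slides) of what "automated scanning for missing patches and misconfigurations" produces once the results are turned into a worklist, the Python below compares a constructed inventory of port-automation hosts against a small baseline and ranks the hosts by their hardening gap, weighting network-exposed hosts higher. The bulletin IDs are real Microsoft bulletins for flaws Stuxnet exploited; the weights, host names, setting names and inventory values are assumptions made for illustration, and in practice the inventory would be a scanner export.

```python
"""Rank hosts by the hardening gap in their COTS layer: missing patches, weak settings.

Added example, not from the original slides. The baseline, host inventory and
weights are constructed; in practice the inventory is a scanner export and the
required-patch list is maintained from vendor bulletins.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed baseline. The bulletin IDs are real Microsoft bulletins for flaws
# Stuxnet exploited (MS08-067 and MS10-061 to spread over the network, MS10-046
# for the USB shortcut vector); the weights are this example's own, not a vendor rating.
REQUIRED_PATCHES: Dict[str, int] = {
    "MS08-067": 10,  # Server service RCE, wormable
    "MS10-046": 10,  # .LNK shortcut parsing, USB-borne infection without AutoRun
    "MS10-061": 8,   # print spooler RCE, used for lateral movement
}

# name -> (expected value, weight, description); an absent setting counts as not hardened.
# NoDriveTypeAutoRun is the real Explorer policy value; the other two names are assumed
# scanner fields rather than Windows settings.
REQUIRED_SETTINGS: Dict[str, Tuple[object, int, str]] = {
    "NoDriveTypeAutoRun": (0xFF, 6, "AutoRun disabled for every drive type"),
    "guest_account_enabled": (False, 4, "built-in Guest account disabled"),
    "vendor_default_credentials": (False, 9, "vendor default credentials changed"),
}

# Constructed inventory of port-automation hosts, as a scanner might export it.
INVENTORY = [
    {"host": "tos-app-01", "role": "terminal operating system server", "network_exposed": True,
     "patches": {"MS08-067", "MS10-061"},
     "settings": {"NoDriveTypeAutoRun": 0x91, "guest_account_enabled": False,
                  "vendor_default_credentials": True}},
    {"host": "crane-hmi-03", "role": "crane control HMI", "network_exposed": False,
     "patches": set(),
     "settings": {"NoDriveTypeAutoRun": 0xFF, "guest_account_enabled": True,
                  "vendor_default_credentials": True}},
    {"host": "gate-ws-07", "role": "gate clerk workstation", "network_exposed": True,
     "patches": {"MS08-067", "MS10-046", "MS10-061"},
     "settings": {"guest_account_enabled": False, "vendor_default_credentials": False}},
]


@dataclass
class Finding:
    kind: str     # "patch" or "setting"
    item: str
    weight: int
    detail: str


@dataclass
class HostReport:
    host: str
    role: str
    network_exposed: bool
    findings: List[Finding]
    score: int    # sum of finding weights, doubled for network-exposed hosts


def check_host(entry: dict) -> HostReport:
    """Diff one host's installed patches and settings against the baseline."""
    findings: List[Finding] = []
    installed = set(entry.get("patches", ()))
    for bulletin, weight in sorted(REQUIRED_PATCHES.items()):
        if bulletin not in installed:
            findings.append(Finding("patch", bulletin, weight, "not installed"))
    settings = entry.get("settings", {})
    for name, (expected, weight, desc) in sorted(REQUIRED_SETTINGS.items()):
        actual = settings.get(name)  # None (absent) never equals the expected value
        if actual != expected:
            findings.append(Finding("setting", name, weight,
                                    f"expected {expected!r}, found {actual!r} ({desc})"))
    exposed = bool(entry.get("network_exposed"))
    score = sum(f.weight for f in findings) * (2 if exposed else 1)
    return HostReport(entry["host"], entry.get("role", ""), exposed, findings, score)


def audit(inventory: List[dict]) -> List[HostReport]:
    """Worklist: highest score first, host name as a stable tie-breaker."""
    return sorted((check_host(e) for e in inventory), key=lambda r: (-r.score, r.host))


def render(reports: List[HostReport]) -> str:
    lines = []
    for r in reports:
        exposure = "network-exposed" if r.network_exposed else "isolated"
        lines.append(f"{r.host} ({r.role}, {exposure}): score {r.score}")
        for f in r.findings:
            lines.append(f"  [{f.weight:2}] {f.kind:7} {f.item}: {f.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit(INVENTORY)))
```

The ranking is deliberately crude: a scanner gives you hundreds of findings per host, and what operators need from the report is which few hosts to fix first. Doubling the score for network-exposed hosts reflects the slide's point that a worm reaches those first; the isolated crane HMI still scores high because an unpatched host with vendor default credentials is exactly what a USB-borne worm is built for.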

Page 10: Port security

Advice from the UK's Information Security Chief

GCHQ's director has said that 80 per cent of the government's cyber security vulnerabilities can be solved through good information assurance.

Iain Lobban, the director of the signals intelligence and information security organisation, said if government departments observed basic network security disciplines, such as "keeping patches up to date", combined with the necessary attention to personnel security, their online networks would be much safer.

Source: The Register, 13 October 2010