S

Stuxnet: The Future of Malware?

Stephan Freeman

Theme

Systems physically controlling something…

Getting hacked… Disasters averted. Just. The reality isn’t so different…

Previous Incidents

Slammer disables safety systems at Ohio Davis-Besse Nuclear Plant in US for five hours in 2003

Blaster affects US powergrid during 2003 blackout Disgruntled employee in Australia logs in over WiFi at his old

employers and releases over a million litres of raw sewage 14 year-old in Lodz, Poland, derails trams after taking over

the signaling system in 2008 Many more undisclosed

Previous Incidents

All either accidental/side effects of non-targeted attacks

Or bored/disgruntled individuals Stuxnet signifies something new:Malware specifically targeted at a country’s

physical infrastructure.

What is it?

Windows-based malware, targeting very specific configurations

Used four zero-day vulnerabilities Is the first Process Control-specific malware seen Almost certainly state-sponsored Possibly an insight into the future of malware

Process Control Systems

Systems used to bridge the logical and physical interface

Several types of components, used in industrial environments (PLCs, DCSs…)

Manufactured by Siemens, GE, ABB, Westinghouse Often referred to as SCADA systems (Supervisory

Control And Data Acquisition)

SCADA

Controls almost anything, e.g.: Traffic signals Train signals Amusement parks rides Water processing systems Power station generators Factory assembly lines Electrical substations

Vulnerabilities

COTS components used with known vulnerabilities Lag between patches being released and being certified

for a particular system Poorly-written OS or TCP/IP stack on individual components Lack of understanding of the risk Multiple 3rd parties involved in integration of large-scale

systems

Stuxnet - Detail

Targeted Windows PCs connected to Siemens PLCs (specifically S7-300)

Spread via USB sticks and over the Internet using 4 zero-day vulnerabilities

Installs itself as a rootkit in Windows, using stolen driver signing certificates

Modified the Step-7 application used to reprogram PLCs Installs itself on the Siemens PLC

What is a PLC?

Stuxnet - Detail

Once on the PLC, checks whether either Vacon (Finnish) or Fararo Paya (Iranian) frequency converter drives are attached

Checks what frequency they’re running at: if they’re between 807 Hz and 1210 Hz, it changes the frequency of the drives periodically.

The frequencies happen to correspond to those needed for gas centrifuges, such as those used in the enrichment of uranium

Done in such a way as to hide any error messages being passed back to the controller

Automatically deletes itself on the 24th of June 2012

Target?

Iranian uranium enrichment centrifuges, inspected by President Ahmedinejad

Stuxnet - Infections

From Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

Impact

US not affected – very few infections Possible links to 10 large-scale explosions in

Iranian oil and petrochemical plants Affected numerous centrifuges at Iran’s main

uranium processing plant in Natanz Could have caused “large scale accidents and loss

of life” in Iran, according to AP

Why do it?

Deniability Physical distance Stealth Unclear response

Stuxnet – Author?

Difficult to tell who wrote it Common consensus is that it was

state-sponsored Too much technical knowledge to

be casual hackers

This may have happened before…

Pipeline explosion in former Soviet Union in 1982 CIA alleged to have deliberately sabotaged SCADA

equipment destined for the Trans-Siberian Pipeline, stolen by the KGB

Supposedly used a logic-bomb Resultant explosion had a force of three-kilotons of

TNT

What does the future hold?

More targeted attacks Private companies on the front-line Over 30 countries have cyber-warfare

programmes More hacktivists General need to “batten down the hatches”

32%

16%8%

6%

5%

33%Public SectorManufacturingFinanceIT ServicesEducationOther

Who receives targeted attacks?

24

Worldwide industry sector since 2008

Targeted Attacks - Infosec

18172 targeted attacks during 2010

What can we do?

Loads of advice available Organisations should think hard about

the threats they face Take a holistic approach, looking at physical security as

well as information security Accept that it may not be possible to defend networks

against concerted, well funded attack and consider keeping the most critical information offline.

Further reading

http://www.computerworld.com/s/article/84510/Blaster_worm_linked_to_severity_of_blackout?taxonomyId=083

http://www.scadasecurity.org http://www.theregister.co.uk/2008/01/11/tram_hack/ http://www.cpni.gov.uk/advice/infosec/business-systems/scada/ http://news.yahoo.com/s/nm/20110417/ts_nm/

us_iran_nuclear_stuxnet_1 http://www.symantec.com/connect/blogs/stuxnet-breakthrough

Stephan Freeman BSc MSc MBCS CITPInformation Security ManagerLondon School of Economics & Political Science

Secretary, ISSA UK

s.freeman@lse.ac.uk / stephan.freeman@issa-uk.org

Thank You