Stuxnet: The Future of Malware? Stephan Freeman
Theme
• Systems physically controlling something…
• Getting hacked…
• Disasters averted. Just.
• The reality isn’t so different…
Previous Incidents
• Slammer disables safety systems at the Davis-Besse Nuclear Plant in Ohio, US, for five hours in 2003
• Blaster affects the US power grid during the 2003 blackout
• Disgruntled employee in Australia logs in over WiFi at his old employer’s and releases over a million litres of raw sewage
• 14-year-old in Lodz, Poland, derails trams after taking over the signalling system in 2008
• Many more undisclosed
Previous Incidents
• All either accidental side effects of non-targeted attacks
• Or the work of bored/disgruntled individuals
• Stuxnet signifies something new: malware specifically targeted at a country’s physical infrastructure.
What is it?
• Windows-based malware, targeting very specific configurations
• Used four zero-day vulnerabilities
• Is the first Process Control-specific malware seen
• Almost certainly state-sponsored
• Possibly an insight into the future of malware
Process Control Systems
• Systems that bridge the logical and the physical domains
• Several types of components, used in industrial environments (PLCs, DCSs…)
• Manufactured by Siemens, GE, ABB, Westinghouse
• Often referred to as SCADA systems (Supervisory Control And Data Acquisition)
SCADA
• Controls almost anything, e.g.:
• Traffic signals
• Train signals
• Amusement park rides
• Water processing systems
• Power station generators
• Factory assembly lines
• Electrical substations
Vulnerabilities
• COTS components used with known vulnerabilities
• Lag between patches being released and being certified for a particular system
• Poorly-written OS or TCP/IP stack on individual components
• Lack of understanding of the risk
• Multiple third parties involved in the integration of large-scale systems
Stuxnet - Detail
• Targeted Windows PCs connected to Siemens PLCs (specifically S7-300)
• Spread via USB sticks and over the Internet using 4 zero-day vulnerabilities
• Installs itself as a rootkit in Windows, using stolen driver signing certificates
• Modified the Step-7 application used to reprogram PLCs
• Installs itself on the Siemens PLC
Stuxnet - Detail
• Once on the PLC, checks whether either Vacon (Finnish) or Fararo Paya (Iranian) frequency converter drives are attached
• Checks what frequency they’re running at: if they’re between 807 Hz and 1210 Hz, it changes the frequency of the drives periodically.
• The frequencies happen to correspond to those needed for gas centrifuges, such as those used in the enrichment of uranium
• Done in such a way as to hide any error messages being passed back to the controller
• Automatically deletes itself on the 24th of June 2012
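The slide's point for defenders is that a monitor trusting only what the PLC reports sees nothing, because the payload hides the real drive state from the controller. The following added example (not from the slides, and not Siemens or Symantec code) compares PLC-reported drive frequency against a second, independent sensor the PLC cannot rewrite, and flags mismatches, readings outside the 807–1210 Hz band named on the slide, and abrupt jumps; the tolerances, drive names and telemetry values are constructed assumptions.

```python
"""Out-of-band sanity check for frequency-converter drive telemetry.

Added example. Assumes two independent data sources per drive: the
frequency the PLC reports, and a reading from a separate sensor (for
example a current or vibration monitor) that the PLC does not control.
"""
from dataclasses import dataclass

# Operating band of the targeted gas-centrifuge drives, from the slide.
BAND_LOW_HZ = 807.0
BAND_HIGH_HZ = 1210.0
MISMATCH_TOL_HZ = 5.0   # assumed: allowed gap between reported and measured
MAX_STEP_HZ = 50.0      # assumed: largest legitimate change between samples


@dataclass
class Sample:
    t: int              # sample time in seconds
    drive: str          # drive identifier (constructed)
    reported_hz: float  # value the PLC reports to the monitoring system
    measured_hz: float  # value from the independent sensor


def check_samples(samples):
    """Return a list of (t, drive, reason) alerts, ordered by drive then time."""
    alerts = []
    last = {}  # drive -> previous measured frequency
    for s in sorted(samples, key=lambda x: (x.drive, x.t)):
        if abs(s.reported_hz - s.measured_hz) > MISMATCH_TOL_HZ:
            alerts.append((s.t, s.drive, "reported/measured mismatch"))
        if not BAND_LOW_HZ <= s.measured_hz <= BAND_HIGH_HZ:
            alerts.append((s.t, s.drive, "measured frequency outside operating band"))
        prev = last.get(s.drive)
        if prev is not None and abs(s.measured_hz - prev) > MAX_STEP_HZ:
            alerts.append((s.t, s.drive, "abrupt frequency change"))
        last[s.drive] = s.measured_hz
    return alerts


# Constructed telemetry: drive A is healthy; drive B's PLC keeps reporting a
# steady 1064 Hz while the independent sensor shows the speed swinging
# far above and then far below the operating band.
SAMPLES = [
    Sample(0, "A", 1064.0, 1063.5), Sample(10, "A", 1064.0, 1064.2),
    Sample(0, "B", 1064.0, 1064.0), Sample(10, "B", 1064.0, 1410.0),
    Sample(20, "B", 1064.0, 2.0),
]

if __name__ == "__main__":
    for alert in check_samples(SAMPLES):
        print(alert)
```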
Target? Iranian uranium enrichment centrifuges, inspected by President Ahmadinejad
Stuxnet - Infections
(Infection map) From Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
Impact
• US not affected – very few infections
• Possible links to 10 large-scale explosions in Iranian oil and petrochemical plants
• Affected numerous centrifuges at Iran’s main uranium processing plant in Natanz
• Could have caused “large scale accidents and loss of life” in Iran, according to AP
Why do it?
• Deniability
• Physical distance
• Stealth
• Unclear response
Stuxnet – Author?
• Difficult to tell who wrote it
• Common consensus is that it was state-sponsored
• Too much technical knowledge to be casual hackers
This may have happened before…
• Pipeline explosion in the former Soviet Union in 1982
• CIA alleged to have deliberately sabotaged SCADA equipment destined for the Trans-Siberian Pipeline, stolen by the KGB
• Supposedly used a logic bomb
• Resultant explosion had a force of three kilotons of TNT
What does the future hold?
• More targeted attacks
• Private companies on the front line
• Over 30 countries have cyber-warfare programmes
• More hacktivists
• General need to “batten down the hatches”
Who receives targeted attacks?
(Chart: targeted attacks by worldwide industry sector since 2008; 18172 targeted attacks during 2010. Source: Targeted Attacks - Infosec)
What can we do?
• Loads of advice available
• Organisations should think hard about the threats they face
• Take a holistic approach, looking at physical security as well as information security
• Accept that it may not be possible to defend networks against a concerted, well-funded attack, and consider keeping the most critical information offline.
Further reading
• http://www.computerworld.com/s/article/84510/Blaster_worm_linked_to_severity_of_blackout?taxonomyId=083
• http://www.scadasecurity.org
• http://www.theregister.co.uk/2008/01/11/tram_hack/
• http://www.cpni.gov.uk/advice/infosec/business-systems/scada/
• http://news.yahoo.com/s/nm/20110417/ts_nm/us_iran_nuclear_stuxnet_1
• http://www.symantec.com/connect/blogs/stuxnet-breakthrough
Thank You
Stephan Freeman BSc MSc MBCS CITP
Information Security Manager, London School of Economics & Political Science
Secretary, ISSA UK
s.freeman@lse.ac.uk / stephan.freeman@issa-uk.org