Stuxnet Analysis

Published: 2010-11-14
Last Updated: 2010-11-14 23:58:20 UTC
by Marcus Sachs (Version: 1)
7 comment(s)

We normally don't write diaries about analysis published by others since most readers also use RSS, Twitter, Facebook, and countless other alerting services.  By the time we note an article it's already "old news."  But I want to make an exception to our internal policy and point out a very interesting analysis by Symantec of the Stuxnet malware.  In particular, watch the demonstration they put together that shows how it works.  While the demo is for Stuxnet, it brings home many of the techniques that have been perfected over the past two years to bypass firewalls, intrusion detection systems, and other classic defense mechanisms.

Why is this important?  Well, we need to start rethinking how we are going to defend our networks in the coming years and decades.  Layers of defense are, of course, important - but what should those layers be?  I'm afraid that many organizations are still defending themselves as though it's 1998.  Firewalls and other "blinking light" mechanisms are not enough.  Neither is patching, changing passwords, shutting off unneeded services, or any of the primary best practices we've been preaching as security professionals for many years.  We need a new "layer" to add to our defensive strategies.  But what is that layer?  If you have ideas, please use the comment link below to add them to this diary.

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: Stuxnet


Traditionally, defense strategies are focused or mapped to a specific OSI layer. They are mostly focused on stopping or eradication strategies. Perhaps there is a model where the system can evolve incorporating the "malware", similar to the way in which a eukaryotic cell incorporated mitochondria as its own.
The variable speed drives mentioned in the article are used in a lot of the infrastructure necessary to maintain civilization. Water systems come to mind.

I have observed that many SCADA system operators do not trust IT. There are good reasons for this. Some of the stuff IT requires is not compatible with the very touchy SCADA software and hardware. Unplanned change is bad. Uptime is critical, and patching systems creates downtime and change. A critical patch could very well disable the SCADA system or a critical piece of hardware. More downtime and change. SCADA system operators need IT's expertise in security, and the trick is getting the two together, establishing ground rules and trust.

Although Stuxnet is very specific (certain CPUs, buses, and hardware, such as frequency converters from only two vendors), there is no reason that other control systems couldn't also be targeted.

My current location has a building access system that is controlled by a PC. This system could also be attacked to grant access to unauthorized individuals. Granted, not much of a target, but ...

Other potential dedicated computer targets for specialized attacks could be the power grid, banks, etc. The fact that this Stuxnet is targeting specific systems should only make this an eye-opener for everyone to look at other systems that they have that could also be attacked by a dedicated group.

Once you recognize a potential vector for an attack then you can do something about it. A much better attitude than hiding your head in the sand with "What me worry? I don't have any PLC controllers!"
Heh, SCADA will have to get used to the real world and deal with it or die. The industry has been living in a fool's paradise for way too long. Get ready for a lot of unscheduled downtime in your future.
@Sean, I'm sure you meant to say Industrial Control Systems (ICS) or Process Control Systems (PCS). (Things that use Programmable Logic Controllers (PLC)). Either that or you might want to look up the difference between them and Supervisory Control and Data Acquisition (SCADA).

Cheers, Adrien
The SCADA system is just that - data acquisition, although the SCADA system does have RBAC controls and can change (only at the engineer level) specific control registers used by VFD/VSD drives.
The malware would have to be aware of the specific SCADA interface, the specific PLC it was supervising/monitoring and the key control registers. The attack vectors would have to be specifically designed for a particular type of network, PLC and SCADA topology. The attackers would have to have inside knowledge and also target the infected programming terminal of the engineers responsible for PLC code changes.
This is a wake-up call for system managers and reinforces the security-by-layer principles and standards.
There wasn't anything really "new" in this threat, other than what it was targeting, and that it was the first real overt salvo in cyber-warfare. The techniques it used to spread and infect were things we've seen before. I hope it is a wake-up call to those companies making these systems, and those that are installing them into their networks.
