Stopping Stuxnet Attacks

Thursday, December 8, 2011 @ 01:12 PM gHale


Throughout the Industry Today, One of the Strongest Safeguards for Manufacturers Against Stuxnet-like Worms Points Toward Host-Intrusion Prevention Systems or Whitelisting

By Nicholas Sheble
The computer worm Stuxnet appeared in June 2010. Most realize that was not the first worm to attack industrial systems but it was the first discovered malware that spies on and subverts industrial systems, and also the first to include a programmable logic controller (PLC) rootkit.

The existing technology that could have provided the strongest protection against Stuxnet was (and is) HIPS (host-intrusion prevention systems) technology.

Someone designed Stuxnet to attack Siemens PLCs running on Microsoft Windows and set it to work on specific gas-centrifuge systems and the uranium enrichment infrastructure in Iran. The worm worked. It was probably the most public use of computer malware to sabotage industrial control systems (ICS).

The ICS community warns this is the beginning of malware warfare intent on usurping the control of production facilities whether for caprice, profit, or state security.

Andrew Ginter, director of industrial security at Waterfall Security Solutions and Walter Sikora, vice president of security solutions at Industrial Defender advise control-system security practitioners to become familiar with HIPS technology as soon as is possible.

They preach, even though anti-virus technologies and patches are now available to protect against Stuxnet, sites with active anti-virus and patch programs were still vulnerable during the 3–4 months the mature version of the worm circulated undetected.

During that period, virus signatures for the worm did not exist, nor did patches for four of the five Windows vulnerabilities used by the worm. Firewalls, physical security, and other perimeter security were no help either because the worm could propagate past such measures on infected USB (Universal Serial Bus) sticks carried by trusted personnel.

Disabling USB mass storage on all control systems hosts would have prevented the worm at some sites, but some functions of the targeted control system require the use of USB sticks.

In fact, Ginter and Sikora see two emerging technologies as crucial in the push to secure industrial control systems since the Stuxnet foray. They are the aforementioned host-intrusion prevention systems and compliance management systems.

Getting hip to HIPS
First, look at HIPS (host-intrusion prevention systems), which also goes by the term “whitelisting” or “application control” systems.

HIPS store cryptographic checksums of applications, libraries, and other executables on protected machines as well as rules for which applications can and cannot run.

When an application starts up or a library loads, the hash recalculates. If the executable is unchanged and still approved for execution, execution continues normally, otherwise execution is blocked.

HIPS are new in the control systems protection space. Worms, viruses and other malware are not on the approved list of software for any machine, so even if patches or new anti-virus signatures are not yet available for such malware, the malware cannot receive approval to execute, and so execution is blocked.

Better yet, HIPS are much more stable in terms of change-control programs than are anti-virus systems. Anti-virus systems require new signatures as often as several times per day. Testing these signatures for false positives is costly, but necessary to ensure the signatures do not flag legitimate control system software as malware and quarantine it.

HIPS have no signatures, but we do need to update the list of approved cryptographic hashes as part of our change control program every time we change the software on our control system hosts, Ginter and Sikora said.

Get into compliance before the fact
Ginter and Sikora also call for compliance management software to become part of the control systems space.

While compliance management systems would be new to the control systems arena, we are all aware of today’s highly regulated, standards-driven world and how organizations in quite a few industries are facing mounting pressures relating to corporate governance, risk management, and compliance.

Think ISA, ISO, HIPAA, CFR, EPA, OSHA standards and know that software exists to automate the collection of data in order to prove standards compliance and or as protection against litigation.

To reduce corporate risk and optimize performance, companies must demonstrate compliance with a growing array of standards, government regulations, and quality initiatives. The guideline the chemical industry and the controls business will focus on more with from here on out is CFATS (Chemical Facility Anti-Terrorism Standards).

DHS (Department of Homeland Security) Guidelines for CFATS security plans include maintaining an inventory of equipment on control networks. This will include an accounting of what software, firmware, and versions are running on each piece of equipment, an inventory of what services are running and what communications ports are open and further details of equipment configuration, such as users and permissions.

Further, said Ginter and Sikora, CFATS guidelines require log archiving and retention, reviewing logs and accounts regularly, and reviewing certain summary reports and other reports as part of the audits processes.

For a large facility with hundreds or thousands of components in several control systems applications, gathering, summarizing and reviewing all of these data manually is impossible.

Compliance management software automates these activities by gathering device, host, software, firmware, user, and other information daily. The system archives, inspects, summarizes, and reports logs automatically. It spotlights anomalies that require immediate attention.

Customers with even one or two large sites report savings of up to several full-time-equivalent positions after installing compliance management solutions.

Expect the DHS to more rigorously apply CFATS rules. Expect CFATS to evolve to become more prescriptive, similar to the evolution of the NERC CIP (North American Electric Reliability Company: Critical Infrastructure Protection) regulations in the electrical industry.

Further, with or without new regulations, operations personnel should expect steadily increasing scrutiny of their operations by corporate security personnel and corporate audit committees as part of a steady migration toward better corporate governance.

Finally, expect threats will become more challenging as sophisticated control-system-targeted attacks continue and probably increase in frequency.

Ginter and Sikora’s article “Cybersecurity for Chemical Engineers” is available online (you will have to create an account) at

The SANS Institute has a 26-page paper online (free, just click the link) that provides insight into implementing, configuring, and tuning of an enterprise HIPS.


Nicholas Sheble (nsheble@isssource.com) is an engineering writer and technical editor in Raleigh, NC.



One Response to “Stopping Stuxnet Attacks”

  1. […] Stoppng Stuxnet attacks (Nick Shable, ISS Source 8/12/2011) […]


Leave a Reply

You must be logged in to post a comment.