Stuxnet Report III: Worm Selects Site

Wednesday, March 9, 2011 @ 04:03 PM gHale

EDITOR’S NOTE: A system needs hardening to help ward off any attacks like Stuxnet. But what does that system look like? After analyzing Stuxnet, it is easy to see how it was one of the most complex and well-engineered worms ever seen. Security professionals Eric Byres, Andrew Ginter and Joel Langill teamed to publish a white paper entitled “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems.” This is the third part in a series of stories detailing just how the Stuxnet worm was able to infiltrate a system, and how automation professionals can design their systems to be resilient when the next advanced attack comes.

By Eric Byres, Andrew Ginter and Joel Langill

Stuxnet’s goal from Day One was to destroy a specific industrial process. Earlier in this series we looked at the Swiss Army Knife of techniques Stuxnet used to carry out the attack. Now it is time to turn the tables and ask, “How might this target protect itself from a worm like Stuxnet?”

To answer that question, we invented a hypothetical site that is the worm’s target. Then we assumed the site is following all the guidance provided for “high security” sites in Siemens’ “Security Concept PCS 7 and WinCC – Basic Document.” In other words, a site using every recommended state-of-practice technology and procedure to protect itself.

Part I: Stuxnet attacked the Siemens SIMATIC PCS 7; Why that system?
Part II: How did Stuxnet infect a system?
Part III: A “high security site” targeted by Stuxnet or the Next Gen of Stuxnet-like worms.
Part IV: How Stuxnet infected a minor computer and then got deep inside a control system.
Part V: What should this mean for security of industrial control systems in the future?
Download the complete White Paper at Tofino Security.

Of course, assuming the target is following all the Siemens guidance perfectly is hopelessly optimistic. We all know the gap between guidance and reality in the ICS world is often large. However, for once, assuming the best is a good idea: if Stuxnet can still penetrate the victim’s defenses and destroy the process, then this highlights that current “best practices” in ICS security might still have a way to go.

It is important to understand we selected the Siemens recommendations for protecting control systems because the Stuxnet worm specifically targeted Siemens PLCs. As well, the Siemens recommendations are a good example of existing “best-practice” recommendations. Nothing in our analysis should imply Siemens control systems are less secure than any of the competing control system solutions. In fact, it is our opinion a majority of industrial sites have much less protection than the hypothetical Siemens site described here.

The hypothetical ICS network architecture.

High Security Site Networks
According to the Siemens documentation, our high security site is separated into at least four security zones as follows:

  1. The “Enterprise Control Network” (pink) zone is the corporate network. It hosts the business users and corporate accounting and planning systems. The corporate IT group typically manages security of this zone.
  2. The “Manufacturing Operations Network” (yellow) zone hosts the SIMATIC IT servers that exchange information between the control system and applications on the Enterprise Control Network (such as an Enterprise Resource Planning (ERP) system).
  3. The “Perimeter Network” (brown) zone hosts servers that manage equipment in the control system, as well as servers that provide information to end users on the Enterprise Control Network. This is a common location for servers responsible for providing software patches and updates, including Windows security updates and anti-virus updates. Many of the servers within this zone provide information to end users via web servers and web services. People sometimes refer to this zone as a “demilitarized zone” or DMZ.
  4. The final security zone hosts two networks: the green “Process Control Network” and the blue “Control System Network.” The Process Control Network hosts the 24×7 plant operators on their Human Machine Interface (HMI) workstations. It also connects to the WinCC/PCS 7 control system servers. The Control System Network connects to the Programmable Logic Controllers (PLCs). It also connects directly to the WinCC/PCS 7 control system servers.

In a large facility, there are frequently multiple “green” zones, one for each control center or operating area. For example, a large chemical plant may have as many as twenty or thirty operating areas, each with their own SIMATIC PCS 7 system, and each controlling a large portion of the facility with input and output storage facilities to help decouple operational disturbances between areas. These areas are able to operate independently of other portions of the large facility for some period of time. The facility may have many control rooms and corresponding server rooms, each hosting one or more control centers or operating areas.

The corporate wide area network (WAN) connects sites to one another, and connects different security zones within sites. Corporate IT manages the various enterprise networks and the corporate firewalls that protect enterprise network segments.

It is important to note while the Process Control Network and the Control System Network are different networks, they are both in the same security zone. WinCC and PCS 7 control system servers have at least two network interfaces, one for each kind of network.

As explained in Eric Byres’ blog, the dual interfaces are not a security technology. The two networks are separate for performance and technological reasons, not for security reasons. In other words, the Control System Network carries traffic specifically related to “automation” and “control,” such as traffic between process controllers/PLCs and servers, while the Process Control Network carries “information” and “display” traffic, such as that between HMIs and servers.

Internet Security and Acceleration Servers
In the recommended architecture, all traffic between security zones passes through Microsoft Internet Security and Acceleration (ISA) Servers. These protect the plant zones from the WAN and protect zones from each other. Each ISA server hosts a number of functions, such as firewall services, network address translation, web proxies, virus scanning and secure web server publishing.

The default configuration of all ISA servers is to block connections originating in less-trusted networks, such as the corporate WAN. The ISA servers allow connections, such as web services connections, from clients on less-trusted networks to selected servers, such as web servers, in the Perimeter Network.

Servers that receive connections from less-trusted networks are specifically hardened. The ISA servers manage connections to servers in the Perimeter Network, and allow VPN and web connections only for authorized users with legitimate credentials via the WAN.

The ISA servers are also configured to allow machines inside the protected networks to initiate connections “outward” to specific machines and services on less-trusted networks. Those connections may pass through the corporate WAN to external servers such as vendor websites on the public Internet. However, this configuration does not allow connections from protected equipment to arbitrary sites on the Enterprise Control Network or the Internet. Just like inbound connections, outbound connections through the ISA firewalls are “deny by default,” with only specific, approved connections to external servers permitted.

Virtual Private Network Connections
ISA servers also mediate Virtual Private Network (VPN) connections into protected zones. From time to time, workstations and laptops connect to protected networks through the ISA servers; these are shown as “support stations” in the graphic above. Support stations are usually used for remote engineering or vendor support activities. They may be at the site, or at a remote corporate site connected indirectly to the corporate WAN, with their access into corporate networks other than the WAN mediated by either corporate firewalls or the ISA servers. Vendors may also be at other “non-corporate” remote sites, connecting directly to the ISA servers from quarantine zones served by routers.

When these support stations access protected network zones through an ISA firewall, the firewall authenticates the VPN connection. If the vendor uses WinCC or other process applications that require access to the Process Control Network, the firewall allows a small number of connections, including WinCC and STEP 7 database connections, to protected servers. For broader access to protected networks, the ISA server allows only VPN connections to remote access servers running Microsoft Terminal Services or Remote Desktop Services. These remote access servers, or “jump hosts,” should provide isolation between untrusted hosts, such as support laptops, and trusted hosts such as the servers and workstations on protected networks.
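The two sections above (the ISA firewall rules and the VPN support-station rules) describe one policy: deny by default in both directions, with a short, explicit allow list. The following is an added example, not code from the white paper, Siemens or Microsoft, that models that policy so it can be reviewed and tested. The network names follow the article; the zone grouping of the "Support Station" VPN clients, every rule, and all host and service names are constructed assumptions for illustration, not a real ISA configuration.

```python
"""Added example (not from the white paper): a small model of the "deny by
default" zone firewall policy described above. Network names follow the article;
the rule set, host names and service names are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Networks grouped into security zones. The Process Control Network and the
# Control System Network share one zone, as the article notes. "Support Station"
# is a constructed zone for authenticated VPN clients.
NETWORK_ZONE = {
    "WAN": "wan",
    "Support Station": "support",
    "Enterprise Control Network": "enterprise",
    "Manufacturing Operations Network": "mfg-ops",
    "Perimeter Network": "perimeter",
    "Process Control Network": "control",
    "Control System Network": "control",
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str                 # "*" matches any host in the zone
    service: str                  # application protocol name; "*" matches any
    authenticated: bool = False   # True: only for an authenticated VPN user

    def matches(self, src_zone: str, dst_zone: str, dst_host: str, service: str) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.dst_host in ("*", dst_host)
                and self.service in ("*", service))

# Hypothetical allow list modelled on the article. Anything not listed is denied.
ALLOW_RULES: List[Rule] = [
    # Inbound: less-trusted clients reach only the published web server in the DMZ.
    Rule("wan", "perimeter", "web01", "https"),
    Rule("enterprise", "perimeter", "web01", "https"),
    # Outbound: protected hosts initiate only specific connections (update
    # servers in the DMZ, one named vendor site), never arbitrary Internet sites.
    Rule("control", "perimeter", "wsus01", "https"),
    Rule("control", "perimeter", "av01", "https"),
    Rule("control", "wan", "updates.vendor.example", "https"),
    # Authenticated VPN support stations: a few WinCC/STEP 7 database connections
    # to protected servers, and otherwise only RDP to the jump host.
    Rule("support", "control", "wincc-srv01", "wincc-db", authenticated=True),
    Rule("support", "perimeter", "jumphost01", "rdp", authenticated=True),
]

def evaluate(src_net: str, dst_net: str, dst_host: str, service: str,
             authenticated: bool = False) -> Tuple[str, Optional[Rule]]:
    """Decide one connection attempt: ("allow", rule) or ("deny", None)."""
    src_zone = NETWORK_ZONE.get(src_net)
    dst_zone = NETWORK_ZONE.get(dst_net)
    if src_zone is None or dst_zone is None:
        return ("deny", None)          # unknown network: fail closed
    if src_zone == dst_zone:
        # Traffic inside one zone (e.g. PCN <-> CSN) is not mediated by the ISA server.
        return ("allow", None)
    for rule in ALLOW_RULES:
        if rule.matches(src_zone, dst_zone, dst_host, service):
            if rule.authenticated and not authenticated:
                continue               # right path, but no authenticated VPN session
            return ("allow", rule)
    return ("deny", None)              # deny by default, inbound and outbound alike

def audit(attempts):
    """Evaluate (src_net, dst_net, host, service, authenticated) tuples and
    return (attempt, decision) pairs, useful when reviewing a policy change."""
    return [(a, evaluate(*a)[0]) for a in attempts]

if __name__ == "__main__":
    # Constructed connection attempts covering each direction the article discusses.
    sample = [
        ("WAN", "Perimeter Network", "web01", "https", False),
        ("WAN", "Process Control Network", "hmi01", "rdp", False),
        ("Process Control Network", "Perimeter Network", "wsus01", "https", False),
        ("Process Control Network", "WAN", "other-site.example", "https", False),
        ("Process Control Network", "Control System Network", "plc01", "s7comm", False),
        ("Support Station", "Control System Network", "plc01", "s7comm", True),
        ("Support Station", "Perimeter Network", "jumphost01", "rdp", True),
    ]
    for attempt, decision in audit(sample):
        print(f"{decision:5}  {attempt[0]} -> {attempt[1]} {attempt[2]}/{attempt[3]}")
```

The point of the model is the last line of `evaluate`: nothing reaches a protected host, and nothing leaves one, unless a rule names the destination host and service, and VPN-only rules additionally require an authenticated session. Running `audit` over a batch of attempts is a cheap way to check that a rule change has not quietly widened the allow list.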

Host Hardening and Malware Prevention
In addition to the firewall and perimeter protections, a variety of host hardening and malware prevention mechanisms are also in place at our ideal site. On the Enterprise Control Network, all hosts are part of a comprehensive patch management program that provides automated and managed installation of critical software patches and hot fixes. All hosts have anti-virus and anti-spyware products installed, and signatures for these products are distributed to all hosts immediately upon receipt from the anti-malware vendors.

Since this is the ideal facility, all computers only have those applications installed and services enabled that are essential to business functions. Enterprise workstations have access to the open Internet, but all web, ftp and email traffic into the Enterprise Control Network is scanned for spam and malware at the Enterprise Control Network firewall. Select workstations on the Enterprise Control Network have VPN access configured to hosts on the Manufacturing Operations Network and hosts on the Perimeter Network, but no workstations on the Enterprise Control Network have VPN access directly into the Process Control or Control System Networks.

On the Manufacturing Operations Network and the Perimeter Network all hosts are part of the security program implemented at the corporate level. All hosts are current with Siemens patches, Microsoft operating system and application patches, third party application patches, anti-virus and anti-spyware signatures, and all hosts have undergone review to ensure that only applications and services needed for the correct operation of the host and appropriate network are running.

On the Process Control Network and Control System Network, hosts are hardened and are running anti-virus software, but the hosts are not part of the corporate patch management system. The operations team manages patches on these critical networks, and subjects all new Siemens, Microsoft and third-party patches to a rigorous testing process before approving the patches for deployment on critical system components.

The Microsoft Windows Server Update Services (WSUS) servers manage deployment of approved patches, and such deployment occurs in stages. The WSUS servers also allow the team to configure the timing and sequencing of installation in order to minimize any risk associated with patch rollout. This ensures that equipment that develops unexpected problems because of new patches and signature sets can be taken offline and repaired without affecting the overall performance of the control system.

Finally, the operations team manages the anti-virus (AV) servers for the Process Control and Control System Networks. All new signature sets are tested before they are approved for deployment, and deployment of signature sets is staged, just like patch deployment. The combined patch and AV signature rollout process ensures that equipment that develops unexpected problems because of new patches or signature sets can be taken offline and repaired without affecting the overall performance of the control system.
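The patch and AV signature process described in the last three paragraphs has two controls worth making concrete: nothing is deployed until operations testing approves it, and deployment proceeds in stages so a bad package takes down a few hosts rather than the whole control system. The following is an added example, not code from the white paper and not how WSUS itself works, that models that staged rollout. The host names, ring assignments, the package identifier "KB-EXAMPLE-1" and the health-check outcomes are all constructed.

```python
"""Added example (not from the white paper): a staged patch / AV-signature
rollout controller of the kind the article describes for the Process Control
and Control System Networks. Hosts, rings, the package id and health-check
outcomes are constructed; a real WSUS deployment is driven by approval groups."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Host:
    name: str
    ring: int                      # 0 = offline test bench, 1..n = production stages
    healthy_after_install: bool    # constructed result of the post-install health check

@dataclass
class RolloutReport:
    package: str
    refused: bool = False                                   # never passed operations testing
    installed: List[str] = field(default_factory=list)
    quarantined: List[str] = field(default_factory=list)    # taken offline for repair
    halted_at_ring: Optional[int] = None

def approve(package: str, test_results: Dict[str, bool], approved: Set[str]) -> bool:
    """Operations-team gate: a patch or signature set is approved only if every
    test-bench check passed. Records the approval and returns True on success."""
    if test_results and all(test_results.values()):
        approved.add(package)
        return True
    return False

def staged_rollout(hosts: List[Host], package: str, approved: Set[str],
                   max_failures_per_ring: int = 0) -> RolloutReport:
    """Install `package` ring by ring. A host that fails its health check is
    quarantined (taken offline) so the rest of the control system keeps running;
    if a ring exceeds the failure budget, the rollout halts before the next ring."""
    report = RolloutReport(package=package)
    if package not in approved:
        report.refused = True          # unapproved packages never reach any host
        return report
    for ring in sorted({h.ring for h in hosts}):
        failures = 0
        for host in [h for h in hosts if h.ring == ring]:
            report.installed.append(host.name)
            if not host.healthy_after_install:
                failures += 1
                report.quarantined.append(host.name)
        if failures > max_failures_per_ring:
            report.halted_at_ring = ring
            break
    return report

# Constructed fleet: one test-bench host, then two production stages.
FLEET = [
    Host("testbench01", 0, True),
    Host("hmi01", 1, True),
    Host("hmi02", 1, False),           # constructed: this host breaks after the patch
    Host("wincc-srv01", 2, True),
    Host("eng01", 2, True),
]

def demo() -> RolloutReport:
    """Approve the constructed package, then roll it out with a zero-failure budget."""
    approved: Set[str] = set()
    approve("KB-EXAMPLE-1", {"boots": True, "wincc_runtime": True}, approved)
    return staged_rollout(FLEET, "KB-EXAMPLE-1", approved)

if __name__ == "__main__":
    r = demo()
    print(f"installed={r.installed} quarantined={r.quarantined} "
          f"halted_at_ring={r.halted_at_ring}")
```

In the constructed run the package passes the test bench, installs cleanly on `hmi01`, breaks `hmi02`, and the rollout halts at ring 1: `hmi02` is quarantined for repair while the ring 2 servers (`wincc-srv01`, `eng01`) never receive the package. Raising `max_failures_per_ring` lets the operator trade blast radius for rollout speed, which is the sequencing decision the article attributes to the WSUS configuration.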

All combined, the target industrial site has some very impressive defenses. It has at least four separate security zones, firewalls between all these zones and a VPN system for securing remote access. It also has a comprehensive patch and AV signature roll-out program.

Given the well-secured industrial control system described above, how could a worm like Stuxnet ever penetrate all the way to the PLCs? Next time, we look at how the battle between worm and the defenses evolves.

Part IV: Stuxnet slithers in.

Eric Byres, P. Eng., ISA Fellow, is the chief technology officer at Byres Security Inc. (eric@byressecurity.com); Andrew Ginter, CISSP, is the chief technology officer at Abterra Technologies (aginter@abterra.ca) and Joel Langill, CEH, CPT, CCNA, is the chief security officer at SCADAhacker.com (joel@scadahacker.com) and Dept. of Critical Infrastructure Officer with The Cyber Security Forum Initiative (csfi.us).