How to Stop Stuxnet’s Children

Wednesday, March 14, 2012 @ 05:03 PM gHale

Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres
Recent well-designed ICS worms and cyber attacks such as Night Dragon, Duqu and Nitro have been revealed. Each of them has focused on stealing intellectual property such as oil field bids, SCADA operations data, design documents and other information that could cause business harm. This focus on industrial data compromise is new, and signals a new era of industrial malware.

When most people consider the motivation of worm creators and hackers, they think of the destructive focus of early cyber events like the Slammer worm or Mafia-Boy attacks. Nitro and Duqu show a different focus – subtle and persistent attempts to steal valuable information. This information could then be used to make a competitive or counterfeit product, out-bid a rival for an oil or mineral exploration lease, or coordinate a marketing campaign against a competitor’s new product.

Justifying Security Investment
Defense in Depth: No Singular Approach
Time for a Revolution
Users Need to Push Security

Theft of process information for commercial espionage is nothing new. It has been around long before networks and cyber security showed up. Today, the profit potential for IP theft can be enormous. One consumer products company estimates that IP theft from its operations results in a nearly a billion dollars of counterfeit product produced and sold every year. This is money the company will never see.

These worms could also be precursors to later destructive attacks against automation systems. Clearly the Stuxnet designers collected detailed process information on their victim prior to actually creating their worm. Could the Duqu worm be a forerunner to a more destructive attack? Symantec certainly thinks so.

It is worth noting that the goal of Stuxnet was to impact production (of enriched uranium) rather than cause an explosion and kill people. So it is possible that the goal of this next generation of malware is to quietly stop production at a plant or utility somewhere in the world. Impacting the production of a competitor, short selling the shares of a company or extorting money under the threat of a disruption are all profitable activities for a criminal or nation-state group.

Security experts suggest the only solution is to go back to the days of completely isolated automation systems. Unfortunately, walling off a control system just isn’t feasible today. Modern industry and the technologies it depends on need a steady diet of electronic information from the outside world to operate. Cut off one source of data into the plant floor and another (potentially riskier) “sneaker-net” source replaces it.

Now industry and government can try to battle this trend by banning technologies and mandating complex and onerous procedures. We see this sort of strategy every time we try to board a plane and wait in long lines to take our shoes off and get our hair shampoo confiscated. Frankly, I don’t think it is effective or efficient security for air travel. It is even worse for companies that ultimately need to be profitable if they are going to stay in business.

Is the situation hopeless? No, but ICS/SCADA security practices must improve significantly. First, the industry needs to accept the idea that complete prevention of control system infection is probably impossible. Determined worm developers have so many pathways available to them that over the life of a system some assets will suffer compromise. The owners and operators need to adjust their security programs accordingly. In particular, security programs need to:

• Consider all possible infection pathways and have strategies for mitigating those pathways, rather than focusing on a single pathway such as USB keys
• Recognize no protective security posture is perfect, and take steps to aggressively segment control networks to limit the consequences of compromise
• Install ICS-appropriate intrusion detection technologies to detect attacks and raise an alarm when equipment suffers compromise or is at risk of compromise
• Look beyond traditional network layer firewalls, toward firewalls capable of deep packet inspection of key SCADA and ICS protocols
• Focus on securing last-line-of-defense critical systems, particularly safety integrated systems (SIS)
• Include security assessments and testing as part of the system development and periodic maintenance processes. Identify and correct potential vulnerabilities, thereby decreasing the likelihood of a successful attack
• Demand secure control products from automation systems vendors
• Work to improve the culture of industrial security amongst management and technical teams.

Implementing these changes will improve the “defense in depth” posture for all industrial control systems. They are needed urgently. If not, your operation might show up on TV, as the lead story in the news about a successful cyber attack.

Eric Byres is chief technology officer at Byres Security. Click here to read the full version of the Practical SCADA Security blog.

Leave a Reply

You must be logged in to post a comment.