Stuxnet – cyber security and SCADA networks
DA VINCI CODE OR CYBER SECURITY THREAT?
A rumour that Israel was behind Stuxnet gained strength when the word ‘myrtus’ was found in the worm’s code and linked to Queen Esther, said to have saved the Persian Jews from genocide in the 4th century BC. The Israeli theory persisted into 2011 and in January, the New York Times gave it more teeth with evidence that Stuxnet ‘was an American-Israeli project to sabotage the Iranian nuclear program’. Indeed, all five attacks between June 2009 and May 2010 had been on organisations with a presence in Iran. The media speculation and hype had already gone into overdrive in 2010: the potent mix of cyber spies, designer viruses and nuclear power was simply irresistible. This was unfortunate because the risks posed by Stuxnet and similar types of malware are very real: the worm had in fact infiltrated SCADA systems all the way from Germany to India.
Yet designer Trojans like Stuxnet aren’t new or rare. ‘Anyone who looks at it carefully can build something like it’ according to Ralph Langner. Designer Trojans are typical of the Advanced Persistent Threat (APT) attacks we’ve seen in growing numbers in the last few years. APT campaigns are highly targeted, sophisticated, persistent and very hard to stop or even detect with traditional IT security systems.
In a previous White Paper, ‘e-Espionage – How Real is the Risk?’, we discussed highly organised attacks against high-value public and private sector targets, from governments to finance and resource companies. Critical national infrastructure, such as communications and logistics hubs, power stations and industrial plants, is an obvious next target.
ISLANDS NO MORE
Long before the Internet, industrial networks and their control systems were quarantined from the rest of a plant’s network. ‘Security through obscurity’ was provided by specialised protocols and proprietary program code connecting physical assets via Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). That changed in the 1990s when the makers of SCADA systems embraced Windows PC platforms as operational front-ends to gain richer functionality and reduce duplication and cost.
Industrial systems were soon connected to business systems to make operational data more accessible to maintenance teams, plant managers and business units. Today, most industrial networks are connected to corporate IP networks. While this has resulted in business and system efficiencies, it has also exposed SCADA and ICS systems to internet-borne attacks.
OLD WORLD SECURITY
As the Stuxnet story unfolded, it was revealed that Siemens’ SCADA systems operated on hard-coded default passwords. Security analysts shook their heads in dismay when Siemens warned that changing these passwords could make its systems inoperable. In the old world when SCADA systems were islands, hard-coded passwords weren’t a problem; in a connected environment, this is unacceptable practice.
Any security newbie knows that removable media pose the highest risk in cyber security. A recent example was IBM handing out infected USB sticks to attendees of the 2010 AusCERT conference. For historic reasons, SCADA systems are typically upgraded via removable media like USB drives, and Stuxnet was designed specifically to exploit this anachronism.
In reality, engineers apply patches only when absolutely necessary, since SCADA systems control crucial water supplies, power grids and gas pipelines in real time. In this scenario, a faulty patch could lead to ‘a multi-billion dollar disaster with hundreds of dead, injured and long term disabled people’. It follows that rigorous processes for patch updates are in place, which include:
• Control systems to be updated only by authorised staff;
• System updates to be carried out under strict supervision;
• Removable media used for SCADA upgrades to be scanned beforehand; and
• The number of files on the media to be verified, along with the CRC or hash total for each file.
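The last two controls can be enforced mechanically before an update stick is ever plugged into an engineering workstation. The following is an added example (not from the original paper, and not tied to any vendor’s tooling): it assumes a hypothetical JSON-style manifest, delivered separately from the removable media, that records the expected file count and a SHA-256 digest per file, and it reports any count mismatch, missing file, unexpected extra file or altered file before the update is allowed to proceed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large firmware images are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Record every regular file under root as relative POSIX path -> SHA-256 digest."""
    files = {p.relative_to(root).as_posix(): sha256_of(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"file_count": len(files), "files": files}

def verify_media(root: Path, manifest: dict) -> list[str]:
    """Compare the mounted media against the manifest; an empty list means it may be used."""
    findings = []
    actual = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    expected = manifest["files"]
    if len(actual) != manifest["file_count"]:
        findings.append(f"file count {len(actual)} != expected {manifest['file_count']}")
    for rel in sorted(set(expected) - set(actual)):
        findings.append(f"missing: {rel}")
    for rel in sorted(set(actual) - set(expected)):
        findings.append(f"unexpected extra file: {rel}")   # anything the vendor never shipped
    for rel in sorted(set(actual) & set(expected)):
        if sha256_of(actual[rel]) != expected[rel]:
            findings.append(f"hash mismatch: {rel}")       # file altered after the manifest was made
    return findings

def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a clean stick, then the same stick after tampering (one file changed, one added)."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        (media / "update").mkdir()
        (media / "update" / "plc_firmware.bin").write_bytes(b"\x00\x01FIRMWARE")
        (media / "update" / "release_notes.txt").write_text("v1.2 constructed sample\n")
        manifest = build_manifest(media)            # in practice: received out of band, not from the stick
        clean = verify_media(media, manifest)
        (media / "update" / "plc_firmware.bin").write_bytes(b"\x00\x01FIRMWARE-MODIFIED")
        (media / "extra_not_in_manifest.bin").write_bytes(b"not in manifest")
        tampered = verify_media(media, manifest)
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```

The manifest must come from a trusted channel rather than from the stick itself; otherwise an attacker who can alter the files can equally alter the list of hashes.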