Stuxnet: The Future of Malware? Stephan Freeman.
Stuxnet: The Future of Malware?
Stephan Freeman
Theme
Systems physically controlling something…
Getting hacked…
Disasters averted. Just.
The reality isn’t so different…
Previous Incidents
Slammer disables safety systems at Ohio Davis-Besse Nuclear Plant in US for five hours in 2003
Blaster affects US power grid during 2003 blackout
Disgruntled employee in Australia logs in over WiFi at his old employer's and releases over a million litres of raw sewage
14 year-old in Lodz, Poland, derails trams after taking over the signaling system in 2008
Many more undisclosed
Previous Incidents
All either accidental/side effects of non-targeted attacks
Or bored/disgruntled individuals
Stuxnet signifies something new:
Malware specifically targeted at a country’s physical infrastructure.
What is it?
Windows-based malware, targeting very specific configurations
Used four zero-day vulnerabilities
Is the first Process Control-specific malware seen
Almost certainly state-sponsored
Possibly an insight into the future of malware
Process Control Systems
Systems used to bridge the logical and physical interface
Several types of components, used in industrial environments (PLCs, DCSs…)
Manufactured by Siemens, GE, ABB, Westinghouse
Often referred to as SCADA systems (Supervisory Control And Data Acquisition)
SCADA
Controls almost anything, e.g.:
Traffic signals
Train signals
Amusement park rides
Water processing systems
Power station generators
Factory assembly lines
Electrical substations
Vulnerabilities
COTS components used with known vulnerabilities
Lag between patches being released and being certified for a particular system
Poorly-written OS or TCP/IP stack on individual components
Lack of understanding of the risk
Multiple 3rd parties involved in integration of large-scale systems
Stuxnet - Detail
Targeted Windows PCs connected to Siemens PLCs (specifically S7-300)
Spread via USB sticks and over the Internet using 4 zero-day vulnerabilities
Installs itself as a rootkit in Windows, using stolen driver signing certificates
Modified the Step-7 application used to reprogram PLCs
Installs itself on the Siemens PLC
What is a PLC?
Stuxnet - Detail
Once on the PLC, checks whether either Vacon (Finnish) or Fararo Paya (Iranian) frequency converter drives are attached
Checks what frequency they’re running at: if they’re between 807 Hz and 1210 Hz, it changes the frequency of the drives periodically.
The frequencies happen to correspond to those needed for gas centrifuges, such as those used in the enrichment of uranium
Done in such a way as to hide any error messages being passed back to the controller
Automatically deletes itself on the 24th of June 2012
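The payload behaviour described on this slide (drives in the 807 Hz to 1210 Hz band being pushed to other frequencies while the controller is shown normal readings) suggests the defensive check an operator would want: compare an independent measurement of each drive against the value the HMI displays. The code below is an added illustration, not from the slides or from any vendor; the log format, the drive names FC-01/FC-02 and the 5 Hz tolerance are constructed assumptions.

```python
# Added example (not from the slides): cross-check frequency-converter telemetry
# against what the controller/HMI displays, and flag the two symptoms the slides
# describe: drives in the centrifuge band driven to abnormal frequencies, and
# HMI-reported values that disagree with an independent measurement.
# The log format and all sample lines below are constructed for this example.
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) drive=(?P<drive>\S+) "
                     r"sensor_hz=(?P<sensor>[\d.]+) hmi_hz=(?P<hmi>[\d.]+)$")

# Operating band quoted in the slides (807-1210 Hz)
BAND_LOW, BAND_HIGH = 807.0, 1210.0
# Allowed gap between independent sensor and HMI-reported value (assumption)
MAX_DIVERGENCE_HZ = 5.0

def parse_line(line):
    """Parse one telemetry line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "drive": m["drive"],
            "sensor": float(m["sensor"]), "hmi": float(m["hmi"])}

def check_record(rec):
    """Return the list of alert names raised by a single telemetry record."""
    alerts = []
    if not BAND_LOW <= rec["sensor"] <= BAND_HIGH:
        alerts.append("out_of_band")        # drive outside the expected band
    if abs(rec["sensor"] - rec["hmi"]) > MAX_DIVERGENCE_HZ:
        alerts.append("hmi_mismatch")       # controller is being shown a different value
    return alerts

def analyse(lines):
    """Run both checks over a log and return (timestamp, drive, alerts) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alerts = check_record(rec)
        if alerts:
            findings.append((rec["ts"], rec["drive"], alerts))
    return findings

# Constructed sample log: one healthy reading, a hidden over-speed, a hidden
# under-speed, an HMI value that drifts from the sensor, and a malformed line.
SAMPLE_LOG = """\
2010-06-01T10:00:00Z drive=FC-01 sensor_hz=1064.0 hmi_hz=1064.0
2010-06-01T10:15:00Z drive=FC-01 sensor_hz=1350.0 hmi_hz=1064.0
2010-06-01T10:30:00Z drive=FC-02 sensor_hz=1064.0 hmi_hz=1064.0
2010-06-01T10:45:00Z drive=FC-02 sensor_hz=1064.0 hmi_hz=1100.0
2010-06-01T11:00:00Z drive=FC-01 sensor_hz=15.0 hmi_hz=1064.0
not a telemetry line
""".splitlines()

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The independent sensor feed is the important part: a check that only reads values the PLC reports back will see exactly the "normal" picture the slide says the malware presents to the controller.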
Target?
Iranian uranium enrichment centrifuges, inspected by President Ahmadinejad
Stuxnet - Infections
From Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
Impact
US not affected – very few infections
Possible links to 10 large-scale explosions in Iranian oil and petrochemical plants
Affected numerous centrifuges at Iran’s main uranium processing plant in Natanz
Could have caused “large scale accidents and loss of life” in Iran, according to AP
Why do it?
Deniability
Physical distance
Stealth
Unclear response
Stuxnet – Author?
Difficult to tell who wrote it
Common consensus is that it was state-sponsored
Too much technical knowledge to be casual hackers
This may have happened before…
Pipeline explosion in former Soviet Union in 1982
CIA alleged to have deliberately sabotaged SCADA equipment destined for the Trans-Siberian Pipeline, stolen by the KGB
Supposedly used a logic-bomb
Resultant explosion had a force of three kilotons of TNT
What does the future hold?
More targeted attacks
Private companies on the front-line
Over 30 countries have cyber-warfare programmes
More hacktivists
General need to “batten down the hatches”
[Pie chart: Who receives targeted attacks? Worldwide industry sector since 2008. Sectors shown: Public Sector, Manufacturing, Finance, IT Services, Education, Other; percentages shown: 32%, 16%, 8%, 6%, 5%, 33%]
Targeted Attacks - Infosec
18172 targeted attacks during 2010
What can we do?
Loads of advice available
Organisations should think hard about the threats they face
Take a holistic approach, looking at physical security as well as information security
Accept that it may not be possible to defend networks against a concerted, well-funded attack, and consider keeping the most critical information offline.
Further reading
http://www.computerworld.com/s/article/84510/Blaster_worm_linked_to_severity_of_blackout?taxonomyId=083
http://www.scadasecurity.org
http://www.theregister.co.uk/2008/01/11/tram_hack/
http://www.cpni.gov.uk/advice/infosec/business-systems/scada/
http://news.yahoo.com/s/nm/20110417/ts_nm/us_iran_nuclear_stuxnet_1
http://www.symantec.com/connect/blogs/stuxnet-breakthrough
Stephan Freeman BSc MSc MBCS CITP
Information Security Manager
London School of Economics & Political Science
Secretary, ISSA UK
[email protected] / [email protected]
Thank You