Defending against industrial malware

Defending Against Industrial Malware Ayed Alqarta | Arabesque Group

Transcript of Defending against industrial malware

Page 1: Defending against industrial malware

Defending Against Industrial Malware
Ayed Alqarta | Arabesque Group

Page 2: Defending against industrial malware

Agenda

• The emergence of new cyber weapons
• Case Study: Stuxnet
• Industrial malware mitigations
• SCADA security standards
• Conclusions

Page 3: Defending against industrial malware

The emergence of new cyber weapons

Page 4: Defending against industrial malware

Stuxnet

Page 5: Defending against industrial malware

“World's First Cyber Weapon”

• Targets Siemens S7/WinCC products; compromises S7 PLCs to sabotage the physical process
• Exploited 4 Windows zero-day vulnerabilities
• Spreads via:
  • USB/removable media
  • 3 network techniques
  • S7 project files
  • WinCC database connections
• Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates
• Installs cleanly on W2K through Win7/2008R2
• Conventional OS rootkit; detects and avoids major anti-virus products
• Advanced reverse-engineering protections

Page 6: Defending against industrial malware

How Stuxnet Spreads

Page 7: Defending against industrial malware

Damaging Impact in Four Steps

To develop protective measures against Stuxnet-like attacks, a basic understanding of the worm’s activities is essential. It unfolds its damaging impact in four steps on different layers:

1. Infection of Windows PCs: Stuxnet utilizes a total of four zero-day exploits of previously unknown vulnerabilities.

2. Abuse and Manipulation of Automation Software: Stuxnet abuses and manipulates any WinCC databases and STEP 7 project files it finds. It also renames s7otbxdx.dll to s7otbxdsx.dll and replaces it with a DLL of its own.

3. Injection of Malicious Code into Controllers: This manipulated DLL enables Stuxnet to infiltrate malicious code into the projected PLCs. The malicious code combines denial-of-control and denial-of-view techniques.

4. Communication with Command & Control Servers on the Internet: Infected computers contact C&C servers to upload information collected from the target and its environment; in return, new instructions and updates to the worm can be received and executed.

Page 8: Defending against industrial malware

Industrial Malware Mitigations

Page 9: Defending against industrial malware

Industrial Malware Mitigations

Secure Enclaves

Logically group networks, assets, the operations that they perform, and even the users who are responsible for those operations.

Perimeter defenses such as firewalls, network IDS/IPS and router access control lists can be configured to isolate the defined members of an enclave.

Enclaves protect the internal systems from insider attacks, or from an attack that somehow circumvents the established perimeter defenses (e.g. via USB flash drives).

Page 10: Defending against industrial malware

Industrial Malware Mitigations - Cont

Patch Management

Establish a patch management enclave, to provide an additional barrier between online patch management and the systems requiring upgrades.

The patch management methodology:

1. Download required vendor/application patches
2. Verify the integrity of these patches and scan them for viruses
3. Archive the validated files to read-only media
4. Install patches on test systems to verify the ramifications of the update
5. Install on production systems

Page 11: Defending against industrial malware

Patch Management - Cont

Patch Management Methodology

Page 12: Defending against industrial malware

Patch Management - Cont

Page 13: Defending against industrial malware

Industrial Malware Mitigations - Cont

Blacklisting

A “blacklist” solution compares the monitored object to a list of what is known to be bad. Traditional HIDS, antivirus and IPS depend on blacklisting.

Two issues with blacklisting:

• A blacklist must be continuously updated as new threats are discovered
• There is no way to detect or block certain attacks such as zero-days (Stuxnet)

Page 14: Defending against industrial malware

Industrial Malware Mitigations - Cont

Application Whitelisting (AWL)

Creates a list of what is known to be good and applies very simple logic: if it is not on the list, block it

No signatures or virus definitions (Stuxnet lived for a year before it was detected by AV vendors)

AWL can block zero-day industrial malware like Stuxnet
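The following Python example is added here and is not part of the slides: it runs a signature blacklist and a path-plus-hash allow-list side by side over a constructed file set that models the s7otbxdx.dll substitution from slide 7. File contents, the dropped driver name and all hashes are constructed for illustration.

```python
# Added example, not from the slides: blacklist vs. allow-list verdicts over a
# constructed file set; only the s7otbxdx.dll substitution follows slide 7.
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

STEP7_DLL = r"C:\Program Files\Siemens\Step7\S7BIN\s7otbxdx.dll"
RENAMED_DLL = r"C:\Program Files\Siemens\Step7\S7BIN\s7otbxdsx.dll"
DROPPED_SYS = r"C:\Windows\System32\drivers\dropped_driver.sys"  # constructed name
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Golden image of an engineering workstation, captured at commissioning time.
GOLDEN_IMAGE = {
    STEP7_DLL: b"genuine STEP 7 PLC communication DLL (constructed)",
    NOTEPAD: b"genuine notepad (constructed)",
}

# Blacklist: hashes of malware already known to AV vendors; a zero-day is not here yet.
KNOWN_BAD_HASHES = {sha256(b"worm discovered last year (constructed)")}

# Same workstation after a Stuxnet-style infection: real DLL renamed aside and
# replaced by an attacker wrapper, plus a dropped driver. A stolen signing cert
# would make that driver look trusted, so the allow-list keys on hash, not publisher.
INFECTED_SNAPSHOT = {
    STEP7_DLL: b"attacker wrapper DLL, zero-day (constructed)",
    RENAMED_DLL: b"genuine STEP 7 PLC communication DLL (constructed)",
    DROPPED_SYS: b"rootkit driver signed with stolen cert (constructed)",
    NOTEPAD: b"genuine notepad (constructed)",
}

def build_allowlist(image: dict) -> dict:
    """Allow-list = every (path, hash) pair present on the golden image."""
    return {path: sha256(data) for path, data in image.items()}

def blacklist_verdict(data: bytes, bad_hashes: set) -> str:
    """Traditional AV/HIDS logic: block only what is already known to be bad."""
    return "block" if sha256(data) in bad_hashes else "allow"

def allowlist_verdict(path: str, data: bytes, allowlist: dict) -> str:
    """AWL logic from slide 14: if it is not on the list, block it. A changed hash
    at a known path, or a known hash at an unknown path, is not on the list."""
    return "allow" if allowlist.get(path) == sha256(data) else "block"

def evaluate(snapshot: dict, allowlist: dict, bad_hashes: set) -> dict:
    """{path: {"blacklist": verdict, "allowlist": verdict}} for every file."""
    return {p: {"blacklist": blacklist_verdict(d, bad_hashes),
                "allowlist": allowlist_verdict(p, d, allowlist)} for p, d in snapshot.items()}
```

Run against the infected snapshot, the blacklist allows every file (nothing matches a known signature) while the allow-list blocks the wrapper DLL, the renamed original and the dropped driver and allows only the unchanged notepad.exe.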

Page 15: Defending against industrial malware

AWL - Cont

Symantec Security Response: W32.Stuxnet Dossier v1.4

Page 16: Defending against industrial malware

Industrial Malware Mitigations

Firewalls

• Block access to the Internet from workstations which configure and control PLCs (this prevents any interaction with C&C servers)

• Block access to Internet hosts with bad reputation (threat intelligence feeds and IP blacklists)

• Block IP addresses which generate abnormal network traffic until you investigate the incident (external/internal)

• Block connections to unused protocols or services

• Implement SCADA-aware firewalls to control traffic

Page 17: Defending against industrial malware

SCADA Security Standards

Page 18: Defending against industrial malware

Standards Organizations

North American Reliability Corporation (NERC)

The North American Reliability Corporation is tasked by the Federal Energy Regulatory Commission (FERC) to ensure the reliability of the bulk power system in North America. NERC enforces several reliability standards, including the reliability standard for Critical Infrastructure Protection (NERC CIP). In addition to these standards, NERC publishes information, assessments and trends concerning bulk power reliability, including research of reliability events as they occur. The NERC CIP standards are comprised of nine standards documents, all of which are available from NERC’s website at:

http://www.nerc.com/page.php?cid=2|20

Page 19: Defending against industrial malware

Standards Organizations - Cont

The United States Nuclear Regulatory Commission (NRC)

The United States Nuclear Regulatory Commission is responsible for the safe use of radioactive materials, including nuclear power generation and medical applications of radiation. The NRC publishes standards and guidelines for Information Security, as well as general information and resources about nuclear materials and products, nuclear waste materials, and other concerns.

NRC Title 10 CFR 73.54

NRC Title 10 of the Code of Federal Regulations, Part 73.54 regulates the “Protection of digital computer and communication systems and networks” used in member Nuclear Facilities. More information on CFR 73.54 is available from NRC’s website at: http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html

Page 20: Defending against industrial malware

Standards Organizations - Cont

The United States Nuclear Regulatory Commission (NRC)

NRC RG 5.71

The United States Nuclear Regulatory Commission’s Regulatory Guide 5.71 offers guidance on how to protect digital computer and communication systems and networks. RG 5.71 is not a regulatory standard but rather guidance on how to comply with the standard, which is Title 10 of the Code of Federal Regulations, Part 73.54. Information on RG 5.71 is available from NRC’s website at: http://nrc-stp.ornl.gov/slo/regguide571.pdf

Page 21: Defending against industrial malware

Standards Organizations - Cont

United States Department of Homeland Security (DHS)

The Department of Homeland Security’s (DHS) mission is to protect the United States from a variety of threats including (but not limited to) counter-terrorism and cyber security. One area where cyber security concerns and anti-terrorism overlap is in the protection of chemical facilities, which are regulated under the Chemical Facilities Anti-Terrorism Standards (CFATSs). CFATS includes a wide range of security controls, which can be measured against a set of Risk-Based Performance Standards (RBPSs).

Chemical Facilities Anti-Terrorism Standard

The Chemical Facility Anti-Terrorism Standards (CFATSs) are published by the United States Department of Homeland Security, and they encompass many areas of chemical manufacturing, distribution and use including cyber security concerns. More information on CFATS can be found on the DHS’s website at:

http://www.dhs.gov/files/laws/gc_1166796969417.shtm

Page 22: Defending against industrial malware

Standards Organizations - Cont

United States Department of Homeland Security (DHS)

CFATS Risk-Based Performance Standards

The United States Department of Homeland Security also publishes recommendations in the form of Risk-Based Performance Standards (RBPSs) for CFATS. These standards provide guidance for the compliance to the Chemical Facility Anti-Terrorism Standards. More information on the CFATS RBPS can be found on the DHS’s website at:

http://www.dhs.gov/xlibrary/assets/chemsec_cfats_riskbased_performance_standards.pdf

Page 23: Defending against industrial malware

Standards Organizations - Cont

International Standards Association (ISA)

The International Standards Association (ISA) and the American National Standards Institute (ANSI) have published three documents concerning industrial network security under the umbrella of ISA-99. These documents are: ANSI/ISA-99.02.01-2009, “Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program”; ANSI/ISA-99.00.01-2007, “Security for Industrial Automation and Control Systems: Concepts, Terminology and Models”; and ANSI/ISA-TR99.00.01-2007, “Security Technologies for Manufacturing and Control Systems.”

These documents, as well as additional information and resources relevant to ISA-99 are available at the ISA website, at:

http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821

Page 24: Defending against industrial malware

Standards Organizations - Cont

The International Standards Organization (ISO) and International Electrotechnical Commission (IEC)

The International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) produced the ISO/IEC 27002:2005 standard for “Information technology—Security techniques—Code of practice for information security management.” While ISO/IEC 27002:2005 does not apply exclusively to SCADA or industrial process control networks, it provides a useful basis for implementing security in industrial networks, and is also heavily referenced by a variety of international standards and guidelines. More information on the ISO/IEC 27002:2005 can be found on the ISO website at:

http://www.iso.org/iso/catalogue_detail?csnumber=50297

Page 25: Defending against industrial malware

Conclusions

Security through obscurity no longer works with SCADA

The belief that PLCs are not vulnerable because they are not connected to the Internet is not true

SCADA security standards and industrial security solutions can decrease attacks

Stuxnet cyberweapon looks to be one on a production line

Page 27: Defending against industrial malware
