Stuxnet: Are We Safe Now? Of Course Not...

Tuesday, January 31, 2012

Pierluigi Paganini

(Translated from the original Italian)

Once again I draw inspiration from the debate over Stuxnet, about which much is being written on the web at the moment and which will be discussed for years to come.

Stuxnet has been called a deadly weapon, but is the direct damage recorded, if any, comparable to that of other malware? The answer lies in the nature of the malware, which was designed around a detailed analysis of its final target environment.

Behind Stuxnet there was evidently a meticulous intelligence effort that, for the first time in history, embraced the world of information technology to design what is considered the first real cyber weapon.

No one dares to speculate on the paternity of the agent, but it is clear that it was designed with the intent to strike the Iranian nuclear program, and even clearer is who has always opposed such a program: the U.S. and Israel.

Consider also that the technological skill necessary to develop a weapon with the observed architecture is really high. Personally, I find two factors of the event extremely important:

  • the choice of control systems as target of the malware
  • the conception of the virus as an open project: a modular system for which a development platform was designed, used to assemble deadly cyber weapons according to the final targets

The first factor leads to an important consideration - those who developed Stuxnet have long known of the vulnerabilities of industrial control systems, an aspect of which the whole world has become aware only after the event.

Today we can count how many SCADA systems are exposed on the internet, vulnerable because many of them are badly configured or have design flaws. The control systems are the Achilles heel of strategic plants with otherwise invulnerable perimeter security; they represent an open door that only the insiders know.

Not only that, Stuxnet has provided evidence of a deep knowledge of the systems present in the target nuclear plant, demonstrating a meticulous intelligence action that left no stone unturned - even the photos published on the occasion of President Ahmadinejad's visit to some of the Iranian nuclear sites.

Regarding the second point, it has been discovered that the platform behind Stuxnet - called a "Tilded Platform" - was also used for the development of the Duqu malware. It makes possible the development of a set of reusable tools, a true innovation that allows the composition of ever new and enhanced agents, with modules developed to fulfill specific functions against clearly defined targets.

Another aspect that is not negligible is the public autopsy of Stuxnet carried out by researchers all over the world, which has opened minds to a new topic: the development of a cyber weapon with those specific features. Security professionals now have a much clearer idea of how this kind of cyber weapon works, and this has opened discussion of dangerous future scenarios.

The victims themselves will surely work in the same way to attack Western facilities - are we ready to prevent this kind of offensive? Let me say not yet - I speak for Italy, a nation that is facing serious economic problems like other European countries. ENISA has proposed several guidelines, but we are far from implementing them, and we are exposed to a big threat.

According to several interviews with security specialist Ralph Langner, considered the father of the Stuxnet experts, we are under attack and we have no idea of the potential of those agents, which theoretically could remain in stealth mode inside the target, avoiding security systems for several years, gathering information and preparing the final attack.

These types of attacks are usually carried out covertly over a long period to avoid the malware's activity being noticed. We need to improve forensic techniques to identify the threats and eradicate them - today major installations and critical infrastructure really are not prepared, at least that is the thinking of Langner.

Langner is convinced that we presently don't have intrusion detection systems (IDS) that are able to detect this advanced malware. We are fighting an invisible enemy, so from a technology point of view we have to develop a solution to the problem and create a product capable of doing this.

Another aspect not to overlook is the belief that the control systems of the major manufacturers, common in every industry sector, are absolutely secure. This belief, and the lack of information about the risks associated with their use, is the basis of a lack of awareness of the threat. Langner argues that a more humble and collaborative approach by companies like Siemens would no doubt help to combat the threat more effectively.

Contrary to much of the public reporting on Stuxnet, however, Langner said that the worm was not designed to destroy the Natanz facility, but rather to secretly and stealthily control the process and steer it into a virtual ditch.

The analysis conducted by Langner has revealed that we are faced with an incredibly deep understanding of the functioning of the Siemens Simatic software and the centrifuges that the Iranians relied on.

"These guys know the centrifuges better than the Iranians," Langner said of the Stuxnet authors. "They know everything. They know the timing, they know the inputs, and they know it by heart."

Stuxnet's authors did not use a particularly sophisticated hack; they simply took advantage of a questionable design decision made by Siemens to make the controller's input process image read-write instead of read-only, allowing it to store process inputs and execute them using the PLC controller interface.
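A toy model of that design point, as an added example that is not from the original article and is not Siemens or Stuxnet code: it contrasts a writable input process image with a read-only one and adds a simple integrity check a defender could run per scan. The sensor name, threshold, scan structure and all function names are assumptions made for illustration.

```python
from types import MappingProxyType

LIMIT_HZ = 1200  # constructed trip threshold for the toy safety logic

def read_sensors(t):
    """Constructed sample data: the measured speed climbs each scan."""
    return {"rotor_hz": 1000 + 50 * t}

def safety_logic(image):
    """Legitimate control logic: trip when the value it sees is too high."""
    return image["rotor_hz"] > LIMIT_HZ

def rogue_block(image, stored):
    """Stand-in for unauthorised code that runs before the legitimate logic
    and writes previously stored input values over the live ones."""
    for name, value in stored.items():
        image[name] = value

def scan(t, stored, read_only):
    """One scan cycle: latch inputs, run the rogue block, run safety logic."""
    physical = read_sensors(t)
    image = dict(physical)                       # input process image
    view = MappingProxyType(image) if read_only else image
    write_blocked = False
    try:
        rogue_block(view, stored)
    except TypeError:                            # read-only view rejects writes
        write_blocked = True
    return {
        "seen_hz": view["rotor_hz"],
        "trip": safety_logic(view),
        "write_blocked": write_blocked,
        # Defender's check: the image must still equal what was latched.
        "image_tampered": image != physical,
    }

if __name__ == "__main__":
    stored = read_sensors(0)                     # values captured at t=0
    for mode in (False, True):
        print("read_only =", mode, scan(6, stored, read_only=mode))
```

With the writable image the safety logic sees the stale stored value and never trips, while the per-scan comparison against the latched inputs flags the discrepancy; with the read-only view the write is rejected and the logic trips on the real value.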

This event must alert the entire industry community to the threat, because those control systems are vulnerable due to design flaws.

In conclusion, we can raise serious doubts about the immediate effectiveness of preventive measures against this new generation of cyber weapons, because the industry in general is still too vulnerable. Possible evolutions of malware could cause serious damage to infrastructures that use the systems in question.

The only way to emerge unscathed from this awkward situation is with close collaboration between industry, leading manufacturers of control systems and governments, hoping that security will become a requirement in the design phase.

Cross-posted from Security Affairs