Tuesday, August 3, 2010

Stuxnet Update

Andrew Ginter has an interesting update on the Stuxnet Worm/Trojan on the blog at FindingsFromTheField.com. A lot of his discussion is moderately technical (read – over my head), but Andrew does a good job of explaining the technical details in ways that most of us who have used industrial control systems (ICS) can understand. I recommend reading the entire post if you have an interest in control system security issues. There are two points that Andrew discusses that I would like to take a little more detailed look at.

DLL Wrapper

Andrew opens with some news he found on a Symantec blog. He writes: “Symantec reports that the worm contains a wrapper for the Siemens ‘s7otbxdx.dll’.” This is what I mean by being over my head, but he goes on to explain:

“Malware generally wraps a library when the author wants to “spoof” users of the library. Wrapping this set of functions looks to be providing the worm the ability to change data of some sort – a PLC program I think – and then hide that the data/program has changed. For instance, if it is PLC programming being changed by the worm, then any user looking at the PLC programming from a programming tool on the compromised WinCC host may not see the change. If the programming tool requests all the function blocks for display, but the return values from the library are modified by the wrapper to exclude the malicious function blocks, those blocks would be invisible to the programming tool.”

Now PLCs are the muscles of the ICS. They are the tools that the system uses to accomplish physical control of the process. In a chemical system, for instance, they control the operation of pumps and valves. If the Stuxnet Worm allows an outsider to change the directions (programming) given to these devices, there are some potentially serious and dangerous operations that an outsider could direct.

It is not unusual at specialty chemical manufacturers for incompatible chemicals to be physically piped to the same reaction vessel. They may be used in different processes in the same vessel, or even in a single process at different times where their reactivity is not a problem. To prevent the two chemicals from being added at the same time, it is a common practice to interlock the valves so that when the valves for one of the chemicals are opened the other cannot be opened. If someone could surreptitiously change that programming to open them at the same time, there could be catastrophic consequences. Many security experts dismiss this possibility because of the supposed difficulty in identifying the requisite controls and programming. Actually, many process engineers use quite clear naming conventions for valves and other controls, and interlock loops are readily recognizable. It would not be a trivial exercise, but it would certainly be doable if someone had access to the programming.

Terrorist Operations

Andrew spends most of this post answering questions from a recent Stuxnet webinar. I have not had the time to sit down and review this webinar, but I have heard a number of positive comments about the content and presentation. One of the questions that he addresses in this blog post is of particular interest here.
Question: Don’t you think that this was an initial foray that we just happened to catch, not by a military arm or foreign government, but by a terrorist organization?

Answer: I have no information as to who the authors of the worm are. Common wisdom is that terrorist organizations are not at this level of sophistication in their cyber-assaults. Common wisdom has it that a rocket-propelled grenade shot at an industrial site would be the terrorists’ preferred method of operation.
Andrew is of course correct in his assessment of ‘common wisdom’. The gap in sophistication between the development of this ‘attack vector’ and firing rockets at storage tanks is quite a gulf to overcome. Unfortunately, this analysis overlooks two important points: Stuxnet may be available for sale or rent, and there are a number of disaffected petrochemical engineers in the Jihadist Movement.

I doubt that this Trojan was developed by a terrorist organization. It required a level of sophistication and access to control systems that is not typically associated with such organizations. While it may have been developed by a bored process engineer, it could just as well have been developed by a cyber criminal organization (it would be a great industrial blackmail tool) or a cyber warfare organization of some government (take your pick of the enemy of the day). In either case, an argument could be made that providing access to the tool to an appropriate terrorist organization could be beneficial to the developing organization.

I must admit that I would be more concerned about a criminal organization being able to use this tool for industrial blackmail purposes. Causing a conspicuous industrial control system accident and then quietly demanding protection payments from other facilities would not be an unusual criminal enterprise.

In any case, as I have mentioned before, if nothing else the Stuxnet Trojan surely destroys the myth of protection via complexity that has surrounded control systems. This is perhaps the first ICS Trojan, but, if history is any guide, it certainly won’t be the last.
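To make the DLL-wrapper point concrete, here is a small Python simulation added for this page (it is not code from the post, from Andrew Ginter, or from Stuxnet). The "library", the block names and the interlock logic are all constructed; the wrapper here also restores the edited entry block, which goes one step beyond the block-hiding Andrew describes. The lesson for defenders is that an integrity check run on the compromised host through the same library is blind, while a read that bypasses the wrapper is not.

```python
"""Constructed simulation (not Stuxnet code) of a wrapped PLC-access library.
A malicious wrapper between the programming tool and the real library drops the
injected block from every listing, so an integrity check that reads through it
reports a clean program. Only a read that bypasses the wrapper detects the change.
"""
import hashlib

# Constructed "golden" program recorded at commissioning: block name -> logic.
# FC10/FC20 are the valve interlocks discussed in the post.
GOLDEN_PROGRAM = {
    "OB1": "CALL FC10; CALL FC20",
    "FC10": "VALVE_A := OPEN_A AND NOT VALVE_B",
    "FC20": "VALVE_B := OPEN_B AND NOT VALVE_A",
}

# Constructed tampered program: a hidden block defeats the interlock and the
# entry block is edited to call it.
TAMPERED_PROGRAM = dict(GOLDEN_PROGRAM)
TAMPERED_PROGRAM["OB1"] = "CALL FC10; CALL FC20; CALL FC99"
TAMPERED_PROGRAM["FC99"] = "VALVE_A := TRUE; VALVE_B := TRUE"
HIDDEN_BLOCKS = {"FC99"}  # blocks the wrapper refuses to show

def genuine_read(plc):
    """Stand-in for the real library: returns exactly what is on the PLC."""
    return dict(plc)

def wrapped_read(plc):
    """Stand-in for the malicious wrapper: filters out hidden blocks and
    restores the original entry block, so the tool sees the golden program."""
    view = {k: v for k, v in genuine_read(plc).items() if k not in HIDDEN_BLOCKS}
    if "OB1" in view:
        view["OB1"] = GOLDEN_PROGRAM["OB1"]  # mask the edited CALL list
    return view

def program_hash(blocks):
    """Order-independent SHA-256 over block names and contents."""
    h = hashlib.sha256()
    for name in sorted(blocks):
        h.update(f"{name}={blocks[name]}\n".encode())
    return h.hexdigest()

def integrity_check(read_fn, plc, golden_hash):
    """True when the program seen through read_fn matches the golden hash."""
    return program_hash(read_fn(plc)) == golden_hash

GOLDEN_HASH = program_hash(GOLDEN_PROGRAM)
```

Calling `integrity_check(wrapped_read, TAMPERED_PROGRAM, GOLDEN_HASH)` returns True (a false negative), while `integrity_check(genuine_read, TAMPERED_PROGRAM, GOLDEN_HASH)` returns False, which is why the golden hash should be compared against a read taken from a separate, trusted path rather than from the possibly compromised engineering host.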
