Monday, January 17, 2011

Ralph Langner Review

Readers of this blog will be well familiar with the name of Ralph Langner who has done so much work on decoding the targeting tools of the Stuxnet worm. I’ve written about his blog posts on a number of occasions. Well, Ralph has finally combined his descriptions of the various parts of that worm into a single article available at While this article was written for control systems engineers (and thus contains a lot of ‘code injection’, data block names, and other technical information) in my opinion the most important part of the article is the less technical discussion found in the last section.

Once again Ralph makes a very strong case for his warning that the Stuxnet codes can be re-used by skilled attackers. This could allow them to craft new attack codes that could be used to attack completely different process systems. He explains that the most effective attacks would still require similar levels of target process knowledge, but that generic attacks could be executed with next to no process information. I have discussed both of these possibilities in earlier blogs, but Ralph’s technical background and detailed Stuxnet knowledge lends much more credence to this prediction.

Ralph provides a very brief description of what he thinks it will take to defend against these Stuxnet-like attacks. He briefly dismisses ‘defense-in-depth’ because it doesn’t address the issue of controller compromise. I think this dismissal may be a little overdone because these techniques may make the compromise of controllers more difficult. But Ralph is correct, current cyber security measures do not specifically prevent controller level problems.

Ralph does, however, provide a brief description of a more effective preventive measure:

“The most effective prevention of controller hijacking would be digitally signed controller code and configuration. With today's technology, this can be implemented easily [emphasis added]. It can be expected that controller vendors will see this as a major business opportunity because the outlook to replace millions of controllers before end-of-lifetime with upgraded product versions means a multi-million dollar market.”
Since English is a second language for Ralph (though he uses it better than many native-speaking bloggers), it is hard to tell whether the phrase ‘implemented easily’ is sarcasm or simply a gross understatement of the difficulties involved. He does mention the cost of the controllers, but he completely ignores the process upsets that wholesale replacement of controllers would cause.

I do love the final sentence of the article, though. Ralph writes:

“Less efficient, but much cheaper solutions have just become available that detect and report configuration and code changes of network-attached S7 controllers.”
Readers of this blog will remember that Ralph’s company is the one that is selling this ‘solution’. Ralph has been clear that it does not prevent someone from modifying controller programming, but it does alert the user to any such change, hopefully allowing the controller to be shut down before there is any serious damage done to the process. Of course, in many chemical processes that shutdown may cause serious repercussions.
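The two approaches above, a signed baseline of controller code and configuration and a monitor that reports any change against it, can be sketched in a few dozen lines. The following is an added example written for this post; it is not code from Ralph's article or from his company's product. The block contents are constructed placeholders (the names OB1, FC1 and DB1 are only illustrative), the "controller read" is a dictionary rather than a real S7 connection, and the manifest is protected with an HMAC rather than the asymmetric signature a vendor would use, so that the example runs with the Python standard library alone. As on the page, the monitor only detects and reports; it does not block a change.

```python
import hashlib
import hmac
import json

# Constructed sample of what a read of a controller's program memory might
# return, keyed by block name. Not real S7 blocks; illustration only.
BASELINE_BLOCKS = {
    "OB1": b"CALL FC1\nCALL FB1,DB1\nBE",
    "FC1": b"L  DB1.DBW0\nT  PQW256\nBE",
    "DB1": b"\x00\x10\x00\x00\x3e\x80",
}


def fingerprint(blocks):
    """SHA-256 hex digest of every block's bytes, keyed by block name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}


def sign_manifest(fingerprints, key):
    """Serialise the fingerprints canonically and attach an HMAC-SHA256 tag.

    Stand-in for the vendor/operator signature over controller code and
    configuration; a production scheme would use an asymmetric signature so
    the controller never holds a secret that can also forge a manifest.
    """
    payload = json.dumps(fingerprints, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify_manifest(manifest, key):
    """Check the tag before trusting any fingerprint in the manifest."""
    expected = hmac.new(key, manifest["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest signature invalid")
    return json.loads(manifest["payload"])


def diff_against_baseline(baseline_fp, current_blocks):
    """Report blocks added, removed or modified relative to the trusted baseline."""
    current_fp = fingerprint(current_blocks)
    report = {"added": [], "removed": [], "modified": []}
    for name in sorted(set(baseline_fp) | set(current_fp)):
        if name not in baseline_fp:
            report["added"].append(name)
        elif name not in current_fp:
            report["removed"].append(name)
        elif baseline_fp[name] != current_fp[name]:
            report["modified"].append(name)
    return report


def check_controller(manifest, key, current_blocks):
    """One monitoring pass: verify the signed baseline, then diff the live read."""
    baseline_fp = verify_manifest(manifest, key)
    return diff_against_baseline(baseline_fp, current_blocks)


if __name__ == "__main__":
    # Constructed key; in practice the manifest would be signed with the
    # operator's private key and verified with the matching public key.
    key = b"constructed-demo-key"
    manifest = sign_manifest(fingerprint(BASELINE_BLOCKS), key)
    print(check_controller(manifest, key, BASELINE_BLOCKS))
    changed = dict(BASELINE_BLOCKS)
    changed["FC1"] = b"L  DB1.DBW2\nT  PQW256\nBE"
    print(check_controller(manifest, key, changed))
```

The point the example makes is the one Ralph makes: signing moves the trust decision to the moment the manifest was created, so a later change to FC1 shows up as a mismatch no matter how it got there, while a monitor built on the same fingerprints can only raise the alarm after the fact.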


In any case, anyone who is responsible for the security of control systems ought to read this article. I think congressional staffers working on cyber security legislation also need to take note of what Ralph is saying. We can no longer afford to ignore control system cyber security when we discuss protecting computer systems.
