Friday, February 25, 2011

The Spread of Stuxnet

I have been following Stuxnet since news became generally available last summer. I thought that I had a pretty good understanding of the general operation (but certainly not the technical details) of Stuxnet, and readers have probably gotten the idea that I have been pretty concerned with the potential threat that this worm presents for the future. Realistically, I had only been mildly concerned until I read a recent paper published online by Byres, Ginter and Langill entitled “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems”. Now I’m officially very concerned.

An Overview of the ‘Attack’

What these three men have done is take the known information about how Stuxnet operates and apply it to a theoretical industrial control system that follows the current ‘best practices’ security guidance for such a system. Using that knowledge and that construct, they determined the routes that Stuxnet could use within the system to get from an attacker to a specific PLC to do its dirty work. As if that weren’t enough, at each step of the spread of the infection they posit additional pathways that could have done the same thing.

Take, for example, the initial attack vector, the zero point of the attack. Their main proposal should not surprise anyone; it is very similar to what has been assumed in the standard discussions of the Stuxnet worm – an infected USB drive. Their attack starts with (pg 14):

“In our primary scenario, a company employee returns from an off-site visit to a contractor’s facility with an infected USB flash drive. The employee has been given the infected drive deliberately by a saboteur employed at the contractor facility.”

The alternatives get a little more creative. The final one deserves special mention for reasons that will be obvious later in this post. They propose a spear phishing attack with an email carrying an infected attachment. They even went so far as to “construct a proof-of-concept dropper for Stuxnet that is based on an infected PDF”. That is scary thoroughness.

That is as far as I am going to go in describing their analysis of the transfer mechanisms for the Stuxnet attack. You can (and should) get the document yourself and read their analysis. It’s free (registration required) from the Tofino Security web site (Abterra Technologies and SCADAHacker.com link back to the Tofino site). I know that there have been some complaints about requiring a registration to read the paper, but it is a very small price to pay for an important piece of Stuxnet explication. Besides, if you’re really worried about compromising your privacy, just use a disposable email address and then never use it again.

Stuxnet and Night Dragon

The authors make the point a couple of times in this paper that the system they describe uses the commonly accepted best practices available and suggested for that kind of system. They also note that very few SCADA systems are protected as well as the construct they use for their analysis. Given the business that each of these gentlemen is involved in, one might be forgiven for assuming that the claim is a little self-serving.

That is, except for the recent report released by McAfee on the multi-year Night Dragon assault on the cyber assets of multiple large oil and gas companies. The Night Dragon report makes it clear that even the largest companies, ones with the resources (both financial and technical) necessary to protect those systems, were sadly lacking in their ability to prevent the compromise of their cyber assets by relatively unsophisticated attack tools.

One of the many routes of entry through the cyber security perimeter described in the Night Dragon report is the spear phishing attack on various personnel within the organization. It is always amazing how effective these targeted email attacks can be. And remember that Stuxnet dropper in a .PDF file? What better attack vector could there be in the real world?
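Both the PDF-based dropper from the “How Stuxnet Spreads” paper and the spear phishing entry point from the Night Dragon report come down to the same question for a defender: does an incoming attachment carry active content that runs as soon as it is opened? The following is an added triage script, written for this post and not taken from either report or from any of the vendors mentioned. It scans a PDF for the name objects that signal auto-run actions, scripting, program launches and embedded files, resolving the `#xx` hex escapes that are commonly used to hide those names from naive string matching. Both sample documents are constructed for the example; the function names are my own.

```python
import re
from collections import Counter

# PDF name objects whose presence warrants a closer look before the file is
# opened on any workstation with a path to the control network.
RISKY_NAMES = {
    "/OpenAction": "action run automatically when the document opens",
    "/AA": "additional actions triggered by page or annotation events",
    "/JavaScript": "embedded JavaScript action",
    "/JS": "JavaScript code or stream",
    "/Launch": "launches an external program or file",
    "/EmbeddedFile": "file embedded inside the PDF",
    "/RichMedia": "Flash or other rich-media content",
}
# Names that execute code or an external program on their own.
EXECUTING = {"/JavaScript", "/JS", "/Launch"}
# Names that fire an action without the user clicking anything.
TRIGGERS = {"/OpenAction", "/AA"}

_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%{}]+")   # one PDF name token
_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")       # #xx escape inside a name


def _decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so that /J#61vaScript compares equal to /JavaScript."""
    return _HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count risky names, note how many were hex-obfuscated, and assign a verdict.

    Verdicts: "not-pdf", "low" (no active content), "medium" (active content
    present, needs a human look), "high" (code that runs on open).
    """
    if not data.startswith(b"%PDF"):
        return {"is_pdf": False, "findings": {}, "obfuscated": 0, "verdict": "not-pdf"}
    counts = Counter()
    obfuscated = 0
    for raw in _NAME_RE.findall(data):
        name = _decode_name(raw)
        if name in RISKY_NAMES:
            counts[name] += 1
            if b"#" in raw:          # the name was hidden behind hex escapes
                obfuscated += 1
    found = set(counts)
    if found & EXECUTING and found & TRIGGERS:
        verdict = "high"
    elif found:
        verdict = "medium"
    else:
        verdict = "low"
    return {"is_pdf": True, "findings": dict(counts),
            "obfuscated": obfuscated, "verdict": verdict}


def report(data: bytes) -> str:
    """Human-readable summary of a scan, one line per finding."""
    result = scan_pdf(data)
    lines = [f"verdict: {result['verdict']} (obfuscated names: {result['obfuscated']})"]
    for name, n in sorted(result["findings"].items()):
        lines.append(f"  {name} x{n}: {RISKY_NAMES[name]}")
    return "\n".join(lines)


# Constructed sample documents for the example (not real malware). The second
# has the shape a PDF dropper needs: an OpenAction pointing at a hex-obfuscated
# JavaScript action, plus an embedded file object.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
5 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(f"[{label}]")
        print(report(doc))
```

The script is deliberately a first-pass filter, not a parser: it never decompresses streams, so content hidden inside a FlateDecode-compressed object stream will not be seen, and a "low" verdict means only that nothing was found in the uncompressed structure. Its value is in the "high" and "medium" cases, where an attachment can be routed to sandbox detonation or a human before anyone on the engineering network opens it.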

If you were to read these two reports back-to-back, as I just did, you would be struck by just how vulnerable our industrial control systems are to a concerted attack. “How Stuxnet Spreads” shows how easily the worm could navigate a well-protected (or at least compliant) system. Just imagine how quickly it would spread through a system that was not compliant.
