
Friday, February 25, 2011

The Spread of Stuxnet

I have been following Stuxnet since news became generally available last summer. I thought that I had a pretty good understanding of the general operation (but certainly not the technical details) of Stuxnet and readers have probably gotten the idea that I have been pretty concerned with the potential threat that this worm presents for the future. Realistically I have only been mildly concerned, that is until I read a recent paper published on-line by Byres, Ginter and Langill entitled: “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems”. Now, I’m officially very concerned.

An Overview of the ‘Attack’

What these three men have done is taken the known information about how Stuxnet operates and applied that to a theoretical industrial control system that is following the current ‘best practices’ security guidance for that system. Using that knowledge and that construct they determined the routes that Stuxnet could use in the system to get from an attacker to a specific PLC to do its dirty work. As if that weren’t enough, at each step of the spread of the infection, they posit additional pathways that could have done the same thing.

Take for example, the initial attack vector, the zero point of the attack. Their main proposal should not surprise anyone; it is very similar to what has been assumed in the standard discussions of the Stuxnet worm – an infected USB. Their attack starts with (pg 14):

“In our primary scenario, a company employee returns from an off-site visit to a contractor’s facility with an infected USB flash drive. The employee has been given the infected drive deliberately by a saboteur employed at the contractor facility.”
The alternatives get a little more creative. The final one deserves special mention for reasons that will be obvious later in this blog. They propose a spear phishing attack with an email carrying an infected attachment. They even went so far as to “construct a proof-of-concept dropper for Stuxnet that is based on an infected PDF”. That is scary thoroughness.

That’s the last I’m going to describe of the details of their analysis of the transfer mechanisms for the Stuxnet attack. You can (and should) get the document yourself and read their analysis. It’s free (registration required) from the Tofino Security web site (Abterra Technologies, and SCADAHacker.com link back to the Tofino site). I know that there have been some complaints about requiring a registration to read the paper, but it is a very small price to pay for an important piece of Stuxnet explication. Besides, if you’re really worried about compromising your privacy, just use a disposable email address and then never use it again.

Stuxnet and Night Dragon

The authors make the point a couple of times in this paper that the system they are describing is using the commonly accepted best practices available and suggested for that system. They also note that very few SCADA systems are protected as well as the construct that they use for their analysis. Given the business that each of these gentlemen is involved in, one might be forgiven for assuming that that claim might be a little self-serving.

That is, except for the recent report released by McAfee on the multi-year Night Dragon assault on multiple, large oil and gas company cyber-assets. The Night Dragon report makes it clear that even the largest companies, ones with the resources (both financial and technical) necessary to protect those systems, were sadly lacking in their ability to prevent the compromise of their cyber assets by relatively unsophisticated attack tools.

One of the many routes of entry into the cyber security perimeter described in the Night Dragon report is the spear phishing attack on various personnel within the organization. It is always amazing how effective these targeted email attacks can be. And remember that Stuxnet dropper in a .PDF file? What better attack vector in the real world?

If you were to read these two reports, back-to-back, like I just did, you would be struck by just how vulnerable our industrial control systems are to a concerted attack. “How Stuxnet Spreads” shows how easily the worm could navigate a well protected (at least compliant) system. Just imagine how quickly it would spread through a system that was not compliant.

Thursday, February 17, 2011

Night Dragon Analysis

Last week I wrote about the Night Dragon vulnerability report put out by DHS ICS-CERT. I did a fairly straightforward report on the ICS-CERT report, though I did note that I was surprised at how simple the attack processes were. Yesterday Andrew Ginter at the Control System Security blog did a much more extensive analysis of the importance of this attack.

I want you to pay particular attention to one specific point that Andrew made. He wrote:

“The McAfee report doesn't say it outright, but it seems very likely that this same adversary could have taken over and sabotaged the physical processes behind the control systems they compromised, if they had been given that objective. The team had remote control of all the control system assets they compromised, and a remote-control tool on a computer with HMI capabilities gives the attacker control of the physical process through the HMI [human machine interface].”
That combined with the point that Andrew and I both made that this was not a sophisticated attack should cause a lot of people to be very disturbed. Stuxnet was a complex attack tool that cost a lot of money and expertise to develop. It is unlikely that criminals or terrorists could be expected to develop attacks that sophisticated. Since most facilities are not going to run afoul of State level agencies, they are at little risk of being attacked by such high-level original programs.

What Night Dragon is so effective at pointing out is that it does not require Stuxnet-level sophistication to execute an attack on a control system. There are a whole host of less sophisticated attack tools that are readily available that can be used for a Night Dragon-like attack. Many of these tools are available for free download, others are for sale. More importantly, there are a wide variety of people out there who are very skilled in the use of these tools and who are more than willing to sell or rent their skills and expertise in this field.

Fortunately, defending against these types of attacks is also well understood. Andrew, who is in the business of defending cyber control systems, points out the basic techniques:

• “Look seriously at whitelisting/application control/HIPS protections,

• “Increase network segmentation,

• “Strengthen firewall rules, reducing the number and scope of connections,

• “Reduce the number and scope of VPN connections,

• “Install anomaly-based host and network intrusion detection systems,

• “Consider multi-factor authentication to reduce the impact of stolen or cracked passwords, and

• “Consider isolating the most critical parts of your control systems entirely with unidirectional diodes/gateways.”
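
The infection-path analysis described in the first post above (routes from an attacker to a PLC through a best-practice network) and the segmentation, VPN and unidirectional-gateway recommendations just quoted can be illustrated with a small path-enumeration model. This is an added example, not code from the paper or from Andrew's blog; the zones, services and permitted connections are constructed assumptions, not the paper's actual topology.

```python
"""Toy infection-path model for a zoned ICS network (constructed example).

Every edge is a permitted connection: (source_zone, destination_zone, service).
The topology below is an assumption for illustration, not the paper's model.
"""
from collections import defaultdict

# Constructed baseline: a reasonably segmented plant with two VPN entry points.
BASELINE_EDGES = [
    ("internet", "enterprise", "email"),        # phishing mail with infected attachment
    ("internet", "enterprise", "vpn"),          # remote-access VPN into the corporate LAN
    ("contractor_usb", "control", "usb"),       # removable media carried in from a contractor
    ("enterprise", "dmz", "historian_sync"),
    ("dmz", "control", "historian_sync"),
    ("enterprise", "control", "vpn"),           # vendor VPN terminating in the control zone
    ("control", "plc", "s7comm"),               # engineering workstation to PLC
]

# Physical media is not a network connection, so a data diode does not block it.
PHYSICAL_MEDIA = {"usb"}

def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, service in edges:
        graph[src].append((dst, service))
    return graph

def find_paths(edges, start, target):
    """Enumerate all simple directed paths from start to target (DFS)."""
    graph = build_graph(edges)
    paths = []
    def dfs(node, visited, trail):
        if node == target:
            paths.append(list(trail))
            return
        for nxt, service in graph[node]:
            if nxt not in visited:
                dfs(nxt, visited | {nxt}, trail + [f"{node}->{nxt}:{service}"])
    dfs(start, {start}, [])
    return paths

def apply_mitigations(edges, drop_services=(), unidirectional=()):
    """Drop whole services (e.g. VPN) and all inbound network edges to zones
    placed behind a unidirectional gateway; physical media edges remain."""
    return [e for e in edges
            if e[2] not in drop_services
            and not (e[1] in unidirectional and e[2] not in PHYSICAL_MEDIA)]

if __name__ == "__main__":
    for path in find_paths(BASELINE_EDGES, "internet", "plc"):
        print(" / ".join(path))
    hardened = apply_mitigations(BASELINE_EDGES, {"vpn"}, {"control"})
    print("internet->plc paths after hardening:", len(find_paths(hardened, "internet", "plc")))
    print("usb->plc paths after hardening:", len(find_paths(hardened, "contractor_usb", "plc")))
```

Removing the VPN services and isolating the control zone with a diode eliminates every network path from the internet to the PLC in this model, but the carried-in USB path survives, which is exactly the primary scenario the paper starts from.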
ICS-CERT has an entire publication dealing with the basic security techniques designed to deal with this type of attack: Control System Security Program (CSSP) Recommended Practices.

Another important component of protecting against this common level of attack is training. So much of cyber security depends on computer users being aware of the potential types of attacks, actively watching their systems, including emails, for evidence of these attacks and taking the appropriate response.

The McAfee paper made it clear that a key tool in executing these types of attacks is phishing and spear phishing. Finding the weak link in a company security system can allow for operation behind many of the security defenses. Ensuring that all computer users are adequately trained to do their part in defending sensitive computer systems is a key part of any cyber security system. Particular attention needs to be paid to any computer user that has routine remote access to the corporate or ICS networks.

While we have been justifiably concerned with advanced attack techniques like Stuxnet, Night Dragon reminds us that more common attacks still have the potential to provide a route into our control systems.

Friday, February 11, 2011

DHS ICS-CERT Advisory on Night Dragon

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory giving a brief overview of the McAfee Night Dragon Report. This ‘Night Dragon’ (the McAfee code name) cyber attack on multiple companies in the oil and gas sector was mainly an IT system cyber espionage attack; ICS-CERT notes that data was also collected from SCADA systems.

There is an article on CNET.com that provides a better narrative about the long-term operation that apparently originated from China, and ICS-CERT was kind enough to give the link to the McAfee white paper about this attack. While both of those sources are worth reading, this Advisory provides a brief and concise description of the indicators of the various parts of the attack code that would allow a cyber security team to determine if their systems were similarly attacked.

There is nothing in these reports that indicates that ICS attacks did anything more than collect information from the affected control systems. However, we now know (thanks to analysis of the Stuxnet worm) that the types of information collected from SCADA systems might allow a targeted Stuxnet-like attack on those systems. More importantly, this attack methodology would apparently allow an attacker to gain the ICS system access necessary to initiate a Stuxnet-like attack.

The scariest thing about Night Dragon is not the extent of the attack, but the fact that this apparently very successful attack used no new vulnerabilities, technology or techniques. The use of spear phishing attacks to compromise VPN accounts should be of special concern to ICS security managers. It is obvious that ICS users with authorized remote access via VPN need to have recurrent training on identification and avoidance of spear phishing attacks.