Microsoft Outlook Support


Friday, 26 November 2010

Stuxnet - The First Worm of Many for SCADA?

Posted on 09:37 by Unknown

Dominic Storey, Technical Director, Sourcefire EMEA. August 2010

Stuxnet - What is it?

In early July, a new type of attack emerged that grabbed the attention of security managers across the world and also, for the first time, those managing industrial networks and the systems that comprise the national critical infrastructure. Their interest was gained because the new attack – called Stuxnet – targeted Siemens Supervisory Control and Data Acquisition (SCADA) systems.

There are quite a few noteworthy items about Stuxnet:

  • It exploits a Microsoft Windows vulnerability in the processing of shortcuts (e.g. desktop shortcut icons).

  • It bypasses user account restrictions, so running a limited access account offers no protection.

  • Although its observed entry point into the network so far has been via USB media, its infection vector also works on any network attached storage.

  • A user does not have to run anything – simply opening an infected folder and viewing the file icons is enough to infect their machine.

  • It targets Siemens Simatic WinCC and PCS 7 industrial process management software and attempts to access those systems' databases by using known passwords.

  • It is designed to transmit any information gathered to an external source.

What seemed to surprise many people was that although Siemens responded with a fix, they advised their customers not to change the passwords of these systems. This advice makes sense when you consider what these systems do – control industrial processes in power stations, chemical plants, hospitals and so on. Their concern was that due to the complex distributed nature of these critical systems, a hastily implemented password change could cause system authentication failures and knock-on effects that could adversely affect process operation with potentially catastrophic consequences.

This highlights the problems plaguing organizations that run process control networks. Network connectivity has increased, but network security has not kept pace with it. The proprietary devices that control, sense and manage these processes have been replaced by common off-the-shelf (COTS) components running Microsoft Windows and Linux. Although these devices have their own internal levels of security, their communications protocols, such as Modbus and DNP3, offer little protection against attack. In particular, security researchers are concerned about:

  • The lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks

  • The belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces

  • The belief that SCADA networks are secure because they are physically secured

  • The belief that SCADA networks are secure because they are disconnected from the Internet

Many of these beliefs are unfounded and, with the advent of Stuxnet, managers are coming to the realisation that this is the case. Stuxnet raises the bar on sophistication and has been widely considered by the security community to be the first of many types of weaponised malware structured for industrial espionage.

What actions can be taken to protect these networks? A defence-in-depth strategy is recommended, with multiple layers of defence, such as encryption, firewalls, access control, intrusion detection, compliance enforcement and anti-virus protection. And of course, awareness is everything.

Increasing Awareness, Retrofitting Security

Sourcefire in particular can help managers understand what is happening on their network. Sourcefire provides three key products that are especially useful in a process control environment:

  • Sourcefire 3D sensor running Snort™ for intrusion detection. Snort sensors can be deployed passively with zero impact on the process control network, or in-line to provide intrusion prevention. Amongst IPS systems, Snort has a clear advantage in that its rules are transparent and open; indeed the Snort rules language has become the de facto method of exchanging intrusion detection rules between systems. Many government national critical infrastructure bodies publish Snort rules that can be imported into Sourcefire 3D systems to provide protection. Sourcefire 3D IPS includes a set of SCADA rules to identify common problems and already has a rule to protect against WinCC database access attempts using the default password.

  • Sourcefire 3D sensor running Real-time Network Awareness™. RNA provides network discovery with zero risk on process control networks by acquiring information about hosts by totally passive means. RNA can identify operating system and service vendor and versions for common equipment using built-in rules that can be easily extended to deal with proprietary process control hardware and software. Most importantly, the discovery process happens in real-time and can be correlated by the Defense Center to perform impact correlation and data reduction of events on the process control network.

  • Sourcefire Defense Center (DC). The DC is roughly equivalent to a combined HMI and PLC, in that it provides control over a distributed network of sensors, acquires data from them and presents that data to the human operators. The DC includes powerful analytics and a rules processor, enabling it to perform functions such as network behavioural analysis and process control device network compliance enforcement. The DC can also interface to many other devices in the network, from SNMP-based monitoring systems, directory servers, mail servers and other monitoring systems to switches, firewalls, routers and other network control systems, giving managers ultimate flexibility in integrating network security with their process control network.
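As an added illustration of the two controls described above (not a rule from the original article, from Sourcefire or from Siemens), here is how they could be expressed in the open Snort rules language the article refers to: a policy rule that flags any host outside a defined set of engineering stations opening a connection to the WinCC database server, and a detection rule for logins with the default WinCC database account. The `ipvar`/`portvar` names and addresses, the sid values and the account name are assumptions or placeholders; the WinCC database is assumed to be Microsoft SQL Server listening on TCP 1433, and the default account name is left as a placeholder because the article does not give it.

```snort
# Added example, not a Sourcefire/VRT rule. The variables would be defined in
# snort.conf (addresses below are constructed, not from the article):
#   ipvar   WINCC_DB_SERVERS [10.0.10.5]       # WinCC database host
#   ipvar   ENGINEERING_WS   [10.0.20.0/24]    # stations allowed to use it
#   portvar WINCC_DB_PORTS   [1433]            # assumes MS SQL Server

# 1. Policy rule: only the known engineering stations should ever open a
#    connection to the WinCC database server. It fires once the TCP session
#    is established, so it works on a passive (IDS) sensor as well as in-line.
alert tcp !$ENGINEERING_WS any -> $WINCC_DB_SERVERS $WINCC_DB_PORTS ( \
    msg:"SCADA POLICY unexpected host connecting to WinCC database"; \
    flow:to_server,established; \
    classtype:policy-violation; \
    sid:1000001; rev:1; )

# 2. Detection rule: a TDS LOGIN7 packet (type byte 0x10) whose user name is
#    the default WinCC database account. TDS carries the user name as
#    UTF-16LE, so each ASCII character is followed by a |00| byte: for an
#    account named ABC the match would be content:"A|00|B|00|C|00|".
#    Replace DEFAULT_ACCOUNT_NAME with the real account name from Siemens'
#    advisory, encoded the same way; it is a placeholder here.
alert tcp any any -> $WINCC_DB_SERVERS $WINCC_DB_PORTS ( \
    msg:"SCADA ATTACK WinCC database login attempt with default account"; \
    flow:to_server,established; \
    content:"|10|"; depth:1; \
    content:"DEFAULT_ACCOUNT_NAME"; nocase; \
    classtype:attempted-admin; \
    sid:1000002; rev:1; )
```

The first rule is the one to tune carefully: the article's point that hastily changing SCADA passwords can break process operation applies equally to blocking, so run it in passive alert mode until the list of legitimate clients is confirmed.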

Sourcefire 3D has also been widely adopted by organizations that need to protect their corporate networks against sophisticated attacks and has fast become the de facto standard for large financial, pharmaceutical and government institutions across the world. If your organization falls into this camp, there is added benefit in standardizing on Sourcefire for your process control network – cost of ownership can be reduced and management can be simplified. And since the DC supports multi-tiered operation and role-based administration, process control engineers will no longer have to fight the IT department for access, or give up their autonomy in the environment they work in.

Summary

As process control networks become increasingly connected to the Internet, their exposure to a wider range of sophisticated attacks grows. Sourcefire has a powerful solution that can be applied to corporate and process control networks alike. As Stuxnet has shown, the problem is only going to get worse, but with Sourcefire 3D, protection can be extended to encompass both networks.
