
First Things First: Responding to Threat such as Stuxnet


Published in: Technology

FIRST THINGS FIRST
7 things a chemical process professional should do to secure their facility from unwanted intrusion

John A. Cusimano
  • Director of Security Solutions for exida
  • President, Byres Research
  • Executive Director, Security Incidents Organization
  • ISA S99 committee (voting member)
  • ISA Security Compliance Institute (voting member)
  • Formerly with Moore Products / Siemens:
    QUADLOG Product Manager
    Global Process Safety Business Development
    Process Automation Market Development Manager
  • CFSE, Certified Functional Safety Expert
Copyright © 2010 - exida

Stuxnet Summary
  • First malware specifically targeting industrial control systems
  • First discovered in June 2010 (in circulation since June 2009)
  • Has the ability to reprogram Siemens S7 PLCs
  • Infects Siemens SIMATIC software running on Windows PCs
  • Uses the SIMATIC software to read S7 PLC memory and overwrite function blocks (FBs) with its own code, hidden from the user
  • Spreads via USB memory sticks, local networks and Step 7 project files
  • Thousands of PCs infected worldwide (predominantly Iran, India and Indonesia)
  • Approximately 17 cases reported on SIMATIC systems

What is Stuxnet?
  • Computer worm
  • Infects Microsoft Windows computers: Windows 2000, Windows XP, Server 2003, Vista, Server 2008, Windows 7
  • Infects Siemens SIMATIC software and embedded controllers: WinCC, PCS 7, SIMATIC Manager, Step 7, S7-315 and S7-417 PLCs

Actions
  • After infecting the computer, it looks for Siemens SIMATIC software (SIMATIC Manager, Step 7, WinCC, PCS 7)
  • Replaces Step 7 DLLs to hide the PLC logic changes from the user
  • Looks for connected PLCs (S7-315 and S7-417 models)
  • Reads the PLC, looking for specific configuration information
  • If found, injects code into the PLC (replaces the PROFIBUS driver, OB1 and OB35, and injects additional FBs)
  • Waits for a trigger (0xDEADF007), then executes
  • Self-propagates (see "Propagation")

Consequences
  • Purpose appears to be to reprogram and sabotage very specific targets
  • Little effect on Windows systems that are not running SIMATIC software
  • Modifies offline configuration files on systems running SIMATIC software but not connected to a PLC
  • Monitors and reprograms connected PLCs (S7-315 and S7-417 models)
  • Executes the modified program if it finds its target and the trigger condition exists; consequences unknown

Propagation
  • Infected USB memory sticks
    Uses the shortcut vulnerability (MS10-046)
    Earlier versions used an Autorun exploit
  • Local networks
    Network shares
    Print spooler vulnerability (MS10-061)
    Server service vulnerability (MS08-067)
    WinCC: logs into the SQL server using WinCC's hardcoded password
  • SIMATIC project files
    Copies itself into STEP 7 project files (*.S7P, *.MCP and *.TMP) and auto-executes when the project is opened

Spread
  • Versions of Stuxnet were first detected in March 2009, according to Microsoft
  • Under continued development: the authors added additional components, encryption and exploits
  • Approximately 100,000 infected hosts as of late September 2010
  • According to the Siemens website, there are 15 known control systems that have been infected by the Stuxnet malware

Detection & Removal
  • All major anti-virus vendors have had signatures since July 25, 2010
  • ICS-CERT has released an advisory listing the primary Stuxnet indicators
  • Siemens has released a utility (Sysclean) for detecting and removing the virus, and the SIMATIC Security Update patch
  • Windows patches are available for three of the vulnerabilities (MS08-067, MS10-046 and MS10-061)
  • Two other vulnerabilities that allow escalation of privilege are still unpatched (as of 8 Oct 2010)
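The Propagation and Detection & Removal slides above give the indicators an engineer would check on a Step 7 workstation. The Python triage script below is an added example, not exida's or Siemens's tooling (the Siemens Sysclean utility is a separate product). It runs offline over a constructed host inventory. The KB numbers are the Microsoft hotfixes for the three patched bulletins (KB958644 for MS08-067, KB2286198 for MS10-046, KB2347290 for MS10-061); the DLL name s7otbxdx.dll and the renamed original s7otbxsx.dll come from public Stuxnet analyses rather than from the deck; the sample host data, file contents, project paths and shortcut paths are made up for the example.

```python
"""Host triage for the Stuxnet indicators named on the slides.

Added example. Runs offline over a constructed inventory of an engineering
workstation; a real collector would fill the same fields from the host
(installed hotfixes, file contents, shortcut targets on removable media).
"""
import hashlib

# Microsoft KB article numbers for the three bulletins the slides say are patched.
REQUIRED_HOTFIXES = {
    "KB958644": "MS08-067 Server service",
    "KB2286198": "MS10-046 shortcut (.lnk) handling",
    "KB2347290": "MS10-061 print spooler",
}

# The slides say Stuxnet replaces Step 7 DLLs. Public analyses name the
# replaced library s7otbxdx.dll and report the original is kept as
# s7otbxsx.dll; both names are taken from those analyses, not from the deck.
STEP7_DLL = "s7otbxdx.dll"
RENAMED_ORIGINAL = "s7otbxsx.dll"

# STEP 7 project file extensions from the Propagation slide; none of them
# should hold a Windows executable image (which starts with the "MZ" header).
PROJECT_EXTS = (".s7p", ".mcp", ".tmp")
PE_MAGIC = b"MZ"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_patches(installed_hotfixes):
    return [f"missing {kb} ({why})" for kb, why in REQUIRED_HOTFIXES.items()
            if kb not in installed_hotfixes]


def check_step7_dll(s7bin_files, baseline_hash):
    """s7bin_files maps lower-case file names in the Step 7 binary directory to
    their contents; baseline_hash is the SHA-256 of the DLL from a known-clean
    install of the same Step 7 version."""
    findings = []
    dll = s7bin_files.get(STEP7_DLL)
    if dll is None:
        findings.append(f"{STEP7_DLL} not present")
    elif sha256(dll) != baseline_hash:
        findings.append(f"{STEP7_DLL} does not match the known-good hash")
    if RENAMED_ORIGINAL in s7bin_files:
        findings.append(f"{RENAMED_ORIGINAL} present: original DLL has been renamed")
    return findings


def check_project_files(project_files):
    """project_files maps path -> leading bytes of the file."""
    return [f"executable image stored as project file {path}"
            for path, head in project_files.items()
            if path.lower().endswith(PROJECT_EXTS) and head.startswith(PE_MAGIC)]


def check_removable_shortcuts(shortcuts):
    """shortcuts is a list of (lnk_path, referenced_path) pairs parsed from
    removable media; a shortcut that references a .tmp file is the pattern
    used with the MS10-046 shortcut flaw."""
    return [f"{lnk} references {target}" for lnk, target in shortcuts
            if target.lower().endswith(".tmp")]


def triage(inventory, baseline_hash):
    return {
        "patches": check_patches(inventory["hotfixes"]),
        "step7_dll": check_step7_dll(inventory["s7bin"], baseline_hash),
        "project_files": check_project_files(inventory["project_files"]),
        "removable_media": check_removable_shortcuts(inventory["shortcuts"]),
    }


# Constructed sample data. CLEAN_DLL stands in for the vendor's library.
CLEAN_DLL = b"MZ" + b"\x00" * 64 + b"clean s7otbxdx"
BASELINE = sha256(CLEAN_DLL)

CLEAN_HOST = {
    "hotfixes": set(REQUIRED_HOTFIXES),
    "s7bin": {STEP7_DLL: CLEAN_DLL},
    "project_files": {r"D:\Projects\Unit1\Unit1.s7p": b"\x00\x00project header"},
    "shortcuts": [],
}

SUSPECT_HOST = {
    "hotfixes": {"KB958644", "KB2347290"},  # MS10-046 not applied
    "s7bin": {STEP7_DLL: b"MZ" + b"\x00" * 64 + b"trojaned",
              RENAMED_ORIGINAL: CLEAN_DLL},
    "project_files": {
        r"D:\Projects\Unit1\Unit1.s7p": b"\x00\x00project header",
        r"D:\Projects\Unit1\S7Temp\cache.tmp": b"MZ\x90\x00dropped dll",
    },
    "shortcuts": [(r"E:\report.lnk", r"E:\~tmp0001.tmp")],
}

if __name__ == "__main__":
    for host, inv in (("clean", CLEAN_HOST), ("suspect", SUSPECT_HOST)):
        print(host, triage(inv, BASELINE))
```

The DLL check deliberately compares against a hash taken from a clean install rather than a list of bad hashes, so it also catches the next trojaned build; the project-file check uses the same idea (a project file should never be a PE image) instead of a signature.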
Security Lifecycle (diagram)

ASSESSMENT
  • Evaluate current control system design, architecture, policies and practices
  • Compare results to standards & best practices
  • Identify gaps and provide recommendations for closure
  Benefits:
  • Provides management with a solid understanding of the current situation, gaps and path forward
  • Helps identify and prioritize investments
  • First step in developing a security management program

POLICY & PROCEDURE
  • Establish control system security policies & procedures
    Scope
    Management support
    Roles & responsibilities
  • Specific policies
    Remote access
    Portable media
    Patch management
    Anti-virus management
    Change management
    Backup & restore
  • References

AWARENESS & TRAINING
  • Make sure personnel are aware of the importance of security and of company policies
  • Provide role-based training for:
    Visitors
    Contractors
    New hires
    Operations
    Maintenance
    Engineering
    Management

NETWORK SEGMENTATION
  • Defense-in-depth strategy
  • Partition the system into distinct security zones
    Logical grouping of assets sharing common security requirements
    There can be zones within zones, or subzones, that provide layered security
    Zones can be defined physically and/or logically
  • Define security objectives and strategy for each zone
    Physical
    Logical
  • Create secure conduits for zone-to-zone communications
  • Install boundary or edge devices where communications enter or leave a zone, to provide monitoring and control over which data flows are permitted or denied between particular zones
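As an added example (not from the slides or from the ISA-99 reference architecture), here is the zone-and-conduit model above expressed as a Python check: assets are assigned to zones, conduits are the only permitted zone-to-zone flows, and a list of observed or proposed flows is evaluated against them. The zone names, IP addresses, assets, conduits and sample flows are constructed; 102/tcp is the ISO-TSAP port Step 7 uses to reach S7 PLCs and 1433/tcp is SQL Server.

```python
"""Zone-and-conduit check for control-system network flows.

Added example. Each flow is judged by the zones of its endpoints: intra-zone
traffic is left to the zone's own controls, inter-zone traffic must match an
explicitly defined conduit, and traffic involving an asset not in the
inventory is denied. The Safety zone is modeled as a subzone of Control with
its own boundary, so Control-to-Safety traffic also needs a conduit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    purpose: str


# Asset inventory: IP -> (name, zone). Addresses and names are constructed.
ASSETS = {
    "10.1.0.20": ("erp-app", "Enterprise"),
    "10.1.0.50": ("office-laptop", "Enterprise"),
    "10.2.0.10": ("dmz-historian", "DMZ"),
    "10.3.0.10": ("control-historian", "Control"),
    "10.3.0.20": ("eng-workstation", "Control"),
    "10.3.0.101": ("plc-s7-315", "Control"),
    "10.4.0.5": ("sis-controller", "Safety"),
}

# Conduits: the only permitted zone-to-zone flows. Note the historian
# replication is initiated from Control outward, never from the DMZ inward.
CONDUITS = [
    Conduit("Enterprise", "DMZ", "tcp", 443, "plant reports from DMZ historian"),
    Conduit("Control", "DMZ", "tcp", 1433, "historian replication, Control pushes out"),
    Conduit("Control", "Safety", "tcp", 102, "SIS engineering, under change control"),
]


def zone_of(ip):
    entry = ASSETS.get(ip)
    return entry[1] if entry else None


def evaluate(flow):
    """flow = (src_ip, dst_ip, proto, dport) -> (decision, reason)."""
    src_ip, dst_ip, proto, dport = flow
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint not in asset inventory"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}"
    for c in CONDUITS:
        if (c.src_zone, c.dst_zone, c.proto, c.dport) == (src, dst, proto, dport):
            return "allow", f"conduit {src}->{dst} {proto}/{dport}: {c.purpose}"
    return "deny", f"no conduit {src}->{dst} {proto}/{dport}"


def boundary_rules(zone):
    """Rules for the edge device of one zone, derived from the conduit list:
    permit exactly the conduits that enter or leave it, deny everything else."""
    rules = [f"permit {c.src_zone} -> {c.dst_zone} {c.proto}/{c.dport}  # {c.purpose}"
             for c in CONDUITS if zone in (c.src_zone, c.dst_zone)]
    rules.append(f"deny any -> {zone}")
    rules.append(f"deny {zone} -> any")
    return rules


# Constructed flows: a report download, historian replication, an engineer
# programming a PLC in its own zone, and four that should be refused.
SAMPLE_FLOWS = [
    ("10.1.0.20", "10.2.0.10", "tcp", 443),
    ("10.3.0.10", "10.2.0.10", "tcp", 1433),
    ("10.3.0.20", "10.3.0.101", "tcp", 102),
    ("10.1.0.50", "10.3.0.101", "tcp", 102),    # office laptop straight to a PLC
    ("10.2.0.10", "10.3.0.10", "tcp", 1433),    # DMZ initiating into Control
    ("10.3.0.20", "10.4.0.5", "tcp", 445),      # SMB into the safety subzone
    ("192.168.7.7", "10.3.0.101", "tcp", 102),  # device nobody inventoried
]


def audit(flows=SAMPLE_FLOWS):
    return [(flow, *evaluate(flow)) for flow in flows]


if __name__ == "__main__":
    for flow, decision, reason in audit():
        print(decision.upper(), flow, reason)
    print("\n".join(boundary_rules("Control")))
```

The conduit list is the single source of truth: the flow audit and the per-zone boundary rules are both derived from it, so a firewall rule that is not backed by a conduit cannot appear.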
SYSTEM ARCHITECTURE (diagram)
Source: ANSI/ISA 99.00.01-2007

PARTITIONING INTO ZONES (diagram)
Source: ANSI/ISA 99.00.01-2007

Reference Architecture (diagram)
Image courtesy of Byres Security

Honeywell Reference Architecture (diagram)
Image courtesy of Honeywell Process Control

Emerson Reference Architecture (diagram)
Image courtesy of Emerson Process Management

Siemens Reference Architecture (diagram)
Image courtesy of Siemens AG

DuPont Reference Architecture (diagram)
Image courtesy of DuPont

ACCESS CONTROL
  • Control and monitor access to control system resources
    Logical & physical
  • AAA
    Administration
    Authentication
    Authorization
  • Review
    Who has access?
    To what resources?
    With what privileges?
    How is it enforced?
  • Review zone-by-zone, asset-by-asset, role-by-role and person-by-person

SYSTEM HARDENING
  • Remove or disable unused communication ports
  • Remove unnecessary applications and services
  • Apply patches when and where possible
  • Consider 'whitelisting' tools
  • Use ISASecure™ certified products
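An added example of the access review the ACCESS CONTROL slide calls for, in Python (not exida's method): accounts are checked role by role and zone by zone against a least-privilege baseline, and a matrix answers who has which privilege where. Role names, privilege names, account names, the dormancy threshold and logon ages are constructed for the example.

```python
"""Least-privilege access review for control-system accounts.

Added example. Answers the slide's four questions (who, to what, with what
privileges, how enforced) from two constructed inputs: the privileges each
role needs per zone, and the grants actually configured per account.
"""

# Privileges each role needs in each zone. A grant outside this table is
# excess; a role with no entry for a zone should have nothing there at all.
ROLE_BASELINE = {
    ("Operator", "Control"): {"hmi.view", "hmi.operate"},
    ("Engineer", "Control"): {"hmi.view", "hmi.operate", "plc.read", "plc.write"},
    ("Engineer", "Safety"): {"plc.read"},
    ("Vendor", "Control"): {"plc.read"},
    ("ITAdmin", "DMZ"): {"os.admin"},
}

DORMANT_AFTER_DAYS = 90

# Constructed account inventory. "grants" are (zone, privilege) pairs as
# configured on the systems; "shared" marks generic logins used by a group.
ACCOUNTS = [
    {"user": "j.ops", "role": "Operator", "shared": False, "last_logon_days": 1,
     "grants": {("Control", "hmi.view"), ("Control", "hmi.operate")}},
    {"user": "operator", "role": "Operator", "shared": True, "last_logon_days": 0,
     "grants": {("Control", "hmi.view"), ("Control", "hmi.operate"),
                ("Control", "plc.write")}},
    {"user": "m.eng", "role": "Engineer", "shared": False, "last_logon_days": 3,
     "grants": {("Control", "plc.read"), ("Control", "plc.write"),
                ("Safety", "plc.write")}},
    {"user": "vendor-svc", "role": "Vendor", "shared": False, "last_logon_days": 200,
     "grants": {("Control", "plc.read"), ("DMZ", "os.admin")}},
]


def review_account(acct):
    findings = []
    for zone, priv in sorted(acct["grants"]):
        allowed = ROLE_BASELINE.get((acct["role"], zone))
        if allowed is None:
            findings.append(f"role {acct['role']} has no access baseline in zone {zone}: {priv}")
        elif priv not in allowed:
            findings.append(f"{priv} in {zone} exceeds the {acct['role']} baseline")
    if acct["shared"]:
        findings.append("shared account: actions cannot be attributed to a person")
    if acct["last_logon_days"] > DORMANT_AFTER_DAYS:
        findings.append(f"dormant for {acct['last_logon_days']} days")
    return findings


def review(accounts=ACCOUNTS):
    """user -> list of findings (empty list means the account passes)."""
    return {a["user"]: review_account(a) for a in accounts}


def access_matrix(accounts=ACCOUNTS):
    """zone -> privilege -> sorted users: the 'who has what, where' view."""
    matrix = {}
    for a in accounts:
        for zone, priv in a["grants"]:
            matrix.setdefault(zone, {}).setdefault(priv, set()).add(a["user"])
    return {z: {p: sorted(u) for p, u in privs.items()} for z, privs in matrix.items()}


if __name__ == "__main__":
    for user, findings in review().items():
        print(user, findings or "ok")
    print(access_matrix())
```

Running the review against the constructed inventory flags the generic "operator" login (shared, and granted PLC write it does not need), the engineer with write access in the safety zone, and a vendor service account that is both dormant and holds an administrative grant in a zone its role has no business in.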
SYSTEM MONITORING
  • Install vendor-recommended anti-virus and update signatures regularly
  • Review system logs periodically
  • Consider IDS or HIPS
  • Periodic assessments
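An added example covering the SYSTEM HARDENING and SYSTEM MONITORING slides together (not exida's tooling), in Python: listening services are compared with an approved baseline for the host, launched executables are checked against an allowlist keyed by path and SHA-256 (the 'whitelisting' the hardening slide mentions), and System-log lines are reviewed for service installs (Event ID 7045, the Service Control Manager's "service was installed" event) whose image is not allowlisted. Paths, hashes, service names, port baseline and log lines are all constructed for the example.

```python
"""Hardening and log-review checks for a control-system host.

Added example. Three checks a periodic review would run: unused listeners,
executions outside the application allowlist, and newly installed services
found in the System log. All inputs are constructed.
"""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Approved listeners for an engineering workstation; everything else is an
# unused service to disable or a port to block. Constructed baseline.
LISTEN_BASELINE = {
    ("tcp", 3389): "remote desktop, maintenance windows only",
    ("tcp", 445): "file sharing, project backup",
}

# Application allowlist: lower-case path -> SHA-256 of the approved image.
# Hashes are computed from constructed stand-in contents.
ALLOWLIST = {
    r"c:\program files\siemens\step7\s7bin\manager.exe": sha256(b"approved manager image"),
    r"c:\program files\siemens\step7\s7bin\s7svc.exe": sha256(b"approved service image"),
    r"c:\windows\system32\drivers\approved.sys": sha256(b"approved driver image"),
}

SERVICE_INSTALL_RE = re.compile(
    r"\b7045\b.*Service Name: (?P<name>\S+) Service File Name: (?P<image>.+)$")


def audit_listeners(observed):
    """observed: set of (proto, port) currently listening; returns those not in the baseline."""
    return sorted(p for p in observed if p not in LISTEN_BASELINE)


def check_executions(events):
    """events: process-start records with 'path' and 'sha256'. A known path with
    a changed image (tampering, as with the Step 7 DLL replacement) is reported
    separately from an image the allowlist has never seen."""
    findings = []
    for e in events:
        path = e["path"].lower()
        approved = ALLOWLIST.get(path)
        if approved is None:
            findings.append((path, "not on allowlist"))
        elif approved != e["sha256"]:
            findings.append((path, "hash differs from allowlisted image"))
    return findings


def review_service_installs(lines):
    """Event 7045 entries whose service image is not an allowlisted file."""
    findings = []
    for line in lines:
        m = SERVICE_INSTALL_RE.search(line)
        if m:
            image = m.group("image").strip().lower()
            if image not in ALLOWLIST:
                findings.append((m.group("name"), image))
    return findings


# Constructed observations from one workstation.
OBSERVED_LISTENERS = {("tcp", 3389), ("tcp", 445), ("tcp", 1433), ("tcp", 5800)}

EXEC_EVENTS = [
    {"path": r"C:\Program Files\Siemens\Step7\S7BIN\manager.exe",
     "sha256": sha256(b"approved manager image"), "user": "m.eng"},
    {"path": r"C:\Program Files\Siemens\Step7\S7BIN\manager.exe",
     "sha256": sha256(b"patched manager image"), "user": "m.eng"},
    {"path": r"E:\~tmp0001.tmp", "sha256": sha256(b"dropped dll"), "user": "m.eng"},
]

SYSTEM_LOG = [
    r"2010-10-08 09:12:33 7036 Service Control Manager: The Print Spooler service entered the running state.",
    r"2010-10-08 09:14:02 7045 Service Control Manager: A service was installed in the system. Service Name: NetFilterSvc Service File Name: C:\WINDOWS\system32\drivers\nfilt.sys",
    r"2010-10-08 09:15:10 7045 Service Control Manager: A service was installed in the system. Service Name: S7Comm Service File Name: C:\Program Files\Siemens\Step7\S7BIN\s7svc.exe",
]


def hardening_report():
    return {
        "unexpected_listeners": audit_listeners(OBSERVED_LISTENERS),
        "execution_findings": check_executions(EXEC_EVENTS),
        "service_installs": review_service_installs(SYSTEM_LOG),
    }


if __name__ == "__main__":
    for section, items in hardening_report().items():
        print(section, items)
```

The allowlist is keyed by path and hash together, so a modified binary at a trusted path is reported as tampering rather than hidden behind a trusted name, and the same allowlist serves the service-install review, which keeps the two checks from disagreeing about what is approved.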