SlideShare a Scribd company logo

Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx

Download as DOCX, PDF
R
rafbolet0

Spanish/1.jpg Spanish/2.jpg Spanish/3.jpg Spanish/4.jpg Spanish/5.jpg Spanish/6.jpg Spanish/7.jpg Focus MAY/JUNE 2011 1540-7993/11/$26.00 © 2011 IEEE COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES 49 Stuxnet: Dissecting a Cyberwarfare Weapon completely new approach that’s no longer aligned with conven- tional con!dentiality, integrity, and availability thinking. Con- trary to initial belief, Stuxnet wasn’t about industrial espionage: it didn’t steal, manipulate, or erase information. Rather, Stuxnet’s goal was to physically destroy a military target—not just meta- phorically, but literally. Let’s see how this was done. SCADA and Controllers 101 Much has been (and still is) writ- ten about Stuxnet being an at- tack on SCADA systems, but this simply isn’t true. In a nutshell, a SCADA system is a Windows ap- plication that allows human op- erators to monitor an industrial process and to store and analyze process values. True, a SCADA application played a small role in the Stuxnet attack, but mainly as a means of distribution. The real at- tack wasn’t against SCADA soft- ware—it was aimed at industrial controllers that might or might not be attached to a SCADA sys- tem. To get rid of another mis- conception, the attack wasn’t remotely controlled, either—it was completely stand-alone and didn’t require Internet access. The command-and-control servers that Stuxnet contacted appear to have been used primarily for evidence of compromise. We can think of a controller as a small, real-time computer system that manipulates electrical outputs based on the condition of electri- cal input signals and program log- ic. Devices such as pumps, valves, drives (motors), thermometers, and tachometers are electrically connected (hardwired) to a con- troller, either directly or by what’s called a !eldbus connection. While a computer program only oper- ates on information, a controller program—sometimes called ladder logic—operates on physics. This is an interesting and important point, especially for cybersecurity considerations: manipulations of a controller have less to do with the con!dentiality, integrity, and availability of information and more to do with the performance and output of a physical produc- tion process. In the worst case, controller manipulations could lead to physical damage. Stuxnet was the worst case, as it was care- fully designed by experts to do just that with the utmost determi- nation. RALPH LANGNER Langner CommunicationsL ast year marked a turning point in the history of cybersecurity—the arrival of the !rst cyber- warfare weapon ever, known as Stuxnet. Not only was Stuxnet much more complex than any other piece of malware seen before, it also followed a Distribution and Target Determination The attackers tried their best to limit Stuxnet’s spread. They didn’t choose conventional worm tech- nology but instead relied on lo- cal distribution, m.

Education
1 of 14
Spanish/1.jpg Spanish/2.jpg Spanish/3.jpg Spanish/4.jpg Spanish/5.jpg Spanish/6.jpg Spanish/7.jpg Focus MAY/JUNE 2011 1540-7993/11/$26.00 © 2011 IEEE COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES 49 Stuxnet: Dissecting a Cyberwarfare Weapon completely new approach that’s no longer aligned with conven- tional con!dentiality, integrity, and availability thinking. Con- trary to initial belief, Stuxnet wasn’t about industrial espionage: it didn’t steal, manipulate, or erase information. Rather, Stuxnet’s
goal was to physically destroy a military target—not just meta- phorically, but literally. Let’s see how this was done. SCADA and Controllers 101 Much has been (and still is) writ- ten about Stuxnet being an at- tack on SCADA systems, but this simply isn’t true. In a nutshell, a SCADA system is a Windows ap- plication that allows human op- erators to monitor an industrial process and to store and analyze process values. True, a SCADA application played a small role in the Stuxnet attack, but mainly as a means of distribution. The real at- tack wasn’t against SCADA soft- ware—it was aimed at industrial controllers that might or might not be attached to a SCADA sys- tem. To get rid of another mis- conception, the attack wasn’t remotely controlled, either—it was completely stand-alone and didn’t require Internet access. The command-and-control servers that Stuxnet contacted appear to have been used primarily for evidence of compromise. We can think of a controller as a small, real-time computer system
that manipulates electrical outputs based on the condition of electri- cal input signals and program log- ic. Devices such as pumps, valves, drives (motors), thermometers, and tachometers are electrically connected (hardwired) to a con- troller, either directly or by what’s called a !eldbus connection. While a computer program only oper- ates on information, a controller program—sometimes called ladder logic—operates on physics. This is an interesting and important point, especially for cybersecurity considerations: manipulations of a controller have less to do with the con!dentiality, integrity, and availability of information and more to do with the performance and output of a physical produc- tion process. In the worst case, controller manipulations could lead to physical damage. Stuxnet was the worst case, as it was care- fully designed by experts to do just that with the utmost determi- nation. RALPH LANGNER Langner CommunicationsL ast year marked a turning point in the history
of cybersecurity—the arrival of the !rst cyber- warfare weapon ever, known as Stuxnet. Not only was Stuxnet much more complex than any other piece of malware seen before, it also followed a Distribution and Target Determination The attackers tried their best to limit Stuxnet’s spread. They didn’t choose conventional worm tech- nology but instead relied on lo- cal distribution, mainly via USB sticks and local networks. While Stuxnet infected any Windows PC it could !nd, it was much pickier about controllers. It tar- geted only controllers from one speci!c manufacturer (Siemens); upon !nding them (attached to an infected Windows box via Ether- net, Pro!bus, or Siemens’ propri- etary communication link called MPI), it went through a complex process of !ngerprinting to make sure it was on target. This process included checking model num- bers, con!guration details, and even downloading program code from the controller to check if it was the “right” program. Stuxnet did all of this by exploiting the vendor’s driver DLL, which both the SCADA product and the pro-
gramming software use to talk to the controller. When it found a match, Stuxnet’s dropper loaded rogue code to the controller. Be- cause this is done only if an exact !ngerprint match is found, we haven’t seen controller infections anywhere but those con!rmed by Iran in its Natanz uranium en- richment plant. In contrast, the dropper itself spread to roughly 100,000 infections worldwide. It is even possible to infer by this fact that Natanz must have been Stuxnet’s one and only target, because this is the only installa- tion globally where controller in- Focus 50 IEEE SECURITY & PRIVACY MAY/JUNE 2011 fections have been reported. The rogue driver DLL contained three controller code sets: two destined for a Siemens 315 controller, and the third looking for a 417 con- troller. The !rst two were almost identical and will be treated as one digital warhead in the fol- lowing discussion. The 417 attack code was much more complex and four times the size of the 315 at-
tack code. For starters, the 417 is Siemens’ top-of-the-line control- ler product, whereas the 315 is a small, general- purpose controller. Controller Hijacking Once Stuxnet found a matching controller target, it loaded rogue code on the controller from one of its three code sets, along with any data blocks that the rogue code was working on. The rogue code was logically structured in a set of subfunctions; the attackers’ goal was to get any of these func- tions called. Stuxnet achieved this goal by injecting code into an executive loop. Both the 315 and the 417 attack codes used the main cycle for this purpose— the 315 also injected code into the 100-ms timer. (The 100-ms timer is like an interrupt handler that the operating system calls automatically every 100 millisec- onds.) We can think of a control- ler’s main cycle as the main() function in a C program, with the notable di"erence being that the operating system automati- cally executes the main cycle, hence the name. The code injections got Stux- net in business—it could then do its thing and prevent legitimate
controller code from doing any- thing useful. However, it didn’t. Stuxnet was a stealth control sys- tem that resided on the controller alongside legitimate code, which continued to be executed; Stux- net only occasionally took over. Both on the 315 and on the 417, the attacks were implemented as state machines that didn’t require any interaction with command- and-control servers. Instead, the attacks were triggered by com- plex timer and process condi- tions. In the initial state, attack code just stayed put and let the legitimate controller code do its thing, although it monitored it closely. When strike time came, rogue code took control with- out the legitimate controller code noticing. During the attack, the legitimate code was simply dis- abled. How this happened dif- fered considerably for the 315 and the 417 attacks. For the 315 attack, execution of legitimate code simply halted during the strike condition, which can take up to 50 minutes. This is the infamous DEADFOOT condition that I !rst discovered and published on 16 Septem-
ber 2010 (www.langner.com/ en/2010/09/16/stuxnet-logbook -sep-16-2010-1200-hours-mesz). DEADFOOT is an aviation ad- age; if an engine quits in a twin- engine airplane, the pilot can determine which one died by us- ing the concept “dead foot = dead engine.” Determining the dead engine in propeller-driven aircraft isn’t easy because the propeller keeps spinning; the only option is to cut fuel to the dead engine and feather the propeller. In an engine-out situation, more than one pilot has turned o" the good engine and ended up crashing. The 417 attack code followed a di"erent concept. At strike time, legitimate controller code kept running, but it was isolated from real I/O. The 417 attack imple- mented a man-in-the-middle at- tack on the controller, intercepting the interaction between the legiti- mate control program and physical I/O. In a modern controller, con- trol logic operates on a “process image” of physical I/O. This is similar to a computer application that does not directly access any physical interface registers of an I/O chip (such as Ethernet, USB, or serial), but would use data from
the driver’s bu"er. The 417 attack code exploited this, intercepting physical I/O and providing the legitimate program code with a fake process image. In computer terms, it acted like a fake driver. But it gets even weirder: the fake data that the 417 attack code fed to the legitimate controller pro- gram was recorded from real, un- suspicious inputs. It’s just like in a Hollywood movie, where the bad guys feed observation cameras with unsuspicious prerecorded in- put. In the same manner, Stuxnet replayed prerecorded input to the legitimate code during the attack. Threat Outlook and Mitigation Opportunities Many people who followed the IT press closely in December were under the impression that with Microsoft’s last Stuxnet-related se- curity patch, the threat was gone. Unfortunately, this is a severe misconception. The Microsoft patches only a"ect the dropper part of Stuxnet; the digital war- heads are a completely di"erent story. The vulnerabilities that they exploit can’t be patched because they aren’t software or !rmware It’s just like in a Hollywood movie, where the bad guys feed
observation cameras with unsuspicious prerecorded input. In the same manner, Stuxnet replayed prerecorded input to the legitimate code during the attack. Focus www.computer.org/security 51 defects, but legitimate product features. In other words, these vulnerabilities are here to stay un- til the vendor comes out with a new product generation and asset owners replace the installed base with such new products before the scheduled end of lifetime, a sce- nario that will take many, many years. Within this timeframe, at- tackers can use the same digital warheads again, given they use a new dropper, and new droppers are comparatively easy to obtain. The digital warheads as such can’t be disarmed if they make it on controllers. Industrial control- lers don’t have antivirus software, and the controller exploits that Stuxnet uses can’t be “patched.” They’re fully functional as long as the present product generation is in use, which could be another
20 years. Although many argue that Stuxnet makes a point for bet- ter defense in depth, this is actu- ally a bit misleading. True, defense in depth never hurts, but it’s no recipe for a world that’s immune against Stuxnet-inspired mal- ware. The major vulnerability that Stuxnet exploits is that present controllers don’t allow for digital code signing. A controller treats code—as long as it’s syntactically correct—as legitimate, no matter where it came from. A digital sig- nature would enable the controller to make sure that the code loaded originated from a legitimate en- gineering station. Because this check needs only to be done once after load time, it isn’t time critical (runtime is real time on a control- ler, prohibiting compute-intense calculations). The next best solution to verify code and con!guration integrity is to monitor controllers for any change. For the products attacked by Stuxnet, this can be done eas- ily via the network. The essential requirement here is not to use the vendor’s driver DLL, which might be compromised. If the monitor-
ing solution uses an independent driver, it can check for changes reliably by !ngerprinting the con- trollers’ con!guration in a way similar to Stuxnet. Once a change is detected, the operator or main- tenance engineer can then deter- mine if the change is legitimate. This way, even changes can be detected that originate from au- thorized engineering stations but occurred accidentally or weren’t reported, which is a frequent prob- lem with contractors in real pro- duction environments. Ralph Langner is the founder and CEO of Langner Communications, a German software and consulting company that focuses on control system security. He has more than 20 years’ experience with computing and control systems and be- came recognized worldwide as the !rst researcher who determined that Stux- net was a directed cyberwarfare attack against the Iranian nuclear program. Contact him at [email protected] Selected CS articles and columns are also available for free at http://ComputingNow.computer.org. KEEP YOUR COPY OF IEEE SOFTWARE
FOR YOURSELF! Give subscriptions to your colleagues or as graduation or promotion gifts— way better than a tie! IEEE Software is the authority on translating software theory into practice. www.computer.org/ software/SUBSCRIBE : < ) : * 9 0) , �; 6 + ( @
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx

Recommended

FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docxFocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docxbudbarber38650
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
SCADA White Paper March2012
SCADA White Paper March2012SCADA White Paper March2012
SCADA White Paper March2012James Collinge, CISSP
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Tiffany Sandoval
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Cisco Canada
 
Module 7 (sniffers)
Module 7 (sniffers)Module 7 (sniffers)
Module 7 (sniffers)Wail Hassan
 
The new era of mega trends securtity
The new era of mega trends securtityThe new era of mega trends securtity
The new era of mega trends securtityAhmed Sallam
 

Recommended

FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docxFocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docx
FocusMAYJUNE 2011 1540-799311$26.00 © 2011 IEEE COPUBLI.docxbudbarber38650
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
SCADA White Paper March2012
SCADA White Paper March2012SCADA White Paper March2012
SCADA White Paper March2012James Collinge, CISSP
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Tiffany Sandoval
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Cisco Canada
 
Module 7 (sniffers)
Module 7 (sniffers)Module 7 (sniffers)
Module 7 (sniffers)Wail Hassan
 
The new era of mega trends securtity
The new era of mega trends securtityThe new era of mega trends securtity
The new era of mega trends securtityAhmed Sallam
 
Cyber security
Cyber securityCyber security
Cyber securityAman Pradhan
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfosec Europe
 
Malware Freak Show
Malware Freak ShowMalware Freak Show
Malware Freak Shown|u - The Open Security Community
 
Malware freak show
Malware freak showMalware freak show
Malware freak showsr1nu
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the futureHardeep Bhurji
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
Hacking
Hacking Hacking
Hacking SahilGothoskar
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244Tom King
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection systemMaulana Arif
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection systemDuwinowo NT
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkitsUltraUploader
 
OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-ArticleCondition Zebra (CONZebra)
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot EssentialsAnton Chuvakin
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Networks
 
APT - Project
APT - Project APT - Project
APT - Project Dev Lavaniya
 
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet CaseMag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet CaseNeelabh Rai
 
Summarize the key ideas of each of these texts and explain how they .docx
Summarize the key ideas of each of these texts and explain how they .docxSummarize the key ideas of each of these texts and explain how they .docx
Summarize the key ideas of each of these texts and explain how they .docxrafbolet0
 
Submit, individually, different kinds of data breaches, the threats .docx
Submit, individually, different kinds of data breaches, the threats .docxSubmit, individually, different kinds of data breaches, the threats .docx
Submit, individually, different kinds of data breaches, the threats .docxrafbolet0
 

More Related Content

Similar to Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx

Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfosec Europe
 
Malware freak show
Malware freak showMalware freak show
Malware freak showsr1nu
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the futureHardeep Bhurji
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244Tom King
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection systemMaulana Arif
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection systemDuwinowo NT
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkitsUltraUploader
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCloudIDSummit
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Networks
 
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet CaseMag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet CaseNeelabh Rai
 

Similar to Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx (20)

Cyber security
Cyber securityCyber security
Cyber security
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Infrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLCInfrastructure Attacks - The Next generation, ESET LLC
Infrastructure Attacks - The Next generation, ESET LLC
 
Malware Freak Show
Malware Freak ShowMalware Freak Show
Malware Freak Show
 
Malware freak show
Malware freak showMalware freak show
Malware freak show
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the future
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
 
Hacking
Hacking Hacking
Hacking
 
packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244packet-sniffing-switched-environment-244
packet-sniffing-switched-environment-244
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
 
OS-Anatomy-Article
OS-Anatomy-ArticleOS-Anatomy-Article
OS-Anatomy-Article
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes TschofenigCIS 2015 How to secure the Internet of Things? Hannes Tschofenig
CIS 2015 How to secure the Internet of Things? Hannes Tschofenig
 
Honeypot Essentials
Honeypot EssentialsHoneypot Essentials
Honeypot Essentials
 
Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
 
APT - Project
APT - Project APT - Project
APT - Project
 
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet CaseMag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
Mag-Securs No.29, 2011 - Validy: Learning from the Stuxnet Case
 

More from rafbolet0

Summarize the key ideas of each of these texts and explain how they .docx
Summarize the key ideas of each of these texts and explain how they .docxSummarize the key ideas of each of these texts and explain how they .docx
Summarize the key ideas of each of these texts and explain how they .docxrafbolet0
 
Submit, individually, different kinds of data breaches, the threats .docx
Submit, individually, different kinds of data breaches, the threats .docxSubmit, individually, different kinds of data breaches, the threats .docx
Submit, individually, different kinds of data breaches, the threats .docxrafbolet0
 
Submit your personal crimes analysis using Microsoft® PowerPoi.docx
Submit your personal crimes analysis using Microsoft® PowerPoi.docxSubmit your personal crimes analysis using Microsoft® PowerPoi.docx
Submit your personal crimes analysis using Microsoft® PowerPoi.docxrafbolet0
 
Submit two pages (double spaced, 12 point font) describing a musical.docx
Submit two pages (double spaced, 12 point font) describing a musical.docxSubmit two pages (double spaced, 12 point font) describing a musical.docx
Submit two pages (double spaced, 12 point font) describing a musical.docxrafbolet0
 
Submit the rough draft of your geology project. Included in your rou.docx
Submit the rough draft of your geology project. Included in your rou.docxSubmit the rough draft of your geology project. Included in your rou.docx
Submit the rough draft of your geology project. Included in your rou.docxrafbolet0
 
Submit your paper of Sections III and IV of the final project. Spe.docx
Submit your paper of Sections III and IV of the final project. Spe.docxSubmit your paper of Sections III and IV of the final project. Spe.docx
Submit your paper of Sections III and IV of the final project. Spe.docxrafbolet0
 
Submit the finished product for your Geology Project. Please include.docx
Submit the finished product for your Geology Project. Please include.docxSubmit the finished product for your Geology Project. Please include.docx
Submit the finished product for your Geology Project. Please include.docxrafbolet0
 
Submit the Background Information portion of the final project, desc.docx
Submit the Background Information portion of the final project, desc.docxSubmit the Background Information portion of the final project, desc.docx
Submit the Background Information portion of the final project, desc.docxrafbolet0
 
Submit Files - Assignment 1 Role of Manager and Impact of Organizati.docx
Submit Files - Assignment 1 Role of Manager and Impact of Organizati.docxSubmit Files - Assignment 1 Role of Manager and Impact of Organizati.docx
Submit Files - Assignment 1 Role of Manager and Impact of Organizati.docxrafbolet0
 
SSChaSimple RegressionSimple Regressionpter C.docx
SSChaSimple RegressionSimple Regressionpter C.docxSSChaSimple RegressionSimple Regressionpter C.docx
SSChaSimple RegressionSimple Regressionpter C.docxrafbolet0
 
SRF Journal EntriesreferenceAccount TitlesDebitsCredits3-CType jou.docx
SRF Journal EntriesreferenceAccount TitlesDebitsCredits3-CType jou.docxSRF Journal EntriesreferenceAccount TitlesDebitsCredits3-CType jou.docx
SRF Journal EntriesreferenceAccount TitlesDebitsCredits3-CType jou.docxrafbolet0
 
srcCommissionCalculation.javasrcCommissionCalculation.javaimpo.docx
srcCommissionCalculation.javasrcCommissionCalculation.javaimpo.docxsrcCommissionCalculation.javasrcCommissionCalculation.javaimpo.docx
srcCommissionCalculation.javasrcCommissionCalculation.javaimpo.docxrafbolet0
 
SPSS Assignment Data.savWeek 6, Using Marketing Channel.docx
SPSS Assignment Data.savWeek 6, Using Marketing Channel.docxSPSS Assignment Data.savWeek 6, Using Marketing Channel.docx
SPSS Assignment Data.savWeek 6, Using Marketing Channel.docxrafbolet0
 
SQLServerFilesCars.mdf__MACOSXSQLServerFiles._Cars.mdf.docx
SQLServerFilesCars.mdf__MACOSXSQLServerFiles._Cars.mdf.docxSQLServerFilesCars.mdf__MACOSXSQLServerFiles._Cars.mdf.docx
SQLServerFilesCars.mdf__MACOSXSQLServerFiles._Cars.mdf.docxrafbolet0
 
Square, Inc. is a financial services, merchant services aggregat.docx
Square, Inc. is a financial services, merchant services aggregat.docxSquare, Inc. is a financial services, merchant services aggregat.docx
Square, Inc. is a financial services, merchant services aggregat.docxrafbolet0
 
SQL SQL 2) Add 25 CUSTOMERSs so that you now have 50 total..docx
SQL SQL 2) Add 25 CUSTOMERSs so that you now have 50 total..docxSQL SQL 2) Add 25 CUSTOMERSs so that you now have 50 total..docx
SQL SQL 2) Add 25 CUSTOMERSs so that you now have 50 total..docxrafbolet0
 
SPSS InputStephanie Crookston, Dominique.docx
SPSS InputStephanie Crookston, Dominique.docxSPSS InputStephanie Crookston, Dominique.docx
SPSS InputStephanie Crookston, Dominique.docxrafbolet0
 
Spring  2015  –  MAT  137  –Luedeker       Na.docx
Spring  2015  –  MAT  137  –Luedeker       Na.docxSpring  2015  –  MAT  137  –Luedeker       Na.docx
Spring  2015  –  MAT  137  –Luedeker       Na.docxrafbolet0
 
Springdale Shopping SurveyThe major shopping areas in the com.docx
Springdale Shopping SurveyThe major shopping areas in the com.docxSpringdale Shopping SurveyThe major shopping areas in the com.docx
Springdale Shopping SurveyThe major shopping areas in the com.docxrafbolet0
 
Springfield assignment InstructionFrom the given information, yo.docx
Springfield assignment InstructionFrom the given information, yo.docxSpringfield assignment InstructionFrom the given information, yo.docx
Springfield assignment InstructionFrom the given information, yo.docxrafbolet0
 

More from rafbolet0 (20)

Summarize the key ideas of each of these texts and explain how they .docx
Summarize the key ideas of each of these texts and explain how they .docxSummarize the key ideas of each of these texts and explain how they .docx
Summarize the key ideas of each of these texts and explain how they .docx
 
Submit, individually, different kinds of data breaches, the threats .docx
Submit, individually, different kinds of data breaches, the threats .docxSubmit, individually, different kinds of data breaches, the threats .docx
Submit, individually, different kinds of data breaches, the threats .docx
 
Submit your personal crimes analysis using Microsoft® PowerPoi.docx
Submit your personal crimes analysis using Microsoft® PowerPoi.docxSubmit your personal crimes analysis using Microsoft® PowerPoi.docx
Submit your personal crimes analysis using Microsoft® PowerPoi.docx
 
Submit two pages (double spaced, 12 point font) describing a musical.docx
Submit two pages (double spaced, 12 point font) describing a musical.docxSubmit two pages (double spaced, 12 point font) describing a musical.docx
Submit two pages (double spaced, 12 point font) describing a musical.docx
 
Submit the rough draft of your geology project. Included in your rou.docx
Submit the rough draft of your geology project. Included in your rou.docxSubmit the rough draft of your geology project. Included in your rou.docx
Submit the rough draft of your geology project. Included in your rou.docx
 
Submit your paper of Sections III and IV of the final project. Spe.docx
Submit your paper of Sections III and IV of the final project. Spe.docxSubmit your paper of Sections III and IV of the final project. Spe.docx
Submit your paper of Sections III and IV of the final project. Spe.docx
 
Submit the finished product for your Geology Project. Please include.docx
Submit the finished product for your Geology Project. Please include.docxSubmit the finished product for your Geology Project. Please include.docx
Submit the finished product for your Geology Project. Please include.docx
 
Submit the Background Information portion of the final project, desc.docx
Submit the Background Information portion of the final project, desc.docxSubmit the Background Information portion of the final project, desc.docx
Submit the Background Information portion of the final project, desc.docx
 
Submit Files - Assignment 1 Role of Manager and Impact of Organizati.docx
Submit Files - Assignment 1 Role of Manager and Impact of Organizati.docxSubmit Files - Assignment 1 Role of Manager and Impact of Organizati.docx
Submit Files - Assignment 1 Role of Manager and Impact of Organizati.docx
 
SSChaSimple RegressionSimple Regressionpter C.docx
SSChaSimple RegressionSimple Regressionpter C.docxSSChaSimple RegressionSimple Regressionpter C.docx
SSChaSimple RegressionSimple Regressionpter C.docx
 
SRF Journal EntriesreferenceAccount TitlesDebitsCredits3-CType jou.docx
SRF Journal EntriesreferenceAccount TitlesDebitsCredits3-CType jou.docxSRF Journal EntriesreferenceAccount TitlesDebitsCredits3-CType jou.docx
SRF Journal EntriesreferenceAccount TitlesDebitsCredits3-CType jou.docx
 
srcCommissionCalculation.javasrcCommissionCalculation.javaimpo.docx
srcCommissionCalculation.javasrcCommissionCalculation.javaimpo.docxsrcCommissionCalculation.javasrcCommissionCalculation.javaimpo.docx
srcCommissionCalculation.javasrcCommissionCalculation.javaimpo.docx
 
SPSS Assignment Data.savWeek 6, Using Marketing Channel.docx
SPSS Assignment Data.savWeek 6, Using Marketing Channel.docxSPSS Assignment Data.savWeek 6, Using Marketing Channel.docx
SPSS Assignment Data.savWeek 6, Using Marketing Channel.docx
 
SQLServerFilesCars.mdf__MACOSXSQLServerFiles._Cars.mdf.docx
SQLServerFilesCars.mdf__MACOSXSQLServerFiles._Cars.mdf.docxSQLServerFilesCars.mdf__MACOSXSQLServerFiles._Cars.mdf.docx
SQLServerFilesCars.mdf__MACOSXSQLServerFiles._Cars.mdf.docx
 
Square, Inc. is a financial services, merchant services aggregat.docx
Square, Inc. is a financial services, merchant services aggregat.docxSquare, Inc. is a financial services, merchant services aggregat.docx
Square, Inc. is a financial services, merchant services aggregat.docx
 
SQL SQL 2) Add 25 CUSTOMERSs so that you now have 50 total..docx
SQL SQL 2) Add 25 CUSTOMERSs so that you now have 50 total..docxSQL SQL 2) Add 25 CUSTOMERSs so that you now have 50 total..docx
SQL SQL 2) Add 25 CUSTOMERSs so that you now have 50 total..docx
 
SPSS InputStephanie Crookston, Dominique.docx
SPSS InputStephanie Crookston, Dominique.docxSPSS InputStephanie Crookston, Dominique.docx
SPSS InputStephanie Crookston, Dominique.docx
 
Spring  2015  –  MAT  137  –Luedeker       Na.docx
Spring  2015  –  MAT  137  –Luedeker       Na.docxSpring  2015  –  MAT  137  –Luedeker       Na.docx
Spring  2015  –  MAT  137  –Luedeker       Na.docx
 
Springdale Shopping SurveyThe major shopping areas in the com.docx
Springdale Shopping SurveyThe major shopping areas in the com.docxSpringdale Shopping SurveyThe major shopping areas in the com.docx
Springdale Shopping SurveyThe major shopping areas in the com.docx
 
Springfield assignment InstructionFrom the given information, yo.docx
Springfield assignment InstructionFrom the given information, yo.docxSpringfield assignment InstructionFrom the given information, yo.docx
Springfield assignment InstructionFrom the given information, yo.docx
 

Recently uploaded

Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 

Recently uploaded (20)

Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 

Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx

  • 1. Spanish/1.jpg Spanish/2.jpg Spanish/3.jpg Spanish/4.jpg Spanish/5.jpg Spanish/6.jpg Spanish/7.jpg Focus MAY/JUNE 2011 1540-7993/11/$26.00 © 2011 IEEE COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES 49 Stuxnet: Dissecting a Cyberwarfare Weapon completely new approach that’s no longer aligned with conven- tional con!dentiality, integrity, and availability thinking. Con- trary to initial belief, Stuxnet wasn’t about industrial espionage: it didn’t steal, manipulate, or erase information. Rather, Stuxnet’s
  • 2. goal was to physically destroy a military target—not just meta- phorically, but literally. Let’s see how this was done. SCADA and Controllers 101 Much has been (and still is) writ- ten about Stuxnet being an at- tack on SCADA systems, but this simply isn’t true. In a nutshell, a SCADA system is a Windows ap- plication that allows human op- erators to monitor an industrial process and to store and analyze process values. True, a SCADA application played a small role in the Stuxnet attack, but mainly as a means of distribution. The real at- tack wasn’t against SCADA soft- ware—it was aimed at industrial controllers that might or might not be attached to a SCADA sys- tem. To get rid of another mis- conception, the attack wasn’t remotely controlled, either—it was completely stand-alone and didn’t require Internet access. The command-and-control servers that Stuxnet contacted appear to have been used primarily for evidence of compromise. We can think of a controller as a small, real-time computer system
  • 3. that manipulates electrical outputs based on the condition of electri- cal input signals and program log- ic. Devices such as pumps, valves, drives (motors), thermometers, and tachometers are electrically connected (hardwired) to a con- troller, either directly or by what’s called a !eldbus connection. While a computer program only oper- ates on information, a controller program—sometimes called ladder logic—operates on physics. This is an interesting and important point, especially for cybersecurity considerations: manipulations of a controller have less to do with the con!dentiality, integrity, and availability of information and more to do with the performance and output of a physical produc- tion process. In the worst case, controller manipulations could lead to physical damage. Stuxnet was the worst case, as it was care- fully designed by experts to do just that with the utmost determi- nation. RALPH LANGNER Langner CommunicationsL ast year marked a turning point in the history
  • 4. of cybersecurity—the arrival of the !rst cyber- warfare weapon ever, known as Stuxnet. Not only was Stuxnet much more complex than any other piece of malware seen before, it also followed a Distribution and Target Determination The attackers tried their best to limit Stuxnet’s spread. They didn’t choose conventional worm tech- nology but instead relied on lo- cal distribution, mainly via USB sticks and local networks. While Stuxnet infected any Windows PC it could !nd, it was much pickier about controllers. It tar- geted only controllers from one speci!c manufacturer (Siemens); upon !nding them (attached to an infected Windows box via Ether- net, Pro!bus, or Siemens’ propri- etary communication link called MPI), it went through a complex process of !ngerprinting to make sure it was on target. This process included checking model num- bers, con!guration details, and even downloading program code from the controller to check if it was the “right” program. Stuxnet did all of this by exploiting the vendor’s driver DLL, which both the SCADA product and the pro-
  • 5. gramming software use to talk to the controller. When it found a match, Stuxnet’s dropper loaded rogue code to the controller. Be- cause this is done only if an exact !ngerprint match is found, we haven’t seen controller infections anywhere but those con!rmed by Iran in its Natanz uranium en- richment plant. In contrast, the dropper itself spread to roughly 100,000 infections worldwide. It is even possible to infer by this fact that Natanz must have been Stuxnet’s one and only target, because this is the only installa- tion globally where controller in- Focus 50 IEEE SECURITY & PRIVACY MAY/JUNE 2011 fections have been reported. The rogue driver DLL contained three controller code sets: two destined for a Siemens 315 controller, and the third looking for a 417 con- troller. The !rst two were almost identical and will be treated as one digital warhead in the fol- lowing discussion. The 417 attack code was much more complex and four times the size of the 315 at-
  • 6. tack code. For starters, the 417 is Siemens’ top-of-the-line control- ler product, whereas the 315 is a small, general- purpose controller. Controller Hijacking Once Stuxnet found a matching controller target, it loaded rogue code on the controller from one of its three code sets, along with any data blocks that the rogue code was working on. The rogue code was logically structured in a set of subfunctions; the attackers’ goal was to get any of these func- tions called. Stuxnet achieved this goal by injecting code into an executive loop. Both the 315 and the 417 attack codes used the main cycle for this purpose— the 315 also injected code into the 100-ms timer. (The 100-ms timer is like an interrupt handler that the operating system calls automatically every 100 millisec- onds.) We can think of a control- ler’s main cycle as the main() function in a C program, with the notable di"erence being that the operating system automati- cally executes the main cycle, hence the name. The code injections got Stux- net in business—it could then do its thing and prevent legitimate
  • 7. controller code from doing any- thing useful. However, it didn’t. Stuxnet was a stealth control sys- tem that resided on the controller alongside legitimate code, which continued to be executed; Stux- net only occasionally took over. Both on the 315 and on the 417, the attacks were implemented as state machines that didn’t require any interaction with command- and-control servers. Instead, the attacks were triggered by com- plex timer and process condi- tions. In the initial state, attack code just stayed put and let the legitimate controller code do its thing, although it monitored it closely. When strike time came, rogue code took control with- out the legitimate controller code noticing. During the attack, the legitimate code was simply dis- abled. How this happened dif- fered considerably for the 315 and the 417 attacks. For the 315 attack, execution of legitimate code simply halted during the strike condition, which can take up to 50 minutes. This is the infamous DEADFOOT condition that I !rst discovered and published on 16 Septem-
  • 8. ber 2010 (www.langner.com/ en/2010/09/16/stuxnet-logbook -sep-16-2010-1200-hours-mesz). DEADFOOT is an aviation ad- age; if an engine quits in a twin- engine airplane, the pilot can determine which one died by us- ing the concept “dead foot = dead engine.” Determining the dead engine in propeller-driven aircraft isn’t easy because the propeller keeps spinning; the only option is to cut fuel to the dead engine and feather the propeller. In an engine-out situation, more than one pilot has turned o" the good engine and ended up crashing. The 417 attack code followed a di"erent concept. At strike time, legitimate controller code kept running, but it was isolated from real I/O. The 417 attack imple- mented a man-in-the-middle at- tack on the controller, intercepting the interaction between the legiti- mate control program and physical I/O. In a modern controller, con- trol logic operates on a “process image” of physical I/O. This is similar to a computer application that does not directly access any physical interface registers of an I/O chip (such as Ethernet, USB, or serial), but would use data from
  • 9. the driver’s bu"er. The 417 attack code exploited this, intercepting physical I/O and providing the legitimate program code with a fake process image. In computer terms, it acted like a fake driver. But it gets even weirder: the fake data that the 417 attack code fed to the legitimate controller pro- gram was recorded from real, un- suspicious inputs. It’s just like in a Hollywood movie, where the bad guys feed observation cameras with unsuspicious prerecorded in- put. In the same manner, Stuxnet replayed prerecorded input to the legitimate code during the attack. Threat Outlook and Mitigation Opportunities Many people who followed the IT press closely in December were under the impression that with Microsoft’s last Stuxnet-related se- curity patch, the threat was gone. Unfortunately, this is a severe misconception. The Microsoft patches only a"ect the dropper part of Stuxnet; the digital war- heads are a completely di"erent story. The vulnerabilities that they exploit can’t be patched because they aren’t software or !rmware It’s just like in a Hollywood movie, where the bad guys feed
  • 10. observation cameras with unsuspicious prerecorded input. In the same manner, Stuxnet replayed prerecorded input to the legitimate code during the attack. Focus www.computer.org/security 51 defects, but legitimate product features. In other words, these vulnerabilities are here to stay un- til the vendor comes out with a new product generation and asset owners replace the installed base with such new products before the scheduled end of lifetime, a sce- nario that will take many, many years. Within this timeframe, at- tackers can use the same digital warheads again, given they use a new dropper, and new droppers are comparatively easy to obtain. The digital warheads as such can’t be disarmed if they make it on controllers. Industrial control- lers don’t have antivirus software, and the controller exploits that Stuxnet uses can’t be “patched.” They’re fully functional as long as the present product generation is in use, which could be another
  • 11. 20 years. Although many argue that Stuxnet makes a point for bet- ter defense in depth, this is actu- ally a bit misleading. True, defense in depth never hurts, but it’s no recipe for a world that’s immune against Stuxnet-inspired mal- ware. The major vulnerability that Stuxnet exploits is that present controllers don’t allow for digital code signing. A controller treats code—as long as it’s syntactically correct—as legitimate, no matter where it came from. A digital sig- nature would enable the controller to make sure that the code loaded originated from a legitimate en- gineering station. Because this check needs only to be done once after load time, it isn’t time critical (runtime is real time on a control- ler, prohibiting compute-intense calculations). The next best solution to verify code and con!guration integrity is to monitor controllers for any change. For the products attacked by Stuxnet, this can be done eas- ily via the network. The essential requirement here is not to use the vendor’s driver DLL, which might be compromised. If the monitor-
  • 12. ing solution uses an independent driver, it can check for changes reliably by !ngerprinting the con- trollers’ con!guration in a way similar to Stuxnet. Once a change is detected, the operator or main- tenance engineer can then deter- mine if the change is legitimate. This way, even changes can be detected that originate from au- thorized engineering stations but occurred accidentally or weren’t reported, which is a frequent prob- lem with contractors in real pro- duction environments. Ralph Langner is the founder and CEO of Langner Communications, a German software and consulting company that focuses on control system security. He has more than 20 years’ experience with computing and control systems and be- came recognized worldwide as the !rst researcher who determined that Stux- net was a directed cyberwarfare attack against the Iranian nuclear program. Contact him at [email protected] Selected CS articles and columns are also available for free at http://ComputingNow.computer.org. KEEP YOUR COPY OF IEEE SOFTWARE
  • 13. FOR YOURSELF! Give subscriptions to your colleagues or as graduation or promotion gifts— way better than a tie! IEEE Software is the authority on translating software theory into practice. www.computer.org/ software/SUBSCRIBE : < ) : * 9 0) , �; 6 + ( @