SlideShare a Scribd company logo

Mission Critical Security in a Post-Stuxnet World Part 1

Byres Security Inc.
Byres Security Inc.

This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security. The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.

TechnologyBusiness
1 of 39
Download to read offline
What Does Stuxnet Mean for Industrial Control Systems? The Future of Critical Infrastructure Security Eric Byres, P.Eng. CTO, CTO Byres Security Inc Inc.
Some Acknowledgements Acknowledgements… • Presentation is based on a white paper co-authored by • Eric Byres Tofino Security • Andrew Ginter Waterfall Technologies • Joel Langill SCADAhacker.com Downloadable from http://www.tofinosecurity.com/how-stuxnet-spreads
What is Stuxnet?
The Stuxnet Worm • July, 2010: Stuxnet worm was discovered attacking Siemens PCS7 S7 PLC and WIN-CC systems PCS7, around the world • Infected 100,000 computers • Infected at least 22 manufacturing sites • Appears t have i A to h impactedt d its possible target, Iran’s nuclear enrichment program
Great - We Weren t the Target Weren’t Target… • Stuxnet infected a large US manufacturing plant • Started with two USB keys • Spread over the network to 100 WinCC HMIs communicating with about 60 OPs and about 45 S7 PLCs • Virus would modify project communication configuration for Vi ld dif j t i ti fi ti f the PLC's Ethernet ports • Impact: • Major resource drain to disinfect project files • Plant continued to experience symptoms on PLCs one month later
How Stuxnet Spreads
Isn t Isn’t a Nuclear Materials System Air Gapped? Air-Gapped? • How could Stuxnet migrate from the Internet to an isolated industrial control system? • Could the next worm do the same to a different victim?
A Trivial Scenario • Scenario: 1. 1 Joe finds a USB flash drive in the parking lot and brings it into the control room 2. Joe plugs it into the PLC programming station 3. 3 PLC programming station i f t PLC i t ti infects PLCs • Solution: 1. Ban all USB flash drives in the control room NOT Realistic!
Gap Analysis Methodology • Goal: Understanding the routes that a directed worm takes as it targets an ICS • Premise: Start with an industrial site that exactly follows the security best practices defined in vendor documents • Model: Map ways that Stuxnet could make its way through the defenses to cause physical damage
Core SIMATIC PCS 7 Control System Components Engineering System (ES) Client Operator System (OS) Client Automation System (AS) S7 PLC
PCS 7 High Security Architecture Enterprise Control Network Perimeter Manufacturing Control Operations Network Network Control C t l System Network WinCC Process PCS7 Control Historian Remote Access Network General Purpose
PCS 7 High Security Architecture Identical Firewalls Here No Firewall Between CSN and PCN WinCC PCS7 Historian Remote Access General Purpose
Stuxnet Phases Penetration Infection Propagation Detection Avoidance Target Identification Target Modification Process Impact
Penetration (aka Handoff to Target Organization) • Stuxnet handoffs were highly focused • June 2009 to May 2010 10 infiltration events • Handoffs were made to at least five separate target organizations Sample Graph of Infected Hosts Domain E / Infection initiation 2010/05/11 Courtesy of Symantec Inc
Penetration Possibilities • Employee given infected USB flash drive • Employee given Emplo ee gi en infected project files from contractor • Employee is transmitted email with “dropper” • Employees laptop infected offsite …. • Many possibilities for attackers yp DEMO
Core Propagation Methods • Via Infected Removable Drives • USB flash drives • Portable hard disks • Via Local Area Networks • Administrative and IPC Shares • Shared network drives • Print spooler services • SQL Connections • Via infected Siemens project files • WinCC files • STEP 7 files A very simplified view …
Penetrating Perimeter Network Firewalls • Many paths through firewalls: • Network printer and file shares • System Admin via VPN • WinCC SQL Server database • RPC sessions between PCS 7 systems
Stuxnet Had Many Paths to its Victim PLCs
Red R d highlights more direct paths which bypass existing Green security highlights controls infection path described in paper
Some Lessons Learned • A modern ICS or SCADA system is highly complex and interconnected • Multiple potential pathways exist from the outside world to the process controllers • Assuming an air-gap between ICS and corporate networks is unrealistic • Focusing security efforts on a few obvious pathways F i it ff t f b i th (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense
The Death of “Security by Obscurity”
A Typical Month for SCADA Vulnerabilities • March 15 Moscow-based Gleg Ltd. released their Agora SCADA+ exploit pack for Canvas which Canvas, included 11 0-days (now at 54 exploits) • On March 21, a security researcher from Italy “publically disclosed” 34 vulnerabilities on 4 different ICS platforms • On March 22 23 vulnerabilities 22-23, were disclosed for 2 additional ICS platforms
The Life Cycle of a ICS Exploit • ICS platforms are becoming an obvious target for attacks • “Security Researchers” focusing on SCADA/ICS because it is easy money/fame (little malicious intent) • Actors with intent have access to the weapons: • Download exploits for free (Italian list) • Purchase tool kits (Gleg) • Directed where to look for more vulnerabilities
Some Lessons Learned • SCADA and ICS are now targets of interest • Most s stems have many exploit opport nities systems ha e man e ploit opportunities • Patching is an issue for many companies • Patch dep oy e requires p a do a c deployment equ es plant downtime e • Vendor only patches most current version • Patch releases are slow • Upgrading to latest version may not be an option
Stuxnet’s Impact on PLCs
What Stuxnet Does to Its Victim 1. Locates and infects STEP 7 programming stations 2. 2 Replaces STEP 7 DLL ro tines on stations routines (so person viewing logic would not see any changes that Stuxnet later makes to the PLC) 3. Looks for specific models of Siemens PLCs (6ES7- 315-2 and 6ES7-417). 4. Indentifies 4 I d tifi a victim PLC b l ki f special i ti by looking for i l configurations and strings 5. Injects one of three STEP 7 code “payloads” into payloads PLC to change process operations
What Stuxnet Does to a PLC • PLC’s PROFIBUS driver is replaced • Main PLC program block (OB1) and the primar primary watchdog block (OB35) are significantly modified • Between17 and 32 additional function blocks and data blocks are injected into the PLC • Payloads ‘A’ and ‘B’ change the frequencies of Variable Frequency D i V i bl F Drives and th motor speed d thus t d • Payload “C’ designed to control a master system, possibly a safety system
Understanding the Payloads • Payloads A & B are well understood and are fairly specific to the victim. victim • Payload C was disabled by the designers for some reason but… • It is a far more general purpose attack
Start Cycle Basic PLC Architecture Timer Ti Send PIO Read to Inputs to Outputs PII Execute Logic
Start Cycle Timer Stuxnet Invades the PLC Send PIO to Outputs Read Inp ts Inputs to PII Overwrite Overwrite PIO PII STUXNET Execute Logic
Stuxnet s Stuxnet’s Legacy • Model for simple, destructive SCADA worms • Exploits E ploits inherent PLC design iss es issues • Applicable to almost all industrial controllers • There are no possible “patches” to the PLC patches
Some Closing Thoughts… Thoughts • Stuxnet has changed the threat landscape • ICS/SCADA is the target of sophisticated attacks • ICS/SCADA is the focus for vulnerability discovery • Industry must accept that the complete prevention of ICS infection is probably impossible • Improved defense-in-depth strategies for industrial control systems are needed urgently • Waiting for the next worm may be too late
References Siemens Automation • Security concept PCS 7 and WinCC - Basic document y p http://support.automation.siemens.com/ww/view/en/26462131/ Tofino Security White Papers and Application Notes • http://www.tofinosecurity.com/stuxnet-central • Analysis of the Siemens PCS7 “Stuxnet” Malware for Industrial Control System Professionals: http://www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware • Using Tofino to Control the Spread of the Stuxnet Malware - Application Note: http://www.tofinosecurity.com/professional/using-tofino-control-stuxnet • Stuxnet Mitigation Matrix - Application Note: http://www.tofinosecurity.com/professional/stuxnet-mitigation-matrix Other White Papers and Documents • http://www.langner.com/en/ • http://www.symantec.com/content/en/us/enterprise/media/security_response/w htt // t / t t/ / / t i / di / it / hitepapers/w32_stuxnet_dossier.pdf
Mission Critical Security in a Post-Stuxnet World Part 1

Recommended

I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart StuxnetGil Megidish
 
Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackAjinkya Nikam
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flameSantosh Khadsare
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for MainframesCheryl Biswas
 
Stuxnet worm
Stuxnet wormStuxnet worm
Stuxnet wormsommerville-videos
 
The World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetThe World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetSean Xie
 

Recommended

I Heart Stuxnet
I Heart StuxnetI Heart Stuxnet
I Heart StuxnetGil Megidish
 
Stuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackStuxnet mass weopan of cyber attack
Stuxnet mass weopan of cyber attackAjinkya Nikam
 
Stuxnet - Case Study
Stuxnet - Case StudyStuxnet - Case Study
Stuxnet - Case StudyAmr Thabet
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flameSantosh Khadsare
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for MainframesCheryl Biswas
 
Stuxnet worm
Stuxnet wormStuxnet worm
Stuxnet wormsommerville-videos
 
The World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetThe World's First Cyber Weapon - Stuxnet
The World's First Cyber Weapon - StuxnetSean Xie
 
Stuxnet
StuxnetStuxnet
Stuxnetbueno buono good
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the futureHardeep Bhurji
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723Iftach Ian Amit
 
Stuxnet
StuxnetStuxnet
StuxnetShishir Aryal
 
How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsYury Chemerkin
 
Stuxnet
StuxnetStuxnet
StuxnetSymantec
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINALNicholas Poole
 
Stuxnet, a malicious computer worm
Stuxnet, a malicious computer wormStuxnet, a malicious computer worm
Stuxnet, a malicious computer wormSumaiya Ismail
 
Stuxnet
StuxnetStuxnet
Stuxnetshiva_sathish
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcampGregory Hanis
 
Malware freak show
Malware freak showMalware freak show
Malware freak showsr1nu
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTamas K Lengyel
 
Building HMI with VB Tutorial [1998]
Building HMI with VB Tutorial [1998]Building HMI with VB Tutorial [1998]
Building HMI with VB Tutorial [1998]Sarod Paichayonrittha
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitIOSR Journals
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacksUltraUploader
 
Linux Security
Linux SecurityLinux Security
Linux Securitynayakslideshare
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMITamas K Lengyel
 
Tobii T60 T120 User Manual
Tobii T60 T120 User ManualTobii T60 T120 User Manual
Tobii T60 T120 User ManualAcuity ETS Limited
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWAReScott Sutherland
 

More Related Content

What's hot

Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the futureHardeep Bhurji
 
How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsYury Chemerkin
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Byres Security Inc.
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINALNicholas Poole
 
Stuxnet, a malicious computer worm
Stuxnet, a malicious computer wormStuxnet, a malicious computer worm
Stuxnet, a malicious computer wormSumaiya Ismail
 
Malware freak show
Malware freak showMalware freak show
Malware freak showsr1nu
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTamas K Lengyel
 
Building HMI with VB Tutorial [1998]
Building HMI with VB Tutorial [1998]Building HMI with VB Tutorial [1998]
Building HMI with VB Tutorial [1998]Sarod Paichayonrittha
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitIOSR Journals
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacksUltraUploader
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMITamas K Lengyel
 

What's hot (20)

Stuxnet
StuxnetStuxnet
Stuxnet
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the future
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
How stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systemsHow stuxnet spreads – a study of infection paths in best practice systems
How stuxnet spreads – a study of infection paths in best practice systems
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2Mission Critical Security in a Post-Stuxnet World Part 2
Mission Critical Security in a Post-Stuxnet World Part 2
 
The Stuxnet Virus FINAL
The Stuxnet Virus FINALThe Stuxnet Virus FINAL
The Stuxnet Virus FINAL
 
Stuxnet, a malicious computer worm
Stuxnet, a malicious computer wormStuxnet, a malicious computer worm
Stuxnet, a malicious computer worm
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
Hacker bootcamp
Hacker bootcampHacker bootcamp
Hacker bootcamp
 
Malware freak show
Malware freak showMalware freak show
Malware freak show
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
 
Building HMI with VB Tutorial [1998]
Building HMI with VB Tutorial [1998]Building HMI with VB Tutorial [1998]
Building HMI with VB Tutorial [1998]
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Compromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploitCompromising windows 8 with metasploit’s exploit
Compromising windows 8 with metasploit’s exploit
 
Automated defense from rootkit attacks
Automated defense from rootkit attacksAutomated defense from rootkit attacks
Automated defense from rootkit attacks
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
 

Viewers also liked

(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
Sitrain blocos de orgazação
Sitrain blocos de orgazaçãoSitrain blocos de orgazação
Sitrain blocos de orgazaçãoconfidencial
 
Apostila pcs7 v8.0 v2
Apostila pcs7 v8.0 v2Apostila pcs7 v8.0 v2
Apostila pcs7 v8.0 v2confidencial
 
Manejo de avisos y alarmas en HMI
Manejo de avisos y alarmas en HMIManejo de avisos y alarmas en HMI
Manejo de avisos y alarmas en HMIjohn piñeros
 
Sitrain introdução a ihm
Sitrain introdução a ihmSitrain introdução a ihm
Sitrain introdução a ihmconfidencial
 
Teoria s7 300-basico
Teoria s7 300-basicoTeoria s7 300-basico
Teoria s7 300-basicoGerardo Moya
 
Programación estructurada Siemens - TIA PORTAL
Programación estructurada Siemens - TIA PORTALProgramación estructurada Siemens - TIA PORTAL
Programación estructurada Siemens - TIA PORTALjohn piñeros
 
01tiaportal handson-basicov11v2-140421084257-phpapp01
01tiaportal handson-basicov11v2-140421084257-phpapp0101tiaportal handson-basicov11v2-140421084257-phpapp01
01tiaportal handson-basicov11v2-140421084257-phpapp01confidencial
 
Ejercicios de-programacic3b3n-resueltos-con-step-7
Ejercicios de-programacic3b3n-resueltos-con-step-7Ejercicios de-programacic3b3n-resueltos-con-step-7
Ejercicios de-programacic3b3n-resueltos-con-step-7Guido Carmona Girón
 
Manual manejo TIA PORTAL SIEMENS
Manual manejo TIA PORTAL SIEMENSManual manejo TIA PORTAL SIEMENS
Manual manejo TIA PORTAL SIEMENSjohn piñeros
 

Viewers also liked (12)

Tobii T60 T120 User Manual
Tobii T60 T120 User ManualTobii T60 T120 User Manual
Tobii T60 T120 User Manual
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
Sitrain blocos de orgazação
Sitrain blocos de orgazaçãoSitrain blocos de orgazação
Sitrain blocos de orgazação
 
Apostila pcs7 v8.0 v2
Apostila pcs7 v8.0 v2Apostila pcs7 v8.0 v2
Apostila pcs7 v8.0 v2
 
Manejo de avisos y alarmas en HMI
Manejo de avisos y alarmas en HMIManejo de avisos y alarmas en HMI
Manejo de avisos y alarmas en HMI
 
Sitrain introdução a ihm
Sitrain introdução a ihmSitrain introdução a ihm
Sitrain introdução a ihm
 
Teoria s7 300-basico
Teoria s7 300-basicoTeoria s7 300-basico
Teoria s7 300-basico
 
Programación estructurada Siemens - TIA PORTAL
Programación estructurada Siemens - TIA PORTALProgramación estructurada Siemens - TIA PORTAL
Programación estructurada Siemens - TIA PORTAL
 
01tiaportal handson-basicov11v2-140421084257-phpapp01
01tiaportal handson-basicov11v2-140421084257-phpapp0101tiaportal handson-basicov11v2-140421084257-phpapp01
01tiaportal handson-basicov11v2-140421084257-phpapp01
 
Ejercicios de-programacic3b3n-resueltos-con-step-7
Ejercicios de-programacic3b3n-resueltos-con-step-7Ejercicios de-programacic3b3n-resueltos-con-step-7
Ejercicios de-programacic3b3n-resueltos-con-step-7
 
Manual manejo TIA PORTAL SIEMENS
Manual manejo TIA PORTAL SIEMENSManual manejo TIA PORTAL SIEMENS
Manual manejo TIA PORTAL SIEMENS
 

Similar to Mission Critical Security in a Post-Stuxnet World Part 1

SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT GatewayLF Events
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Cisco Canada
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Dawn Yankeelov
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghOWASP Delhi
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systemsPeter Wood
 
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...sequi_inc
 
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ SwarmRevolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ SwarmHiveMQ
 
Distributech_Presentation DTECH_2013
Distributech_Presentation DTECH_2013Distributech_Presentation DTECH_2013
Distributech_Presentation DTECH_2013Dorian Hernandez
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017Jian-Hong Pan
 
Io t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425cIo t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425cCharles Li
 
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsCyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsAgence du Numérique (AdN)
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierAlireza Ghahrood
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...Area41
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)TI Safe
 

Similar to Mission Critical Security in a Post-Stuxnet World Part 1 (20)

SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Secure IOT Gateway
Secure IOT GatewaySecure IOT Gateway
Secure IOT Gateway
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles Ot ics cyberattaques dans les organisations industrielles
Ot ics cyberattaques dans les organisations industrielles
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Security testing in critical systems
Security testing in critical systemsSecurity testing in critical systems
Security testing in critical systems
 
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
Industrial Control Systems Security - A Perspective on Product Design (Sequi,...
 
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ SwarmRevolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
Revolutionizing IoT Testing - A Sneak Peek of HiveMQ Swarm
 
Distributech_Presentation DTECH_2013
Distributech_Presentation DTECH_2013Distributech_Presentation DTECH_2013
Distributech_Presentation DTECH_2013
 
The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017The Considerations for Internet of Things @ 2017
The Considerations for Internet of Things @ 2017
 
Io t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425cIo t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425c
 
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsCyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy Systems
 
IIoT Endpoint Security
IIoT Endpoint Security IIoT Endpoint Security
IIoT Endpoint Security
 
Optional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet DossierOptional Reading - Symantec Stuxnet Dossier
Optional Reading - Symantec Stuxnet Dossier
 
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
hashdays 2011: Felix 'FX' Lindner - Targeted Industrial Control System Attack...
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Mission Critical Security in a Post-Stuxnet World Part 1

  • 1. What Does Stuxnet Mean for Industrial Control Systems? The Future of Critical Infrastructure Security Eric Byres, P.Eng. CTO, CTO Byres Security Inc Inc.
  • 2. Some Acknowledgements Acknowledgements… • Presentation is based on a white paper co-authored by • Eric Byres Tofino Security • Andrew Ginter Waterfall Technologies • Joel Langill SCADAhacker.com Downloadable from http://www.tofinosecurity.com/how-stuxnet-spreads
  • 4. The Stuxnet Worm • July, 2010: Stuxnet worm was discovered attacking Siemens PCS7 S7 PLC and WIN-CC systems PCS7, around the world • Infected 100,000 computers • Infected at least 22 manufacturing sites • Appears t have i A to h impactedt d its possible target, Iran’s nuclear enrichment program
  • 5. Great - We Weren t the Target Weren’t Target… • Stuxnet infected a large US manufacturing plant • Started with two USB keys • Spread over the network to 100 WinCC HMIs communicating with about 60 OPs and about 45 S7 PLCs • Virus would modify project communication configuration for Vi ld dif j t i ti fi ti f the PLC's Ethernet ports • Impact: • Major resource drain to disinfect project files • Plant continued to experience symptoms on PLCs one month later
  • 7. Isn t Isn’t a Nuclear Materials System Air Gapped? Air-Gapped? • How could Stuxnet migrate from the Internet to an isolated industrial control system? • Could the next worm do the same to a different victim?
  • 8. A Trivial Scenario • Scenario: 1. 1 Joe finds a USB flash drive in the parking lot and brings it into the control room 2. Joe plugs it into the PLC programming station 3. 3 PLC programming station i f t PLC i t ti infects PLCs • Solution: 1. Ban all USB flash drives in the control room NOT Realistic!
  • 9. Gap Analysis Methodology • Goal: Understanding the routes that a directed worm takes as it targets an ICS • Premise: Start with an industrial site that exactly follows the security best practices defined in vendor documents • Model: Map ways that Stuxnet could make its way through the defenses to cause physical damage
  • 10. Core SIMATIC PCS 7 Control System Components Engineering System (ES) Client Operator System (OS) Client Automation System (AS) S7 PLC
  • 11. PCS 7 High Security Architecture Enterprise Control Network Perimeter Manufacturing Control Operations Network Network Control C t l System Network WinCC Process PCS7 Control Historian Remote Access Network General Purpose
  • 12. PCS 7 High Security Architecture Identical Firewalls Here No Firewall Between CSN and PCN WinCC PCS7 Historian Remote Access General Purpose
  • 13. Stuxnet Phases Penetration Infection Propagation Detection Avoidance Target Identification Target Modification Process Impact
  • 14. Penetration (aka Handoff to Target Organization) • Stuxnet handoffs were highly focused • June 2009 to May 2010 10 infiltration events • Handoffs were made to at least five separate target organizations Sample Graph of Infected Hosts Domain E / Infection initiation 2010/05/11 Courtesy of Symantec Inc
  • 15. Penetration Possibilities • Employee given infected USB flash drive • Employee given Emplo ee gi en infected project files from contractor • Employee is transmitted email with “dropper” • Employees laptop infected offsite …. • Many possibilities for attackers yp DEMO
  • 16. Core Propagation Methods • Via Infected Removable Drives • USB flash drives • Portable hard disks • Via Local Area Networks • Administrative and IPC Shares • Shared network drives • Print spooler services • SQL Connections • Via infected Siemens project files • WinCC files • STEP 7 files A very simplified view …
  • 17. Penetrating Perimeter Network Firewalls • Many paths through firewalls: • Network printer and file shares • System Admin via VPN • WinCC SQL Server database • RPC sessions between PCS 7 systems
  • 18. Stuxnet Had Many Paths to its Victim PLCs
  • 19. Red R d highlights more direct paths which bypass existing Green security highlights controls infection path described in paper
  • 20. Some Lessons Learned • A modern ICS or SCADA system is highly complex and interconnected • Multiple potential pathways exist from the outside world to the process controllers • Assuming an air-gap between ICS and corporate networks is unrealistic • Focusing security efforts on a few obvious pathways F i it ff t f b i th (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense
  • 21. The Death of “Security by Obscurity”
  • 22. A Typical Month for SCADA Vulnerabilities • March 15 Moscow-based Gleg Ltd. released their Agora SCADA+ exploit pack for Canvas which Canvas, included 11 0-days (now at 54 exploits) • On March 21, a security researcher from Italy “publically disclosed” 34 vulnerabilities on 4 different ICS platforms • On March 22 23 vulnerabilities 22-23, were disclosed for 2 additional ICS platforms
  • 23.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28. The Life Cycle of a ICS Exploit • ICS platforms are becoming an obvious target for attacks • “Security Researchers” focusing on SCADA/ICS because it is easy money/fame (little malicious intent) • Actors with intent have access to the weapons: • Download exploits for free (Italian list) • Purchase tool kits (Gleg) • Directed where to look for more vulnerabilities
  • 29. Some Lessons Learned • SCADA and ICS are now targets of interest • Most s stems have many exploit opport nities systems ha e man e ploit opportunities • Patching is an issue for many companies • Patch dep oy e requires p a do a c deployment equ es plant downtime e • Vendor only patches most current version • Patch releases are slow • Upgrading to latest version may not be an option
  • 31. What Stuxnet Does to Its Victim 1. Locates and infects STEP 7 programming stations 2. 2 Replaces STEP 7 DLL ro tines on stations routines (so person viewing logic would not see any changes that Stuxnet later makes to the PLC) 3. Looks for specific models of Siemens PLCs (6ES7- 315-2 and 6ES7-417). 4. Indentifies 4 I d tifi a victim PLC b l ki f special i ti by looking for i l configurations and strings 5. Injects one of three STEP 7 code “payloads” into payloads PLC to change process operations
  • 32. What Stuxnet Does to a PLC • PLC’s PROFIBUS driver is replaced • Main PLC program block (OB1) and the primar primary watchdog block (OB35) are significantly modified • Between17 and 32 additional function blocks and data blocks are injected into the PLC • Payloads ‘A’ and ‘B’ change the frequencies of Variable Frequency D i V i bl F Drives and th motor speed d thus t d • Payload “C’ designed to control a master system, possibly a safety system
  • 33. Understanding the Payloads • Payloads A & B are well understood and are fairly specific to the victim. victim • Payload C was disabled by the designers for some reason but… • It is a far more general purpose attack
  • 34. Start Cycle Basic PLC Architecture Timer Ti Send PIO Read to Inputs to Outputs PII Execute Logic
  • 35. Start Cycle Timer Stuxnet Invades the PLC Send PIO to Outputs Read Inp ts Inputs to PII Overwrite Overwrite PIO PII STUXNET Execute Logic
  • 36. Stuxnet s Stuxnet’s Legacy • Model for simple, destructive SCADA worms • Exploits E ploits inherent PLC design iss es issues • Applicable to almost all industrial controllers • There are no possible “patches” to the PLC patches
  • 37. Some Closing Thoughts… Thoughts • Stuxnet has changed the threat landscape • ICS/SCADA is the target of sophisticated attacks • ICS/SCADA is the focus for vulnerability discovery • Industry must accept that the complete prevention of ICS infection is probably impossible • Improved defense-in-depth strategies for industrial control systems are needed urgently • Waiting for the next worm may be too late
  • 38. References Siemens Automation • Security concept PCS 7 and WinCC - Basic document y p http://support.automation.siemens.com/ww/view/en/26462131/ Tofino Security White Papers and Application Notes • http://www.tofinosecurity.com/stuxnet-central • Analysis of the Siemens PCS7 “Stuxnet” Malware for Industrial Control System Professionals: http://www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware • Using Tofino to Control the Spread of the Stuxnet Malware - Application Note: http://www.tofinosecurity.com/professional/using-tofino-control-stuxnet • Stuxnet Mitigation Matrix - Application Note: http://www.tofinosecurity.com/professional/stuxnet-mitigation-matrix Other White Papers and Documents • http://www.langner.com/en/ • http://www.symantec.com/content/en/us/enterprise/media/security_response/w htt // t / t t/ / / t i / di / it / hitepapers/w32_stuxnet_dossier.pdf