Mission Critical Security in a Post-Stuxnet World Part 1


This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security.

The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.

Published in: Technology, Business

  1. What Does Stuxnet Mean for Industrial Control Systems? The Future of Critical Infrastructure Security. Eric Byres, P.Eng., CTO, Byres Security Inc.
  2. Some Acknowledgements…
     • Presentation is based on a white paper co-authored by
       • Eric Byres, Tofino Security
       • Andrew Ginter, Waterfall Technologies
       • Joel Langill
     • Downloadable from
  3. What is Stuxnet?
  4. The Stuxnet Worm
     • July 2010: Stuxnet worm was discovered attacking Siemens PCS7, S7 PLC and WinCC systems around the world
     • Infected 100,000 computers
     • Infected at least 22 manufacturing sites
     • Appears to have impacted its possible target, Iran's nuclear enrichment program
  5. Great - We Weren't the Target…
     • Stuxnet infected a large US manufacturing plant
       • Started with two USB keys
       • Spread over the network to 100 WinCC HMIs communicating with about 60 OPs and about 45 S7 PLCs
       • Virus would modify project communication configuration for the PLCs' Ethernet ports
     • Impact:
       • Major resource drain to disinfect project files
       • Plant continued to experience symptoms on PLCs one month later
  6. How Stuxnet Spreads
  7. Isn't a Nuclear Materials System Air-Gapped?
     • How could Stuxnet migrate from the Internet to an isolated industrial control system?
     • Could the next worm do the same to a different victim?
  8. A Trivial Scenario
     • Scenario:
       1. Joe finds a USB flash drive in the parking lot and brings it into the control room
       2. Joe plugs it into the PLC programming station
       3. PLC programming station infects PLCs
     • Solution:
       1. Ban all USB flash drives in the control room. NOT realistic!
  9. Gap Analysis Methodology
     • Goal: understanding the routes that a directed worm takes as it targets an ICS
     • Premise: start with an industrial site that exactly follows the security best practices defined in vendor documents
     • Model: map ways that Stuxnet could make its way through the defenses to cause physical damage
  10. Core SIMATIC PCS 7 Control System Components
     [Diagram: Engineering System (ES) Client, Operator System (OS) Client, Automation System (AS), S7 PLC]
  11. PCS 7 High Security Architecture
     [Diagram of zones: Enterprise Control Network, Perimeter Network, Manufacturing Operations Network, Process Control Network, Control System Network; hosts shown: WinCC, PCS7, Historian, Remote Access, General Purpose]
  12. PCS 7 High Security Architecture
     [Same diagram, annotated "Identical firewalls here" and "No firewall between CSN and PCN"; hosts shown: WinCC, PCS7, Historian, Remote Access, General Purpose]
  13. Stuxnet Phases
     Penetration → Infection → Propagation → Detection Avoidance → Target Identification → Target Modification → Process Impact
  14. Penetration (aka Handoff to Target Organization)
     • Stuxnet handoffs were highly focused
     • June 2009 to May 2010: 10 infiltration events
     • Handoffs were made to at least five separate target organizations
     [Figure: sample graph of infected hosts, Domain E / infection initiation 2010/05/11. Courtesy of Symantec Inc.]
  15. Penetration Possibilities
     • Employee given infected USB flash drive
     • Employee given infected project files from contractor
     • Employee is transmitted email with "dropper"
     • Employee's laptop infected offsite
     • …
     • Many possibilities for attackers
     DEMO
  16. Core Propagation Methods
     • Via Infected Removable Drives
       • USB flash drives
       • Portable hard disks
     • Via Local Area Networks
       • Administrative and IPC Shares
       • Shared network drives
       • Print spooler services
       • SQL Connections
     • Via infected Siemens project files
       • WinCC files
       • STEP 7 files
     A very simplified view…
  17. Penetrating Perimeter Network Firewalls
     • Many paths through firewalls:
       • Network printer and file shares
       • System Admin via VPN
       • WinCC SQL Server database
       • RPC sessions between PCS 7 systems
  18. Stuxnet Had Many Paths to its Victim PLCs
  19. [Diagram legend: red highlights more direct paths which bypass existing security controls; green highlights the infection path described in the paper]
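The gap-analysis slides above describe mapping every route a directed worm could take from the outside world to the controllers, and the "many paths" diagram shows routes that bypass the perimeter firewall entirely. The following is an added example of that kind of zone-level path enumeration; it is not the paper's model or code. Zone names follow the PCS 7 architecture slides; the edge list, which zone boundaries carry a firewall, and the method labels are assumptions constructed here for illustration.

```python
"""Zone-graph gap analysis: enumerate every route from outside the plant to an
S7 PLC and flag the routes that never cross a firewall.

Added example, not the presentation's model. The edge set below is an
ASSUMPTION built from the propagation methods the slides list.
"""
from collections import defaultdict

# Zones abbreviated from the PCS 7 high security architecture slides:
#   ECN = Enterprise Control Network, MON = Manufacturing Operations Network,
#   PCN = Process Control Network, CSN = Control System Network.
# Each edge: (source, destination, propagation method, crosses a firewall?).
# ASSUMPTION: firewalls sit at ECN/Perimeter, Perimeter/MON and MON/PCN;
# the slide itself states there is no firewall between PCN and CSN.
EDGES = [
    ("Outside", "ECN", "e-mail with dropper", False),
    ("ECN", "Perimeter", "administrative/IPC shares", True),
    ("ECN", "Perimeter", "WinCC SQL Server database", True),
    ("Perimeter", "MON", "RPC between PCS 7 systems", True),
    ("Perimeter", "MON", "print spooler service", True),
    ("MON", "PCN", "shared network drive", True),
    ("MON", "PCN", "system admin via VPN", True),
    ("PCN", "CSN", "RPC between PCS 7 systems", False),
    ("CSN", "PLC", "STEP 7 download from programming station", False),
    # Handoffs that land directly in deep zones (slides 15 and 16):
    ("Outside", "PCN", "infected USB flash drive", False),
    ("Outside", "CSN", "infected STEP 7 project file", False),
]


def build_graph(edges):
    graph = defaultdict(list)
    for src, dst, method, firewall in edges:
        graph[src].append((dst, method, firewall))
    return graph


def enumerate_paths(edges, start="Outside", target="PLC"):
    """Depth-first search for every simple path from start to target.
    Each path is a list of (src, dst, method, crosses_firewall) hops."""
    graph = build_graph(edges)
    paths = []

    def walk(zone, visited, hops):
        if zone == target:
            paths.append(list(hops))
            return
        for dst, method, firewall in graph[zone]:
            if dst in visited:
                continue
            hops.append((zone, dst, method, firewall))
            walk(dst, visited | {dst}, hops)
            hops.pop()

    walk(start, {start}, [])
    return paths


def firewall_crossings(path):
    """How many firewalled boundaries a path passes through."""
    return sum(1 for _, _, _, firewall in path if firewall)


def gap_report(edges):
    """Summarise how many routes exist and how many never meet a firewall."""
    paths = enumerate_paths(edges)
    bypass = [p for p in paths if firewall_crossings(p) == 0]
    return {
        "total_paths": len(paths),
        "firewall_bypass_paths": len(bypass),
        "max_firewalls_on_any_path": max(firewall_crossings(p) for p in paths),
        # first hop of each bypass path: the handoff that skipped the perimeter
        "bypass_methods": sorted({p[0][2] for p in bypass}),
    }


if __name__ == "__main__":
    for path in enumerate_paths(EDGES):
        route = " -> ".join(hop[0] for hop in path) + " -> PLC"
        print(f"{firewall_crossings(path)} firewall(s): {route}")
    print(gap_report(EDGES))
```

The report makes the slide's lesson concrete: of the ten modelled routes, eight cross three firewalls on the "expected" path, while two (USB key, infected project file) reach the control system network without meeting a firewall at all, which is why hardening only the Enterprise/ICS boundary is a flawed defense.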
  20. Some Lessons Learned
     • A modern ICS or SCADA system is highly complex and interconnected
     • Multiple potential pathways exist from the outside world to the process controllers
     • Assuming an air-gap between ICS and corporate networks is unrealistic
     • Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense
  21. The Death of "Security by Obscurity"
  22. A Typical Month for SCADA Vulnerabilities
     • March 15: Moscow-based Gleg Ltd. released their Agora SCADA+ exploit pack for Canvas, which included 11 0-days (now at 54 exploits)
     • On March 21, a security researcher from Italy "publicly disclosed" 34 vulnerabilities on 4 different ICS platforms
     • On March 22-23, 23 vulnerabilities were disclosed for 2 additional ICS platforms
  23. The Life Cycle of an ICS Exploit
     • ICS platforms are becoming an obvious target for attacks
     • "Security Researchers" focusing on SCADA/ICS because it is easy money/fame (little malicious intent)
     • Actors with intent have access to the weapons:
       • Download exploits for free (Italian list)
       • Purchase tool kits (Gleg)
       • Directed where to look for more vulnerabilities
  24. Some Lessons Learned
     • SCADA and ICS are now targets of interest
     • Most systems have many exploit opportunities
     • Patching is an issue for many companies
       • Patch deployment requires plant downtime
       • Vendor only patches most current version
       • Patch releases are slow
       • Upgrading to latest version may not be an option
  25. Stuxnet's Impact on PLCs
  26. What Stuxnet Does to Its Victim
     1. Locates and infects STEP 7 programming stations
     2. Replaces STEP 7 DLL routines on stations (so a person viewing logic would not see any changes that Stuxnet later makes to the PLC)
     3. Looks for specific models of Siemens PLCs (6ES7-315-2 and 6ES7-417)
     4. Identifies a victim PLC by looking for special configurations and strings
     5. Injects one of three STEP 7 code "payloads" into the PLC to change process operations
  27. What Stuxnet Does to a PLC
     • PLC's PROFIBUS driver is replaced
     • Main PLC program block (OB1) and the primary watchdog block (OB35) are significantly modified
     • Between 17 and 32 additional function blocks and data blocks are injected into the PLC
     • Payloads 'A' and 'B' change the frequencies of Variable Frequency Drives and thus motor speed
     • Payload 'C' designed to control a master system, possibly a safety system
  28. Understanding the Payloads
     • Payloads A & B are well understood and are fairly specific to the victim
     • Payload C was disabled by the designers for some reason but…
     • It is a far more general purpose attack
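Slides 26 and 27 describe a footprint a defender can look for: OB1 and OB35 altered and 17 to 32 function and data blocks that were never in the project. The following is an added example of a baseline comparison over a controller's block inventory; it is not from the presentation or from Siemens tooling. Block names other than OB1 and OB35, the block contents and the way the inventory is obtained are constructed here. The practical caveat from slide 26 applies: because the malware replaces STEP 7 DLLs on the engineering station to hide its changes, the `baseline` and `current` maps must come from an upload taken with a tool that does not depend on that station's libraries.

```python
"""Baseline comparison of an S7 PLC block inventory, as a detection for the
changes described on the 'What Stuxnet Does to a PLC' slides.

Added example, not the presentation's code. Block bodies are placeholder
bytes, and a real deployment would fill BASELINE/CURRENT from an
independent upload of the controller's blocks.
"""
import hashlib


def fingerprint(block_bytes: bytes) -> str:
    """SHA-256 of a block's uploaded bytes; this is what gets compared."""
    return hashlib.sha256(block_bytes).hexdigest()


def compare_inventory(baseline: dict, current: dict) -> dict:
    """Diff two {block_name: fingerprint} maps."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(b for b in shared if baseline[b] != current[b]),
    }


def assess(report: dict, injected_range=(17, 32)) -> list:
    """Turn a diff into findings a control engineer would act on."""
    findings = []
    for block, role in (("OB1", "main program block"), ("OB35", "primary watchdog block")):
        if block in report["modified"]:
            findings.append(f"{block} ({role}) differs from baseline")
    injected = [b for b in report["added"] if b.startswith(("FC", "DB"))]
    if injected:
        low, high = injected_range
        note = " (count within the range reported for Stuxnet)" if low <= len(injected) <= high else ""
        findings.append(f"{len(injected)} new FC/DB blocks not in baseline{note}")
    if report["removed"]:
        findings.append(f"{len(report['removed'])} baseline blocks missing")
    return findings


# --- Constructed sample data (not real STEP 7 code) -------------------------
BASELINE_BLOCKS = {
    "OB1": b"main program v1",
    "OB35": b"watchdog 100ms v1",
    "FC1": b"pump control",
    "DB1": b"setpoints",
}
CURRENT_BLOCKS = dict(BASELINE_BLOCKS)
CURRENT_BLOCKS["OB1"] = b"main program v1 + injected call"
CURRENT_BLOCKS["OB35"] = b"watchdog 100ms v1 + injected call"
for n in range(18):  # 18 extra blocks, inside the 17..32 range on the slide
    name = f"DB{900 + n}" if n % 2 else f"FC{900 + n}"   # placeholder block numbers
    CURRENT_BLOCKS[name] = b"injected %d" % n

BASELINE = {name: fingerprint(body) for name, body in BASELINE_BLOCKS.items()}
CURRENT = {name: fingerprint(body) for name, body in CURRENT_BLOCKS.items()}


def run_check() -> list:
    return assess(compare_inventory(BASELINE, CURRENT))


if __name__ == "__main__":
    for line in run_check():
        print("FINDING:", line)
```

The comparison is deliberately dumb: it does not try to understand STEP 7 code, only to notice that blocks changed or appeared, which is what a periodic integrity check on a controller can realistically do when the engineering station's own view of the logic can no longer be trusted.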
  29. Basic PLC Architecture
     [Diagram of the scan cycle: Start Cycle Timer → Send PIO to Outputs → Read Inputs to PII → Execute Logic → back to Start Cycle Timer]
  30. Stuxnet Invades the PLC
     [Same scan cycle diagram with STUXNET inserted between the process images and Execute Logic: Overwrite PII, Overwrite PIO]
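The two scan-cycle diagrams show why the control logic itself cannot detect what happened to it: the process input image (PII) is rewritten before the logic runs, and the process output image (PIO) is rewritten after it. The following is an added toy model of that cycle, not the presentation's material, paired with the kind of out-of-band plausibility check a defender is left with. The control logic, signal names, values and the `ImageRewriter` class standing in for code wedged between the images and the logic are all constructed here.

```python
"""Toy model of the PLC scan cycle from the 'Basic PLC Architecture' and
'Stuxnet Invades the PLC' slides, plus an external plausibility check.

Added example; logic, signals and values are constructed for illustration.
"""


def control_logic(pii: dict) -> dict:
    """Constructed logic: hold the drive at 50 Hz, trip it above 60 Hz."""
    overspeed = pii["drive_hz"] > 60.0
    return {"drive_cmd_hz": 0.0 if overspeed else 50.0, "alarm": overspeed}


class ImageRewriter:
    """Models the slide's 'Overwrite PII / Overwrite PIO' step: the logic is
    shown a normal input image, and its output image is replaced before it
    is sent to the outputs. The values are constructed."""

    def rewrite_pii(self, pii: dict) -> dict:
        return {**pii, "drive_hz": 50.0}                   # logic sees a healthy speed

    def rewrite_pio(self, pio: dict) -> dict:
        return {**pio, "drive_cmd_hz": 80.0, "alarm": False}


def scan_cycle(field_inputs: dict, logic, rewriter=None):
    """One cycle: read inputs to PII, execute logic, send PIO to outputs.
    Returns (PII as the logic saw it, PIO as sent to the outputs)."""
    pii = dict(field_inputs)                 # Read Inputs to PII
    if rewriter:
        pii = rewriter.rewrite_pii(pii)      # Overwrite PII
    pio = logic(pii)                         # Execute Logic
    if rewriter:
        pio = rewriter.rewrite_pio(pio)      # Overwrite PIO
    return pii, pio                          # Send PIO to Outputs


def plausibility_check(field_inputs: dict, field_outputs: dict, logic) -> dict:
    """Independent monitor outside the controller: recompute what the logic
    should have commanded from raw field measurements and report every
    output that disagrees. Nothing inside the PLC can see the rewrite, so
    the comparison has to be made with data that never passed through it."""
    expected = logic(field_inputs)
    return {k: (expected[k], field_outputs[k]) for k in expected if expected[k] != field_outputs[k]}


# Constructed field state: the drive really is running at 80 Hz.
FIELD = {"drive_hz": 80.0}


def clean_controller():
    """Unmodified PLC: logic trips the drive and the monitor agrees."""
    _, pio = scan_cycle(FIELD, control_logic)
    return pio, plausibility_check(FIELD, pio, control_logic)


def compromised_controller():
    """PLC with the images rewritten: logic sees 50 Hz and commands 50 Hz,
    the field receives 80 Hz, and only the external monitor notices."""
    pii, pio = scan_cycle(FIELD, control_logic, ImageRewriter())
    return pii, pio, plausibility_check(FIELD, pio, control_logic)


if __name__ == "__main__":
    print("clean:", clean_controller())
    print("compromised:", compromised_controller())
```

In the compromised run the logic's own view is internally consistent (50 Hz in, 50 Hz commanded, no alarm), which is the sense in which the slides say there is no PLC-side "patch": the mismatch is only visible to something that reads the field independently of the controller's process images.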
  31. Stuxnet's Legacy
     • Model for simple, destructive SCADA worms
     • Exploits inherent PLC design issues
     • Applicable to almost all industrial controllers
     • There are no possible "patches" to the PLC
  32. Some Closing Thoughts…
     • Stuxnet has changed the threat landscape
     • ICS/SCADA is the target of sophisticated attacks
     • ICS/SCADA is the focus for vulnerability discovery
     • Industry must accept that the complete prevention of ICS infection is probably impossible
     • Improved defense-in-depth strategies for industrial control systems are needed urgently
     • Waiting for the next worm may be too late
  33. References
     Siemens Automation
     • Security concept PCS 7 and WinCC - Basic document
     Security White Papers and Application Notes
     • Analysis of the Siemens PCS7 "Stuxnet" Malware for Industrial Control System Professionals
     • Using Tofino to Control the Spread of the Stuxnet Malware - Application Note
     • Stuxnet Mitigation Matrix - Application Note
     White Papers and Documents
     • http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf