One more Stuxnet post before we move on. A few different issues and thoughts to cover so I’ll number them.
1. ICS-CERT Failed The Biggest Test Yet
The community expected ICS-CERT to lead not follow far behind in informing us about control system security vulnerabilities. We were told ICS-CERT had the domain expertise, industry contacts and lab to investigate and verify vulnerabilies. They failed miserably on the biggest test to date.
It took ICS-CERT way too long to issue their initial bulletin, and it only included detail already available. If it is only going to be a delayed clipping service then domain expertise is not needed.
Even more damning is they did not publish any information on the impact of Stuxnet on the PLC. Why didn’t they in the early weeks use their vast resources to get a copy of Simatic and a S7 PLC in the lab – – if they don’t already have one? If they do have the equipment it is even worse because they were unable to uncover the information.
INL and DHS have some talented people working there. So another possibility is they knew what Stuxnet did and could not clear the bureaucratic hurdles required to release more information. Whatever the problem was, if ICS-CERT can’t perform then shut it down.
2. Siemens: Hiding Info or Didn’t Know?
Another failing grade. Prior to a September 17th update there was little information from Siemens about the impact on their PLC’s. The focus was on dealing with the Microsoft issues and replacing the Siemens modified DLL’s in Simatic and WinCC.
Did Siemens know what Stuxnet actually did prior to Ralph’s disclosure last week and choose not to disclose it to customers? Or did Siemens only learn about what Stuxnet did with the S7 PLC’s after Ralph posted it – – because there is no information beyond what Ralph posted available from Siemens? It is hard to say which is worse, but this group at Siemens has a lot of work to do to prove to customers that is competent to deal with future incidents. What is going to be different next time?
3. Langner Communications and Symantec Were Stars
I have been effusive in my praise for Ralph and the team at Langner Communications. After waiting weeks for Siemens or ICS-CERT to investigate the impact on Siemens systems, Ralph did the work that ICS-CERT should have done.
Symantec also deserves praise for their analysis of Stuxnet, and they continue. The latest is their revelation that Stuxnet has a P2P updating capability in anticipation that the command and control servers would be eventually taken offline.
4. Nation State and Other Sophisticated Threat Actors Will Grow
I have assumed for years now that the US, Israel, China, Russia, UK and most other countries with a cyber skills have a rapidly developing offensive capabilities against control systems. Why wouldn’t they? At this point is just a theory that a nation state, namely Israel, launched the attack against Bushehr. If it is not Israel and Bushehr, wouldn’t they be wondering why they did not to this type of attack?
Stuxnet will be an eye opener for many government officials on the possibilities of attacking critical infrastructure control systems. They may have ignored previous briefings on the subject as wild theory. Their experts will now be briefing policy makers with a practical example and the ideas and scenarios will flow.
Side Note: The press accepted that a cyber attack knocked out power in Brazil with no evidence except an unnamed administration source said power was knocked out in a foreign country and Brazil had a power outage that year. The WSJ ran a story with no evidence of the contents of the attack, make and model of systems that were attacked, or the location where the attack was most prevalent, all of which we have with Stuxnet. The cherry on top of this sundae is President Obama then referenced the WSJ story in a speech or press conference as a reason we needed more cyber security.
5. Is Your System Already Compromised?
I was teaching a class last week, and the students were asking how to stop an attack like Stuxnet. Of course, egress filtering, background checks, proper vetting of anything allowed inside the security perimeter, … but none of these answers were very reassuring to me.
PLC’s and other field devices are easily exploited today. If you can connect to them, you can load whatever you want whether it be new points, ladder logic or firmware. A talented and motivated attacker will hide their compromise, like Stuxnet did, until they are ready to use it, and this is were it gets really frightening.
If you run a critical infrastructure system that a government or other organization with cyber talent would like to disrupt, how do you know your system has not already been compromised? We did it in our labs with Rockwell Automation’s ControlLogix and other vendor field devices by loading our own firmware and not disrupting the legitimate program. There are others in the community who know how to do this. Why not the bad guys? Or good guys depending on your politics?
I would like to see the field device vendors come up with an answer. How can an asset owner test his or her PLC’s to verify the integrity of all software elements? Checking the version number of firmware or checksums is not sufficient because an attacker can simply write a function to return the expected value.
6. Is Stuxnet All of the Attack? Or is it APT?
Stuxnet is advanced, actually very advanced. So it meets the A=Advanced criteria of APT. However for this attacker to be Persistent, the P in APT, they would need to have a number of different attacks and compromises on the target control system. So when Stuxnet is finally purged by clearing out and completely reprogramming the PLC’s and infected PC’s, the attacker can launch a second and third different type of attack from systems on the network that were not attacked by Stuxnet.
I would wonder what else, if anything, was loaded onto any system in the same security perimeter as Stuxnet infected? Why wouldn’t an attacker who was smart enough to provide all those capabilities in Stuxnet also infect a few other systems with unrelated attacks?