Stuxnet continues to be in the news: control system, infosec and general. It is widely covered with fact, theory, analogies and crazy conjecture, with the recent articles comparing the WellinTech vuln to Stuxnet being the latest foolish article and the NYT research and analysis of the Israeli connection being quite interesting. So it seems impossible that Stuxnet Advisories could be lacking, but for Siemens S7 users they are. There should be warnings in screaming headlines the process integrity of S7 PLC’s remains vulnerable to modified versions of Stuxnet.
Last Wednesday I was listening to a public NERC conference call on security, and the group mentioned they are considering an updating their Stuxnet advisory from last September. Last September??? A lot of new information, such as the man-in-the-middle feature and the ease of modifying Stuxnet to attack S7 controllers, is available and understood by the good guys and bad guys.
The key thing that seems to be under reported and under appreciated, despite strong attempts by Ralph, this blog and others, is that the Siemens S7 controllers have not been patched or otherwise modified to prevent the attack. The defense is simply don’t let the attackers get to the S7 controllers.
So I went back at looked at the latest advisory from ICS-CERT. They issued Primary Stuxnet Indicators on Sept 29th. This focused solely on the PC software and not on the PLC where the real damage is done. Ralph has a good analysis of this on langner.com.
The previous ICS-CERT bulletin on Stuxnet Mitigations was on Sept 15th. It talks about five vulnerabilities, none relating to the vulnerability of the PLC itself.
As a side note, the Sept 15th bulletin states:
ICS-CERT is continuing to reverse engineer and analyze this malware. Because of the malware’s complexity, this work is expected to take some time.
This statement contradicts or at least casts doubt on the implied timing of Sean McGurk’s oft repeated statement that DHS thoroughly understood Stuxnet because they had the equipment and were working with the vendor. Sept 15th was two months after Stuxnet was discovered.
Here’s what missing in all the vulnerabilities . . . if you are ICS has an S7 controller you are still vulnerable to the code on that controller being modified by a Stuxnet derivative that might not be so selective to only attack a single process. Outside of Langner’s tool to detect changes on S7 PLC’s, there has been no mitigation for Stuxnet clones. Siemens has done nothing to date or announced any plan to date to mitigate the S7 vulnerability to this type of attack.
So where are the warning in the trusted advisories that S7 PLC’s, even after all the mitigations suggested in the advisories, are still just as vulnerable as on day one to Stuxnet clones? BTW the infection of the S7 PLC’s does not need to come from the same Window’s zero days or even a PC with a Siemen’s client on it. The goal is to infect the Siemen’s PLC / the ICS process, not the HMI or EWS.
Ralph and I do disagree a bit about how Stuxnet will help other attackers. My belief is that it will be a great help for those wanting to attack S7 PLC’s. They can simply change the process to make the S7 stop working properly or more intelligently alter a specific process or introduce intermittent failures by altering Stuxnet code. This is why owner/operators with S7 controllers should be concerned with the integrity of their process. The advisories and Siemens need to be a lot more vocal about this risk.
Ralph takes a broader view that attackers will learn from the Stuxnet methodology and use this knowledge to attack other PLC’s. He is probably correct, but without the Siemens specific framework in Stuxnet this will require a lot more skill and work. Stuxnet was the realization of what we knew was possible based on lacking authentication in PLC’s, RTU’s and other field devices. Stuxnet exposed this to a broader audience and showed how effective this type of attack can be.