Security

Network admins must beware of Stuxnet: A SCADA System worm

Learn why Mark Underwood looks at Stuxnet as a new kind of threat that network admins should not simply classify with the regular barrage of security advisories. Find out more about this worm and its target.

Sometimes with mind-numbing frequency, patches and security advisories from Microsoft, Adobe, and Apple compete for an ever-increasing amount of attention from administrators. Little wonder, then, that most will have greeted with a mild yawn the latest announcement of another zero-day attack -- this one named the "Stuxnet Attack." Just as I was about to file this latest message under "Priority - To Be Reviewed," the sender's name jarred me to attention: Managing Automation.

Managing Automation is a periodical with a healthy web presence that tends to cover topics from the supply chain, manufacturing, process control, and product lifecycle management. Over the past five years or more, the editorial focus has branched out to cover additional topics more familiar to network administrators: e.g., security event management for industrial systems, defenses against industrial espionage, etc. Despite this new coverage area, Managing Automation topics are rarely vehicles for malware notification. It was noteworthy then, to see author Chris Chiappinelli's story begin with:

Manufacturers worldwide have been put on notice that an insidious virus targeting supervisory control and data acquisition (SCADA) systems is on the loose.

The targets of the malware are Siemens' SIMATIC WinCC and PCS7 software, integral components of the distributed control and SCADA systems that facilitate production operations in many process manufacturing companies...

Those not in the manufacturing and process engineering fields may be unaware of Siemens SIMATIC and PCS7 software. How important was this emerging threat, in a field rife with worries that are sometimes alarmist and self-serving? Important. This time there is legitimate cause for concern.

Wired's Kim Zetter wrote in a post the same day as the Managing Automation announcement that "the emergence of malware targeting a SCADA system is a new and potentially ominous development for critical infrastructure protection." Network World's Ms. Smith quotes F-Secure's warning that the vulnerability poses "a risk of virus epidemic at the current moment." Finally, it may be standard lingo for such announcements, but Microsoft's July 16th announcement of Security Advisory 2286198 advised customers to visit Microsoft's general support portal and to "contact the national law enforcement agency in their country."

All of this was more than enough to get my attention.

While SCADA systems are often not regularly connected to the Internet, they are networked and are subject to the usual array of vulnerabilities. (Promotional web copy for the Siemens product that is the target of this attack explicitly mentions Ethernet switches and wireless LANs.) Public officials such as Richard Clarke have warned about risks to SCADA systems, but there have been few examples to rally the troops. While the particular vulnerability -- a hard-coded password allowing access to the Siemens software's back-end database -- is not especially remarkable (though it does both date the software and call into question software quality review processes at Siemens), the malware packs a punch.

Thought to spread mainly by USB stick, or possibly by network shares, it cannot be defeated by simply turning off Windows autorun; simply viewing an infected file system will install the malware. A security specialist at Tofino believes that this zero-day attack, which affects all versions of Windows, may have been in the wild for a month or more. Preliminary assessments indicate that the malware does not appear designed to cripple infrastructure, but rather to steal information from SIMATIC WinCC / PCS7 implementations -- i.e., some form of industrial espionage. Of course that espionage could later be used to wreak havoc on these same or similarly configured systems.

Recent press and analyst coverage has addressed both the threats to SCADA networks and the broader Windows vulnerability which the worm uses to spread (it exploits the code that interprets Windows shortcuts, i.e., .lnk files). As Microsoft noted in its analysis of the exploit, which has been named the "Stuxnet" threat, this is a new method of propagation which leverages a flaw in the way the Windows Shell "parses shortcuts." The underlying shortcut-parsing vulnerability has been cataloged as CVE-2010-2568 in Mitre's CVE list. For its part, Microsoft has proposed a workaround of sorts, and updated its own detection engines.

There's more

As if that wasn't enough, the attack also involved theft of a code-signing certificate issued by VeriSign to Realtek Semiconductor. This certificate was used to sign the drivers Stuxnet needs when it installs itself, so that they appear to come from a legitimate vendor, though Microsoft has since persuaded VeriSign and Realtek to revoke the certificate. This was the icing on the trojan's cake.

The Dependency Syndrome

What does all this mean? One lesson -- not new, but that is borne out by this incident -- is that the Internet-centric orientation of most malware models could miss certain types of threats. SCADA vulnerabilities are just that sort of threat. And while infections might not spread directly from them to general purpose networks, those general purpose networks depend upon SCADA systems for connectivity, power -- and even human habitability. The "Dependency Syndrome" asserts that connections between traditional networks such as those managed every day by network administrators, and nontraditional networks such as those hosting SIMATIC WinCC / PCS7, will sooner or later be impossible to detect -- and defend against.

About

Mark Underwood ("knowlengr") works for a small, agile R&D firm. He thinly spreads interests (network manageability, AI, BI, psychoacoustics, poetry, cognition, software quality, literary fiction, transparency) and activations (www.knowlengr.com) from...

23 comments
jkameleon

I used to work in industrial automation some 20 years ago. Back then, PCs were considered totally unreliable, justifiably so. The typical PC running Windows 3.x behaved pretty much like a typical malware-infected PC of today: slow and crashable. That's why PCs were used mostly for display and data logging, while critical processing was done by microcontrollers and PLCs. When critical commands had to be entered via display, keyboard & mouse, dedicated computers were used. In any case, PLCs & microcontrollers were programmed not to trust the SCADA entirely, and to reject commands which could cause direct damage. As a matter of fact, all computers were considered a bit unreliable, including PLCs. Consequently, electromechanical failsafes were placed wherever possible. It was nearly impossible to cause serious damage to a well-designed system via SCADA alone. I sure hope the same philosophy still holds today. Especially in that Iranian nuclear power plant Stuxnet is allegedly targeting.

Photogenic Memory

Only he can tell us truly scary stories about malware. Maybe he can teach this young buck a thing or two. Just playin! ROFL!! But damn!! The threat was hard to figure out from this Jar Jar Binks style rant. Writing is just like speaking; YOU HAVE TO DELIVER or your audience gets hella-bored QUICK! Something to grow on.

knowlengr

Dark Reading reports today on misconfigured VxWorks devices that include ". . . VoIP equipment and switches, DSL concentrators, industrial automation systems for SCADA environments, and Fibre Channel switches." http://bit.ly/dosxEl

andrejakostic

Interesting article. A few days ago I was shocked when I found out that a lot of power plants in my country still keep their 70s dinosaurs in working order. I understand them now. A properly set-up obsolete mainframe is way better than running a plant by hand if SCADA viruses start spreading and doing real damage. We have industrial espionage now. How far away are viruses which will actually attempt to sabotage industrial complexes, especially at the most critical moments?

marks

This article is like calling 911 with a fire warning but giving no location. I have no doubt that it is important and something should be done. But what and by whom? No symptoms are given that would allow anyone to detect an infection. No indication of the severity of damage one might expect is given. Worst of all, there is no indication of remedial actions that should or can be taken. Don't ring my fire alarm if you don't have something specific in mind that I should do. WDM

wdewey@cityofsalem.net

The life cycle for SCADA equipment is usually 15 to 20 years, instead of 5 years for typical IT equipment. It's expensive and risky to upgrade control systems. Bill

mustafaozkan77

http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
http://www.scribd.com/doc/11531054/1052-Hacking-Scada
Note the 3K explosion, "the most monumental non-nuclear explosion"; below is a detailed link for it:
http://www.builderau.com.au/architect/work/soa/US-software-blew-up-Russian-gas-pipeline-/0,339024596,320283135,00.htm
I am an automation engineer. I never considered being a web developer or a DB admin because I like controlling hardware and seeing something physically happen because of your code. Several years ago, some robots in our plant started working slowly. We found that it was caused by a worm spreading over the company's network and consuming huge bandwidth. It took more than several hours to fix it. Probably, hackers of the future will be involved in SCADA attacks more than in deleting data or abusing web pages. Someone could get injured and even die in case of SCADA attacks, so I believe that securing SCADA is more critical than securing ordinary IT systems.

knowlengr

Complaint ack'd. However, since the alarm went out last week in numerous places, my focus wasn't to repeat it here. The links given accomplish that. Cheers

iamsource

Aliases: VirTool:WinNT/Rootkitdrv.HK (other), Trojan horse SHeur3.XLI (AVG), Sus/UnkPack-C (Sophos), Rootkit.TmpHider (other)
Alert Level: Severe
Summary: TrojanDropper:Win32/Stuxnet.A is a trojan that drops and installs other Stuxnet components detected as Trojan:WinNT/Stuxnet.A and Trojan:WinNT/Stuxnet.B. It also injects code into certain processes. The injected code contains links to certain football betting websites.
Symptoms: The following system changes may indicate the presence of this malware:
- The presence of the following files:
  system folder\mrxcls.sys
  system folder\mrxnet.sys
- The presence of the following registry keys:
  HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
  HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

Aliases: VirTool:WinNT/Rootkitdrv.HK (Microsoft), Win32/Rootkit.Agent.NTK (ESET)
Alert Level: Severe
Summary: Trojan:WinNT/Stuxnet.B is a trojan component that loads other malware and is installed by TrojanDropper:Win32/Stuxnet.A.
Symptoms: The following system changes may indicate the presence of this malware:
- The presence of the following files:
  system folder\mrxnet.sys
- The presence of the following registry keys:
  HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

Is this specific enough for you? It even gets more specific, see here:
Details from the Microsoft Malware Protection Center, "The Stuxnet Sting": http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx
and here: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWinNT%2FStuxnet.B
and here: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FStuxnet.A&ThreatID=-2147331492
Also look at this article: http://www.eweek.com/c/a/Security/Stuxnet-Malware-Still-Exploiting-Microsoft-Windows-Security-Hole-166909/
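The file and service indicators quoted in the comment above can be checked on a Windows host with the script below. It is an added example, not the commenter's or Microsoft's code; it assumes "system folder" means %SystemRoot%\System32 (the drivers subfolder is checked as well) and uses Get-AuthenticodeSignature to surface the signer of any driver found, which is how the stolen Realtek certificate the article mentions would show up.

```powershell
# Added example: look for the Stuxnet indicators listed in the comment above
# (driver files and service registry keys) and report the driver signer.
# Assumption: "system folder" = %SystemRoot%\System32; the drivers subfolder
# is searched too. Run from an elevated PowerShell prompt.
$driverNames  = @('mrxcls.sys', 'mrxnet.sys')
$serviceNames = @('MRxCls', 'MRxNet')

$searchDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System32\drivers')
)

$findings = @()

foreach ($dir in $searchDirs) {
    foreach ($name in $driverNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            # Record who signed the file: the article notes the Stuxnet drivers
            # carried a certificate issued to Realtek Semiconductor.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $findings += [pscustomobject]@{
                Type   = 'File'
                Name   = $path
                Detail = "signer: $($sig.SignerCertificate.Subject); status: $($sig.Status)"
            }
        }
    }
}

foreach ($svc in $serviceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        # ImagePath tells us which driver binary the service would load.
        $imagePath = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += [pscustomobject]@{
            Type   = 'Registry'
            Name   = $key
            Detail = "ImagePath: $imagePath"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Stuxnet file or service indicators found.'
} else {
    Write-Warning "$($findings.Count) indicator(s) found; isolate the host and preserve the files for analysis."
    $findings | Format-Table -AutoSize
}
```

A clean result only means these particular components are absent; an updated anti-malware engine with the detection names quoted above remains the more complete check.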

spage

Understandably this is an issue, but to whom? The article fails to connect the story to the everyman corporate and small business CIO/IT Director. I feel for the manufacturing field, but is this a RED ALERT scenario for the rest of us?

knowlengr

Interesting stories. I hadn't seen these reports.

paslot

Can this worm be manually deleted from the system file where it's created?

taylorstan

It's not about the system or sector that STUXNET is attacking. It's about the concept that an undetectable piece of malware is attacking a network or system that no one probably worried about. I doubt there is Norton A/V that you run on this system. So think about your own network. What non-Microsoft, non-mainstream systems do you deploy? How about that new car you bought with built-in Bluetooth technology? Your kid d/l's a file on their iPod and links it to the car stereo. Then when the file is accessed, a code is sent to the car's computer via the link between them for speed volume control. By the way, that code was to disable the brakes and increase the throttle. Is this likely? No, but possible. We forget that although some devices may not be directly connected to the Internet, they are connected to a network, or become connected at some point. The bad guys understand this and are finding ways to infect these systems that we thought were "secure". That is Everyday IT, as you put it.

Andrzej_Ladosz

Our company, producing paper, is controlled by SCADA systems from the electrical energy supply (utility and own generators), through wood processing machines (chippers) and the whole production line, to the waste and water treatment plants. With very little effort (in software) you can destroy the whole mill: exceed some parameters (pressure or something else), let it explode and rip some equipment carrying strong chemicals (for example HCl = hydrochloric acid). That, carried by wind and/or water, will kill the local population... In case of emergency ALL personnel including contractors have gas masks. Mine is in the drawer below the computer here. It is only to escape. Many windsocks around indicate the direction to choose. In the town people don't have all of that. They don't have to have computers to be affected. The OS is also irrelevant...

Lazer_x

I work for a public water supply (PSD). We have Siemens equipment in the plant, and from one end of the system to the other. Lots of it on the INTERNET as a comm. link. Used to control chemical feed pumps, monitor water quality at remote system sites, etc. I won't go into any more detail. I'm sure you can see the potential for a large number of people. As a SCADA field tech, let me invite you to go to the kitchen, run out a glass of water and really think about this while you drink it. Did it taste a little different this time??

e.tamanisau

While this will not apply to the majority of IT personnel, it serves as good awareness of what is happening in other sectors, especially since the "brain" behind a SCADA system is a computer. It might not affect us as IT jockeys per se; however, its use in controlling water treatment plants, sewerage systems, electrical power transmission and large communication systems makes it important for us to at least know something about it.

Ole88

I agree with your statement primarily because I support SCADA systems that cover a municipal collection system, distribution system, two wastewater treatment plants and a water filtration plant. If the SCADA system goes down at one of them there could be sewer spills (leading to a very sick public), water hammers (blow the top right off your sink), improper chemical levels that could damage the environment or poison unsuspecting people - and the list goes on. Just because you don't work with it doesn't mean you shouldn't pay attention. I am not an Oracle DBA (nor do I want to be), but I still pass on information I get about patches or bugs to our Oracle DBAs. Why? Because I believe that we all should help each other and at least be aware of what is going on. The minute you turn a blind eye on something or think it can't affect you - it will.

jereg

I share your concerns. Anything attached to a network is a potential target. While I like the idea of instant data collection, the downside is too great. I don't want anything in my home except my PC connected to the outside.

dduffy

Besides the SCADA systems, I see problems coming on the horizon with BACnet, ZigBee, and all these SMART meters all the power companies are installing. Imagine, someone can shut down your business' HVAC, power, and even other SMART devices.