Sometimes with mind-numbing frequency, patches and security advisories from Microsoft, Adobe, and Apple compete for an ever-increasing amount of attention from administrators. Little wonder then, that most will have greeted with a mild yawn the latest announcement of another zero day attack — this one named the “Stuxnet Attack.” Just as I was about to file this latest message under “Priority - To Be Reviewed,” the sender’s name jarred me to attention: Managing Automation.
Managing Automation is a periodical with a healthy web presence that tends to cover topics from the supply chain, manufacturing, process control, and product lifecycle management. Over the past five years or more, the editorial focus has branched out to cover additional topics more familiar to network administrators: e.g., security event management for industrial systems, defenses against industrial espionage, etc. Despite this new coverage area, Managing Automation topics are rarely vehicles for malware notification. It was noteworthy then, to see author Chris Chiappinelli’s story begin with:
Manufacturers worldwide have been put on notice that an insidious virus targeting supervisory control and data acquisition (SCADA) systems is on the loose.
The targets of the malware are Siemens’ SIMATIC WinCC and PCS7 software, integral components of the distributed control and SCADA systems that facilitate production operations in many process manufacturing companies…
Those not in the manufacturing and process engineering fields may be unaware of Siemens SIMATIC and PCS7 software. How important was this emerging threat, in a field rife with worries that are sometimes alarmist and self-serving? Important. This time there is legitimate cause for concern.
Wired’s Kim Zetter wrote in a post the same day as the Managing Automation announcement that “the emergence of malware targeting a SCADA system is a new and potentially ominous development for critical infrastructure protection.” Network World’s Ms. Smith quotes F-Secure’s warning that the vulnerability poses “a risk of virus epidemic at the current moment.” Finally, it may be standard lingo for such announcements, but Microsoft’s July 16th announcement of Security Advisory 2286198 advised customers to visit Microsoft’s general support portal and to “contact the national law enforcement agency in their country.”
All of this was more than enough to get my attention.
While SCADA systems are often not regularly connected to the Internet, they are networked and are subject to the usual array of vulnerabilities. (Promotional web copy for the Siemens product that is the target of this attack explicitly mentions Ethernet switches and wireless LANs.) Public officials such as Richard Clarke have warned about risks to SCADA systems, but there have been few examples to rally the troops. While the particular vulnerability — a hard-coded password allowing access to the Siemens software’s back end data base — is not especially remarkable (though it does both date the software and call into question software quality review processes at Siemens), the malware packs a punch.
Thought to mainly spread by USB stick, or possibly by network shares, it cannot be defeated by simply turning off Windows autorun; simply viewing an infected file system will install the malware. A security specialist at Tofino believes that this zero-day attack, which affects all versions of Windows, may have been in the wild for a month or more. Preliminary assessments indicate that the malware does not appear designed to cripple infrastructure, but rather to steal information from SIMATIC WinCC / PCS7 implementations — i.e., some form of industrial espionage. Of course that espionage could later be used to wreak havoc on these same or similarly configured systems.
Recent press and analyst coverage has addressed both the threats to SCADA networks, and also the broader Windows vulnerability which the worm uses to spread (it exploits a code that interprets Windows shortcuts, i.e., .lnk files). As Microsoft noted in their analysis of the exploit, which has been named the “Stuxnet” threat, this is a new method of propagation which leverages a flaw in the way the Windows Shell “parses shortcuts.” Stuxnet has been cataloged as CVE-2010-2568 at Mitre’s CVE. For its part, Microsoft has proposed a workaround of sorts, and updated its own detection engines.
As if that wasn’t enough, the attack also involved theft of a signed Verisign digital certificate owned by Realtek Semiconductor. This certificate was used to authenticate drivers needed by Stuxnet when it self-installs, though Microsoft has since persuaded Verisign and Realtek to revoke the certificate. This was the icing on the trojan’s cake.
The Dependency Syndrome
What does all this mean? One lesson — not new, but that is borne out by this incident — is that the Internet-centric orientation of most malware models could miss certain types of threats. SCADA vulnerabilities are just that sort of threat. And while infections might not spread directly from them to general purpose networks, those general purpose networks depend upon SCADA systems for connectivity, power — and even human habitability. The “Dependency Syndrome” asserts that connections between traditional networks such as those managed every day by network administrators, and nontraditional networks such as those hosting SIMATIC WinCC / PCS7, will sooner or later be impossible to detect — and defend against.