David Hatchell
Manager, Energy & Utilities
David Hatchell is manager of the energy and utilities vertical focusing on ...
The Stuxnet malware that recently surfaced is one key example of why McAfee is involved in protecting critical infrastructure such as the energy sector from attacks.
Stuxnet is the first piece of malware that exploits a zero-day vulnerability in Windows to target control systems and utility companies. It is apparent that the Stuxnet creator used a combination of vulnerability knowledge, hacking pragmatism and possible physical security breaches to execute an attack targeted at critical infrastructure systems.
The advanced knowledge that the Stuxnet attack displays is intriguing for two main reasons. First, the malware executes and propagates by exploiting a previously unknown Windows vulnerability. Second, the malware components include two drivers with rootkit behavior that are digitally signed, which is unusual for malware.
These two points have been covered broadly in the media. I’d like to focus on the potential impact on compromised systems, the complexity of the coordination of different vectors of attack, as well as what this means for the energy sector.
Here’s what we know so far about how Stuxnet operates:
1. A user connects a USB drive (or other removable media) to a system.
2. The infected drive exploits the zero-day Windows Shell vulnerability to run the malware.
3. The malware searches the compromised system for the database of the Siemens SIMATIC WinCC SCADA software. (Fortunately, one of the certificates used to sign the malware has been revoked, with another revocation pending.)
4. The malware uses a hard-coded password in the Siemens WinCC system to access operational data of the control systems stored in the WinCC software's SQL database.
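Because the WinCC database password cannot simply be rotated without risking availability, a practical compensating control is to watch how that account is used. The following is an added example (not the author's, McAfee's or Siemens' code) that flags any use of the shared database account outside an allowlist of approved HMI hosts and the WinCC application; the audit-line format, field names and account name are assumptions, and the log lines are constructed.

```python
"""Compensating detection for step 4 above: alert whenever the shared WinCC
database account is used from anywhere other than approved HMI hosts running
the WinCC application.  Account name, hosts and line format are assumptions."""
import re
from typing import Dict, List

# Hypothetical allowlist of (host, application) pairs allowed to open the
# WinCC project database with the shared application account.
APPROVED_DB_CLIENTS = {("HMI01", "WinCC"), ("HMI02", "WinCC")}
DB_APP_ACCOUNT = "wincc_app"   # placeholder name, not the real Siemens account

# Constructed SQL Server login audit lines (key=value, one event per line).
SAMPLE_AUDIT = """\
2010-07-20T10:15:02 host=HMI01 user=wincc_app app=WinCC status=success
2010-07-20T10:15:40 host=ENG-LAPTOP user=wincc_app app=sqlcmd status=success
2010-07-20T10:16:05 host=HMI02 user=wincc_app app=WinCC status=success
2010-07-20T10:16:30 host=HMI01 user=wincc_app app=unknown status=success
2010-07-20T10:17:00 host=HMI01 user=operator3 app=WinCC status=failure
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one audit line into a dict; the leading timestamp has no key."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def find_db_account_misuse(audit_text: str) -> List[str]:
    """Return one alert per use of the shared account from a (host, app) pair
    that is not on the allowlist.  Other accounts are left to normal review."""
    alerts = []
    for line in audit_text.splitlines():
        ev = parse_event(line)
        if ev.get("user") != DB_APP_ACCOUNT:
            continue
        if (ev.get("host"), ev.get("app")) not in APPROVED_DB_CLIENTS:
            alerts.append(f"{ev['ts']} {DB_APP_ACCOUNT} used from "
                          f"{ev.get('host')} via {ev.get('app')}")
    return alerts


if __name__ == "__main__":
    for alert in find_db_account_misuse(SAMPLE_AUDIT):
        print("ALERT:", alert)
```

On the constructed sample this raises two alerts: the engineering laptop using sqlcmd and an unknown application on HMI01, while the normal WinCC sessions pass silently.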
What is the potential impact of this event? The target is the Siemens SIMATIC WinCC Supervisory Control and Data Acquisition (SCADA) system. This software acts as the HMI (Human Machine Interface) for a utility’s industrial control systems. An HMI hosts and displays graphical information of control systems that operate key generation and transmission facilities for electricity in a power plant.
HMIs continuously monitor the health, uptime and overall operational status of control systems in a plant. In many cases HMIs are set up to control the process flows between control systems. The graphical information an HMI provides is like a map, just like a diagram of a computer network. The malware potentially hands that map of a piece of critical infrastructure to a malicious entity.
Control Systems Security vs. IT Security
There are many differences between control systems and IT systems. IT has a mantra of delivering confidentiality in tandem with availability, whereas control systems were designed for the elusive seven 9s of availability. Typically control systems are on a separate network from IT systems and are managed by a completely separate team.
The traditional change management processes can be lengthy in a control systems environment due to the constant need for 24/7/365 availability. As a result, patch updates, security updates and remedial hot fixes or workarounds might not always be the first priority.
In this example, Siemens used hard-coded passwords in its application to provide access to its SQL databases. The company has warned that changing these passwords could compromise the availability of the systems. Many security researchers have taken the proverbial hammer to Siemens for this apparent security violation. However, given the need for availability in this environment, the practice is very common.
The U.S. Department of Energy (DOE), the National Institute of Standards and Technology and many private entities have called for bridging the gaps between the disciplines of IT and control systems. This could be done through the establishment of traditional IT process and compliance frameworks like the National Energy Regulatory Council (NERC).
The need for control systems protection has been discussed for a while; however, the threats are still nascent. The events that have occurred in the control systems space have been proof-of-concept attacks, accidents, disgruntled employees, or targeted attacks on a specific installation with forensics too limited to assess the intended effect.
This started to change in 2009, when on April 7 NERC released a public warning that targeted instances of malware from foreign entities were left behind in the electrical grid. We’re seeing another example of this with the Stuxnet attack that is making headlines today.
Let’s look at the sophistication of Stuxnet, assuming that the intent is to compromise our power grid and deliver critical details to rogue elements.
Finding a zero-day vulnerability that allows code execution in Microsoft Windows requires expertise, certainly, but we have seen examples of that many times before. Understanding how to attack control systems demonstrates an unusual amount of sophistication.
The attacker would know that typical SCADA systems have limited network access and limited physical access, through Ethernet ports and USB devices. Add to that the attacker's knowledge of the Siemens control systems, the role they play in the control systems space, and the default hard-coded password used to access the database, and that shows another level of sophistication.
Finally, how did the attacker forge the certificate credentials? Altogether, this is an unusually sophisticated attack.
How to Defend Against Stuxnet
How can one protect against this attack? McAfee has several tools that deal with this particular threat. We need to break the attack down into three components and address the solution for each.
First, the malware: McAfee provides detection for the Stuxnet worm with DAT version 6046. We not only detect but also remove the components associated with this threat. In addition, our McAfee Application Control (formerly Solidcore) product prevents the infection, execution and payload associated with this threat without the need for signature updates.
Second, the vulnerability: McAfee provides detection for the Windows vulnerability in our July 16th, 2010 Vulnerability Manager checks. Vulnerability Manager can be used to find systems that are vulnerable to this threat.
Third, the vehicle: USB drives are one of the primary infection mechanisms, and such devices are pervasive in the control systems world. This attack vector allows the exploit to circumvent perimeter security measures. Tools such as McAfee Device Control allow customers to lock down computers so that they accept only approved USB devices with embedded anti-malware technology, which reduces overall exposure.
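The two host-side components above, application control and device control, both come down to allowlisting rather than signature matching. The following is an added illustration (not McAfee's or Solidcore's code) of that policy: execution is allowed only for binaries on a known-good baseline, so a validly signed but unknown driver is still blocked, and removable media is accepted only if the device itself is approved. The hashes, device identifiers and events are constructed placeholders.

```python
"""Allowlist-based host policy: baseline hashes for execution, approved
device identities for removable media.  All values below are constructed."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple, Union


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed baseline of binaries that belong on this HMI; in practice this
# comes from a known-good image, not from who signed the file.
APPROVED_HASHES = {sha256_hex(b"wincc-runtime-baseline-image"),
                   sha256_hex(b"hmi-viewer-baseline-image")}
# Constructed approved removable devices: (vendor id, product id, serial).
APPROVED_USB = {("0ABC", "1234", "SN-MAINT-001")}


@dataclass
class ExecEvent:
    path: str
    contents: bytes
    signed: bool   # a valid signature is recorded but never grants trust


@dataclass
class UsbEvent:
    vid: str
    pid: str
    serial: str


def decide_exec(ev: ExecEvent) -> Tuple[str, str]:
    """Block anything off the baseline, signed or not; needs no DAT update."""
    if sha256_hex(ev.contents) in APPROVED_HASHES:
        return ("allow", f"{ev.path}: on baseline")
    return ("block", f"{ev.path}: not on baseline (signed={ev.signed})")


def decide_usb(ev: UsbEvent) -> Tuple[str, str]:
    """Refuse unapproved media before the host parses anything on it."""
    if (ev.vid, ev.pid, ev.serial) in APPROVED_USB:
        return ("allow", f"{ev.serial}: approved device")
    return ("block", f"{ev.vid}:{ev.pid}/{ev.serial}: not an approved device")


def evaluate(events: List[Union[ExecEvent, UsbEvent]]) -> List[Tuple[str, str]]:
    return [decide_exec(e) if isinstance(e, ExecEvent) else decide_usb(e)
            for e in events]

SAMPLE_EVENTS = [   # constructed event sequence
    UsbEvent("0ABC", "1234", "SN-MAINT-001"),
    UsbEvent("0ABC", "1234", "SN-UNKNOWN-7"),
    ExecEvent(r"C:\Siemens\WinCC\bin\runtime.exe", b"wincc-runtime-baseline-image", True),
    ExecEvent(r"E:\unknown.sys", b"never seen before", True),
]
```

The last event is the Stuxnet lesson in miniature: the file is validly signed, yet it is blocked because it is not on the baseline.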
What does this mean for the energy industry? Energy and utility companies should be frightened by the sophistication of this attack and fearful of coordinated advanced persistent threats. At McAfee, the Stuxnet attack underscores the importance of what we are doing to secure our digital world.
Furthermore, Stuxnet underscores our recent initiatives to work closely with the DOE, Department of Homeland Security, public and private sector organizations to help bridge the gaps between IT security and control systems security.
A special thanks to Mark Zanotti, CTO of Lofty Perch, for his contributions to my thinking on this blog post, as well as to an executive from a major U.S. utility for their insight.
Tags: Compliance, critical infrastructure, Cybercrime, McAfee Application Control, McAfee Vulnerability Manager, Public Sector
Is it the beginning of cyber war?
@Chris
It is digitally signed with two authentic certificates which were stolen from two certification authorities (JMicron and Realtek).
Please tell us what certificate they used.
I have noticed some unusual torrent files that are signed by unexpected people – I’m wondering if it’s the same cert?
Excellent and informative piece on Stuxnet. We at Nitro are keeping a close eye on Stuxnet, and looking for new ways to detect and prevent this before it reaches the host. Perimeter defense is key, of course, but I’ve always been quick to point out the importance of host defenses as they pertain to control system security. My new mantra is “attackers aren’t afraid to use blended attacks, we can’t be afraid to use blended defense,” and I see the solidcore product especially as a key component of that blended defense.