Stuxnet – marking the beginning in Cyberwar of zero-day malware targeting physical systems
While most new threats are geared towards financial gain, in June 2010, we witnessed what is considered to be the first major attack designed to harm physical systems. This malware was designed to go after Supervisory Control and Data Acquisition (SCADA) systems. SCADA systems are designed to control and monitor various processes within industrial systems. The Windows-specific worm used various zero-day attacks to target Siemens’s WinCC/PCS 7 SCADA software. It then spread via infected USB flash drives then used other exploits to go after network-based WinCC computers.
After getting inside the system, it used default passwords to command the software. What made Stuxnet so different than the other attacks during 2010 was the level of sophistication, the fact that it specifically targeted critical infrastructure, in particular, that used in controlling Nuclear power plants or Nuclear research facilities, and the geo-specific location of the target – that being facilities in Iran. Also of interest, Stuxnet surfaced in other countries without causing any known harm. Even if it never takes a system down, it did its job – folks in Iran are most likely questioning the safety of all of their SCADA equipment, most likely believing the systems have been compromised, whether or not they actually know how far the zero-day worm travelled into their country or their Nuclear facilities.
Without strong Host-based Intrusion Prevention (HIPS) in conjunction with Network Access Control (NAC), these upgraded SCADA systems, now with TCP/IP touch points, will become a major target. Most of the new malware targeting these systems will not be easily discovered by traditional UTM firewalls, Intrusion Prevention Systems (IPS) or Anti-virus Systems (AVS). It’s going to take a heuristic, real-time analysis – looking for oddities in network traffic communication requests from potentially compromised hosts. Also, by removing most Common Vulnerabilities and Exposures (CVEs), the risk of these infections will be reduced but not completely mitigated due to the surgical precision of new malware targeting these systems. It seems that nearly an unlimited amount of malware intelligence research and development went into the Stuxnet worm – there will be much more targeting Critical infrastructure in the very near future.
In recent years, Railroad executives claimed that they’ve become IT managers. With a few bits flipped, a train can be moved from one track to another and would potentially collide with another train, causing massive casualties, if it weren’t for new software written specifically for these archaic systems, to ward off a collision through automated collision avoidance detection. It’s simple software tweaks like these that can make the difference between life and death in Critical infrastructure.
Recently a teenage hacker who didn’t think of himself as a cyberterrorist was playing around with good old fashioned war-dialing software – he found a modem pool at an airport and was able to login to the computer that turned the airport lights on and off. He turned them off during the night when planes were landing. Good thing the pilots could key their microphone on a certain frequency and get the lights back on just in time to land safely. Expect the innovations in this area to outpace traditional countermeasures.
IT / SCADA practitioners in Critical infrastructure need to protect their networks in the most vigilant methods available with the best of breed technologies where worrying about budgets or brand names are of no use. Most managers in IT usually say I will never get fired for buying XYZ corp’s products (pick one – Cisco, IBM, Microsoft, etc.) but the reality is that these systems are under more scrutiny and attack by cyberterrorists now more than ever. Their vulnerabilities are published monthly in the National Vulnerability Database. To think systems by big brand name vendors will protect critical infrastructure is an absolute fallacy. It’s time to look at high-level policies, procedures, strategies and lesser known more innovative products and technologies that won’t telegraph easily to these bad guys– making it even harder for them to successfully break in and cause critical damage where it hurts the most.