By Nancy Bartels
We can't say we weren't warned. For years, the doubters and naysayers have been warning us that maybe all this PC-based computing and connectivity on the factory floor was a bad idea.
Security was always one of the main concerns. But the warnings were drowned out in the noise of the inexorable march to PCs on the plant floor and Internet connectivity.
Meanwhile, control engineers were used to working with closed systems that were pretty well blocked from outside mischief makers, and IT people, who did have a grasp of cyber security issues, were clueless about control systems and their unique security problems. So we've limped along with a few folks from both disciplines doing their best to bridge the gap, struggling to overcome institutional inertia, preaching cyber security best practices, training people to think differently and hoping for the best.
As of July 14, that strategy is no longer good enough.
On that day, Siemens was notified of a security breach within Windows, which could potentially affect its Simatic WinCC SCADA software and the PCS7 DCS, which uses WinCC as its HMI, and the S7 controller. First to discover the worm in June of this year was the Belarus-based maker of the VirusBlokAda anti-virus product. In July, Byres Security's (www.tofinosecurity.com) chief technology officer, Eric Byres, confirmed that Siemens and its users were experiencing "a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7." Later, it was reported that older versions of Windows, which Microsoft no longer supports, were vulnerable as well.
For the uninitiated, a "zero-day" exploit is one that uses a previously unidentified security breach that only becomes apparent because of and at the same time as the original attack, and leaves all other users of the same system or systems at risk until such time as the vulnerability is eliminated.
According to Nicolas Falliere of security vendor Symantec (www.symantec.com), "Stuxnet can steal code and design projects and also hide itself using a classic Windows rootkit, but unfortunately it can also do much more. It has the ability to take advantage of the programming software to also upload its own code to a PLC typically monitored by SCADA systems. Stuxnet then hides these code blocks, so when programmers using an infected machine try to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn't just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC."
Falliere adds, "In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read and write functions, so that you can't accidentally overwrite the hidden blocks as well. Stuxnet contains 70 encrypted code blocks that appear to replace some ‘foundation routines' that take care of simple, yet very common tasks, such as comparing file times, and others that are custom code and data blocks. By writing code to the PLC, Stuxnet can potentially control or alter how the system operates."
Byres adds that Stuxnet "uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens," which it then attempts to export via an Internet connection to a remote server."
Furthermore, says John Cusimano, director of security services at security services and certification vendor exida (www.exida.com), that while this virus seems to have been coded specifically for Siemens products, other products could be just as vulnerable. "WinCC is by far the largest SCADA HMI package. It's embedded into everything. Whether you know you're buying it or not, it may be embedded [in your system]. That's probably why it was the target."
The situation gets even scarier. After Stuxnet was created—and Symantec says that initial versions were circulating as early June of last year—its developers created a second, much more powerful iteration that allowed it to spread among USB devices with virtually no intervention by the victim. They also got their hands on encryption keys belonging to chip companies Realtek and JMicron and digitally signed the malware, so antivirus scanners would have a harder time detecting it. This has allowed Stuxnet to defeat multiple factor authentication.
Not Just a Prank
Stuxnet is not some prank cooked up by a kid with more cyber smarts than sense. The sophistication of the attack and the kind of money that must have been spent on it suggest the perpetrators have a more serious agenda. What that might be is open to speculation. Intellectual property theft is one likely possibility, but other, even more disturbing ideas come to mind as well—state sponsored espionage, nationalistic, political or religious groups "sending a message" or even terrorism.
Joe Weiss, author of ControlGlobal.com's "Unfettered" blog and principal at Applied Control Solutions (ACS, http://realtimeacs.com) says, "Many people think of Stuxnet as a data exfiltration issue. This does not seem credible to me for at least two reasons. First and foremost, why go to a controller unless you want to take control? If you want economic data, go to an archival database. Secondly, zero-day Microsoft vulnerabilities and counterfeit digital signatures are extremely expensive. I find it very unlikely that a cost-benefit can be made for this kind of investment if the sole purpose was economic espionage. It is not clear yet what Stuxnet has been programmed to do or when it will be activated, but it certainly has something to do with control. Although Stuxnet could have been used by a counterfeiter to steal industrial secrets, Kaspersky Lab's (http://usa.kaspersky.com/) Roel Schouwenberg suspects a nation-state was behind the attacks."