What does Stuxnet mean to the ICS community and how will this change ICS cyber security
Stuxnet is arguably the first cyber attack specifically targeting ICS devices. It is a very sophisticated attack that gets around multiple security barriers and utilizes multiple vectors. The Siemens PLC default password was published in public forums in Germany and Russia in 2008. Stuxnet targets the Siemens PLC using that default password, which is hardcoded into the Siemens software. Stuxnet has been in the wild since June 2009 and was upgraded at least once in early 2010. It is not clear who developed Stuxnet, what Stuxnet is trying to accomplish, or when the Stuxnet payload is to be activated. There have been estimates that Stuxnet cost over $1 million to develop and deploy. This is clearly not something an amateur hacker could do, but it is certainly something within the capabilities of a major corporation or nation state to accomplish. It is probable this approach could target other ICS vendors.
Specifically, Stuxnet has demonstrated:
- We really do not know what an ICS cyber attack will look like or what control system unique attributes it will target.
- A sophisticated attack such as Stuxnet most likely won’t be found by ICS IDS/IPS or ICS security researchers. The DOE-funded Digital Bond effort to develop IDS rules and signatures was not effective, as those rules did not address the Stuxnet worm. The DOE-funded Bandolier project did not address older versions of Windows, which are prevalent in many ICS installations and are vectors for Stuxnet. The DOE-funded Integrated Security System didn’t find it, and ironically the project lead was Siemens Corporate Research.
- We need to understand the unique ICS cyber vulnerabilities that would not be discovered via a typical IT analysis.
- The Stuxnet code is modular and many parts of the Stuxnet code could be applied to any ICS vendor. We need to be prepared for a targeted cyber attack against any ICS vendor and have recovery activities in place.
- Antivirus solutions may not be successful. Until we understand the actual attack, IT-type solutions can provide a false sense of security and/or impact the performance of the device.
- It took very experienced IT security researchers to find the worm, but it will take knowledgeable ICS personnel to understand the payload. This is a critical understanding. Finding malware is not the same as understanding what its purpose is or what its attack vectors threaten. We need an integrated team of IT security researchers, ICS experts, threat analysts, and forensic experts to address these sophisticated types of attacks.
- There may be possible connections with previous cyber outbreaks (e.g., Conficker). It is important to connect the dots and reexamine previous ICS cyber incidents in light of these “new” attacks.
- The Stuxnet worm represents a different form of interdependency – ICS vendors. In this case, infecting Siemens PLCs can affect multiple industries each of which can have other interdependencies. These interdependencies need to be understood.
- The NERC CIP process is ineffective at addressing an event such as Stuxnet, particularly in an operational (substation or plant) environment. Aurora was not addressed in a timely manner, and it is now three years later. This is a real threat, and the nation may not have three more years. Congress needs to give FERC (for electric) and DHS (for other critical infrastructures) immediate emergency powers; NRC already has the authority for nuclear plants.
- The concept of defense-in-depth needs to be reconsidered in light of Stuxnet.
- Stuxnet places a critical aspect of the smart grid in jeopardy – reliance on key management. Smart Grid cyber security mitigation approaches need to be reexamined.
In order to address many of these issues at the September 20th ACS Conference, I have asked Siemens and Symantec to discuss what they have found. In particular, how did Symantec find the worm that is buried within the PLC and could not be found by ICS researchers? What has Siemens found as a payload, can the payload be easily modified, and can it affect upstream or downstream devices? I have also asked Kaspersky to discuss how they found the worm as early as June 2009.