What is Stuxnet? Stuxnet is a computer worm designed to target one or more industrial systems that use Siemens PLCs. The objective of this malware appears to be to destroy specific industrial processes. Browse our resource center to learn more.
Is Field-Based Control More Secure?
If We Hide Our Controls in Field Devices, Are We More Immune From the Infections of the Higher-Level Networks?
Reader Feedback: Cybersecurity Risk
When Will the Government Take Cybersecurity Risks Seriously?
Why Nuclear Needs Process Automation
The Key to the Safety of Nuclear Power Plants Is to Maintain the Availability of Coolants, Even if All Electric Power Supplies Fail
Process Security is a Never-Ending Journey
Users and Suppliers Must Collaborate to Patch Control System Vulnerabilities
White Papers: In Depth Research
Post-Stuxnet Industrial Security: How to Detect Industrial Malware on Day Zero
Author: Phoenix Contact
Preventing the next Stuxnet-like attack on the control world might be impossible, but operators can mitigate the effects and contain worms and viruses through early detection.
- Although the Stuxnet worm has received a great deal of media attention, the greater threat to most control systems is that copycats could use Stuxnet as a blueprint for future attacks.
- An ideal network security appliance with both preventive and diagnostic functions can boost security against Stuxnet-like attacks and reduce their associated risks.
- While such a device will not completely prevent malware infections, fast and reliable discovery of such infections is a key aspect of protection.
Following its discovery in June 2010, the Stuxnet worm caused a worldwide sensation. It is the first publicly known rootkit attack targeted at industrial plants. It has infected tens of thousands of PCs, and abused and manipulated automation software running on Windows operating systems. Its ultimate purpose: to infiltrate malicious code into the controllers of specific real-world industrial installations.
Experts have long warned that malware and insufficient IT security pose a threat to automation networks, but Stuxnet offers concrete proof that these threats can no longer be ignored. The actual hazard, however, no longer originates from Stuxnet itself, but rather comes from mutations that copycats can now create with the same basic techniques. And while Stuxnet focused on products from the Siemens SIMATIC family and on STEP 7 PLC projects with very specific properties, such mutations could affect components from other vendors as well, ultimately turning out malware a lot less selective in its damaging impact.
Apart from the fact that industrial PCs are often not (and cannot be) equipped with antivirus software, Stuxnet has also made clear that conventional virus scanners do not provide protection against this caliber of attacks. The analysis of Stuxnet has shown that the worm had been around in the wild unnoticed for at least 12 months before its discovery. Because Stuxnet did not use any of the known malware signatures, existing antivirus programs did not detect it during that time.
How Stuxnet Spreads - A Study of Infection Paths in Best Practice Systems
Author: Tofino Security | Abterra Technologies | ScadaHacker.com
The Stuxnet worm is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC, S7 and PCS 7 control systems. The worm used both known and previously unknown vulnerabilities to spread, and was powerful enough to evade state-of-the-practice security technologies and procedures.
Since the discovery of the Stuxnet worm in July 2010, there has been extensive analysis by Symantec, ESET, Langner and others of the worm’s internal workings and the various vulnerabilities it exploits. From the antivirus point of view, this makes perfect sense. Understanding how the worm was designed helps antivirus product vendors make better malware detection software.
What has not been discussed in any depth is how the worm might have migrated from the outside world to a supposedly isolated and secure industrial control system (ICS). To the owners and operators of industrial control systems, this matters. Other worms will follow in Stuxnet's footsteps and understanding the routes that a directed worm takes as it targets an ICS is critical if these vulnerable pathways are to be closed. Only by understanding the full array of threats and pathways into a SCADA or control network can critical processes be made truly secure.
It is easy to imagine a trivial scenario and a corresponding trivial solution:
Scenario: Joe finds a USB flash drive in the parking lot and brings it into the control room where he plugs it into the PLC programming station.
Solution: Ban all USB flash drives in the control room.
While this may be a possibility, it is far more likely that Stuxnet travelled a circuitous path to its final victim. Certainly, the designers of the worm expected it to - they designed at least seven different propagation techniques for Stuxnet to use. Thus, a more realistic analysis of penetration and infection pathways is needed.
This White Paper is intended to address this gap by analyzing a range of potential "infection pathways" in a typical ICS system. Some of these are obvious, but others less so. By shedding light on the multitude of infection pathways, we hope that the designers and operators of industrial facilities can take the appropriate steps to make control systems much more secure from all threats.
Using Tofino to Control the Spread of Stuxnet Malware
This application note describes how to use the Tofino Industrial Security Solution to prevent the spread of the Stuxnet worm in both Siemens and non-Siemens network environments.
What is Stuxnet?
Stuxnet is a computer worm designed to target one or more industrial systems that use Siemens PLCs. The objective of this malware appears to be to destroy specific industrial processes.
Stuxnet will infect Windows-based computers on any control or SCADA system, regardless of whether or not it is a Siemens system. The worm only attempts to make modifications to controllers that are model S7-300 or S7-400 PLCs. However, it is aggressive on all networks and can negatively affect any control system. Infected computers may also be used as a launch point for future attacks.
How Stuxnet Spreads
Stuxnet is one of the most complex and carefully engineered worms ever seen. It takes advantage of at least four previously unknown vulnerabilities, has multiple propagation processes and shows considerable sophistication in its exploitation of Siemens control systems.
A key challenge in preventing Stuxnet infections is the large variety of techniques it uses for infecting other computers. It has three primary pathways for spreading to new victims:
- via infected removable USB drives;
- via Local Area Network communications
- via infected Siemens project files
Within these pathways, it takes advantage of seven independent mechanisms to spread to other computers.
Stuxnet also has a P2P (peer-to-peer) networking system that automatically updates all installations of the Stuxnet worm in the wild, even if they cannot connect back to the Internet. Finally, it has an Internet-based command and control mechanism that is currently disabled, but could be reactivated in the future.
Access the entire print issue on-line and be notified each month via e-mail when your new issue is ready for you. Subscribe today.
- Featured White Papers