White Papers

on 'Stuxnet'

  • Defending Against the Dragonfly Cybersecurity Attack Part B – Analyzing the Malware

    The age of malware specifically targeting industrial control systems (ICS) began in 2010 when Stuxnet was revealed to be disrupting operations at one of Iran’s nuclear enrichment facilities. Recently, a sophisticated malware, known as Dragonfly by some and Energetic Bear by others, was discovered executing cyber espionage on industrial facilities. This white paper analyzes the Dragonfly malware campaign, looking at its targets, its methods of attacks, its results and what it means for defending operations from similar attacks with the goal of improving cyber resilience.

    Belden
    10/22/2014
  • Defending Against the Dragonfly Cybersecurity Attacks Part A - Identifying the Targets

    The age of malware specifically targeting industrial control systems (ICS) began in 2010 when Stuxnet was revealed to be disrupting operations at one of Iran’s nuclear enrichment facilities. Recently, a sophisticated malware, known as Dragonfly by some and Energetic Bear by others, was discovered executing cyber espionage on industrial facilities. This white paper analyzes the Dragonfly malware campaign, looking at its targets, its methods of attacks, its results and what it means for defending operations from similar attacks with the goal of improving cyber resilience.

    Belden
    10/22/2014
  • How Stuxnet Spreads - A Study of Infection Paths in Best Practice Systems

    The Stuxnet worm is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC, S7 and PCS 7 control systems. The worm used both known and previously unknown vulnerabilities to spread, and was powerful enough to evade state-of-the-practice security technologies and procedures.

    Since the discovery of the Stuxnet worm in July 2010, there has been extensive analysis by Symantec, ESET, Langner and others of the worm’s internal workings and the various vulnerabilities it exploits. From the antivirus point of view, this makes perfect sense. Understanding how the worm was designed helps antivirus product vendors make better malware detection software.

    What has not been discussed in any depth is how the worm might have migrated from the outside world to a supposedly isolated and secure industrial control system (ICS). To the owners and operators of industrial control systems, this matters. Other worms will follow in Stuxnet's footsteps and understanding the routes that a directed worm takes as it targets an ICS is critical if these vulnerable pathways are to be closed. Only by understanding the full array of threats and pathways into a SCADA or control network can critical processes be made truly secure.

    It is easy to imagine a trivial scenario and a corresponding trivial solution:
    Scenario: Joe finds a USB flash drive in the parking lot and brings it into the control room where he plugs it into the PLC programming station.
    Solution: Ban all USB flash drives in the control room.

    While this may be a possibility, it is far more likely that Stuxnet travelled a circuitous path to its final victim. Certainly, the designers of the worm expected it to - they designed at least seven different propagation techniques for Stuxnet to use. Thus, a more realistic analysis of penetration and infection pathways is needed.

    This White Paper is intended to address this gap by analyzing a range of potential "infection pathways" in a typical ICS system. Some of these are obvious, but others less so. By shedding light on the multitude of infection pathways, we hope that the designers and operators of industrial facilities can take the appropriate steps to make control systems much more secure from all threats.

    Tofino Security | Abterra Technologies | ScadaHacker.com
    02/28/2011
  • Using Tofino to Control the Spread of Stuxnet Malware

    This application note describes how to use the Tofino Industrial Security Solution to prevent the spread of the Stuxnet worm in both Siemens and non-Siemens network environments.

    What is Stuxnet?
    Stuxnet is a computer worm designed to target one or more industrial systems that use Siemens PLCs. The objective of this malware appears to be to destroy specific industrial processes.

    Stuxnet will infect Windows-based computers on any control or SCADA system, regardless of whether or not it is a Siemens system. The worm only attempts to make modifications to controllers that are model S7-300 or S7-400 PLCs. However, it is aggressive on all networks and can negatively affect any control system. Infected computers may also be used as a launch point for future attacks.

    How Stuxnet Spreads
    Stuxnet is one of the most complex and carefully engineered worms ever seen. It takes advantage of at least four previously unknown vulnerabilities, has multiple propagation processes and shows considerable sophistication in its exploitation of Siemens control systems.

    A key challenge in preventing Stuxnet infections is the large variety of techniques it uses for infecting other computers. It has three primary pathways for spreading to new victims:
    - via infected removable USB drives;
    - via Local Area Network communications;
    - via infected Siemens project files.

    Within these pathways, it takes advantage of seven independent mechanisms to spread to other computers.

    Stuxnet also has a P2P (peer-to-peer) networking system that automatically updates all installations of the Stuxnet worm in the wild, even if they cannot connect back to the Internet. Finally, it has an Internet-based command and control mechanism that is currently disabled, but could be reactivated in the future.

    Tofino
    11/30/2010