ACS Conference Day 2 June 21, 2010 - Stuxnet presentations and discussions

Sept. 22, 2010

The Conference started in earnest June 21st. There were approximately 100 attendees. The highlights consisted of the following discussions:

- what are unnecessary ports and services and who defines them
- what exactly is two-factor authentication

- Roel Schouwenberg from Kaspersky Labs provided a summary of the Stuxnet worm. Roel mentioned this was the most sophisticated worm he has encountered. It is more sophisticated than the Aurora worm associated with Google and Microsoft. In fact, he had the worm in his lab for at least a week before realizing it was malware. He said there were 4 Microsoft zero-day vulnerabilities and they were complementary – a VERY sophisticated attack. According to Roel, the worm was found by a researcher in Belarus (VBA) when one of their customers’ computers acted “funny” with spontaneous reboots. According to Roel, the attackers understood the weakness of anti-malware products. This was one of the first cases of a worm using stolen legitimate digital signatures. He has subsequently found three others following this trend. Roel feels that the authenticity of certificates may be diminishing and it will be even more difficult to find the “next Stuxnet.” Stuxnet has a huge binary – approximately ½ megabyte in size. Roel mentioned that he was not aware of how this worm could impact control systems. According to Roel, this was a nation-state, targeted attack. As he did not have a Siemens PLC, he was not able to go further to identify its possible impact.

- Ralph Langner from Langner Communications provided details of his analysis of the Stuxnet worm and its impact on PLCs. According to Ralph, the worm attacks the Siemens Process Manager (Engineering Tool) and effectively hijacks the legitimate DLL. It is a man-in-the-middle attack replacing some of the PLC ladder logic with rogue ladder logic. Apparently, INL has confirmed Ralph’s analysis. This is an engineering attack on a specific application (unknown) based on specific process conditions (unknown). It is thought that the worm may have infiltrated through the systems integrator that had their web presence compromised for more than 2 years. Ralph feels this is a directed attack against a specific process meant to cause physical damage. Whoever did this had significant knowledge about the process model, the Siemens PLCs, and IT programming. Ralph believes there are only a limited number of people capable of doing this specific attack. This is not a bug but an engineering attack, and therefore patches do not address this issue. Ralph provided several recommendations to minimize this type of problem. There was discussion about who the attack might be directed at, but that part was speculation – the rest is based on testing and facts.

- Based on Ralph’s presentation, there was approximately two hours of open discussion on what can and should be done.

Joe Weiss