Stuxnet, Conficker, Smart Grid, and National Security

Aug. 26, 2010

The Stuxnet worm was arguably the first worm targeted at ICSs, in this case Siemens PLCs.  It was unknown until mid-July 2010, when it was identified by investigators with VirusBlockAda, a security vendor based in Minsk, Belarus. The worm is notable not only for its technical sophistication, but also for the fact that it targets ICSs designed to run power plants including nuclear plants, Smart Grid, water systems, off-shore oil platforms, ships, other critical infrastructure and even critical infrastructures in Iran.

The Stuxnet worm was arguably the first worm targeted at ICSs, in this case Siemens PLCs.  It was unknown until mid-July 2010, when it was identified by investigators with VirusBlockAda, a security vendor based in Minsk, Belarus. The worm is notable not only for its technical sophistication, but also for the fact that it targets ICSs designed to run power plants including nuclear plants, Smart Grid, water systems, off-shore oil platforms, ships, other critical infrastructure and even critical infrastructures in Iran. Ironically, DOE had an R&D Peer review the week that Stuxnet was disclosed and none of the DOE R&D projects knew of its existence. What does this say about the efficacy of the DOE R&D Program when a researcher in Belarus finds it?

Many people think of Stuxnet as a data exfiltration issue. Although Stuxnet could have been used by a counterfeiter to steal industrial secrets, Kaspersky Lab’s Roel Schouwenberg suspects a nation state was behind the attacks. However, Stuxnet is more than data exfiltration – it is the first rootkit targeted at PLCs. It has the ability to take advantage of the programming software to upload its own code to the PLC.  In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC. In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found and can’t accidentally be overwritten. Stuxnet contains 70 encrypted code blocks that appear to replace some foundation routines. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC. Stuxnet also uses an infection counter before deleting itself  and also can use MS08-067, the same vulnerability used by Downadup (a.k.a. Conficker) to spread.

Microsoft rushed out an early patch for the Windows vulnerability that Stuxnet uses to spread from system to system. Microsoft released the update just as the Stuxnet attack code started to be used in more virulent attacks. Additionally, several antivirus suppliers provided new anti-virus signatures. However, neither addressed the malicious code written to the PLC firmware. Talk about a false sense of security!

Researchers at Symantec say that they've identified an early version of the worm that was created in June 2009, and that the malicious software was then made much more sophisticated in January 2010. This earlier version of Stuxnet acts in the same way as its current incarnation -- it connects with Siemens PLCs -- but it does not use some of the newer worm's more remarkable techniques to evade antivirus detection and install itself on Windows systems. Those features were probably added a few months before the latest worm was first detected, said Schouwenberg. "This is without any doubt the most sophisticated targeted attack we have seen so far," he said.

After Stuxnet was created, its authors added new software that allowed it to spread among USB devices with virtually no intervention by the victim. And they also somehow managed to get their hands on encryption keys belonging to chip companies Realtek and JMicron and digitally sign the malware, so that antivirus scanners would have a harder time detecting it. Realtek and JMicron both have offices in the Hsinchu Science Park in Hsinchu, Taiwan, and Schouwenberg believes that someone may have stolen the keys by physically accessing computers at the two companies. This has allowed Stuxnet to defeat 2-factor authentication.

Stuxnet leveraged unpatched "zero-day" flaws in Microsoft products. Stuxnet is more technically remarkable than the Google attack, Schouwenberg said. "Aurora had a zero-day, but it was a zero-day against IE6," he said. "Here you have a vulnerability which is effective against every version of Windows since Windows 2000." Recall, Microsoft no longer supports Windows 2000 and other older versions still heavily used in ICS applications.

To date, Siemens says four of its customers have been infected with the worm. But all those attacks have affected engineering systems, rather than anything on the factory floor.
Although the first version of the worm was written in June 2009, it's unclear if that version was used in a real-world attack. Schouwenberg believes the first attack could have been as early as July 2009. The first confirmed attack that Symantec knows about dates from January 2010, said Vincent Weafer, Symantec's vice president of security technology and response. Most infected systems are in Iran, he added, although India, Indonesia and Pakistan are also being hit. This in itself is highly unusual, Weaver said. "It is the first time in 20 years I can remember Iran showing up so heavily."

There are also other significant issues. Stuxnet appeared at the same time as Conficker.  Stuxnet can use the Conficker worm to spread itself. Stuxnet has also been tied back to June 2009 which was when Conficker was first identified. That was also when the NERC Advisory on Conficker was issued because of power plant issues. I recently received an email that a major oil company found Conficker in their Control Systems - brought in by a thumb drive.  Surprise!  One of the most significant issues is that a sophisticated ICS cyber attack will most likely not be identified by the ICS community – we need the IT researchers like those from Symantec and Kaspersky.

The Washington Post is reporting that a senior defense department official writing in Foreign Affairs magazine has declassified and disclosed a cyber attack on US Government (military) computers and networks propagated by a USB stick, loaded onto a US military laptop in the Middle East in 2008. "That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," he says in the Foreign Affairs article. Sounds similar to Stuxnet doesn’t it?

As for regulatory issues, there is a deafening silence from the NERC CIP Standards Drafting Team given the potential consequences of Stuxnet. Is there any question why regulation is needed now? Stuxnet uses compromised encryption keys. Since Smart Grid will rely on key management, what does this mean for Smart Grid?

The researchers from Symantec and Kaspersky that have been involved in the Stuxnet investigation have agreed to speak at the September ACS Conference (www.realtimeacs.com). This will be a great opportunity for them to find out who the ICS community is and for us to find out who they are. Siemens will also speak. Additionally, DHS will speak on the results of their 50 power plant assessments.

This should be a very interesting conference.  I hope you can make it.

Joe Weiss