Caveat: It is important to recognize that the target of Stuxnet, Siemens PLCs, is not an industry but a device used by many industries. It is not even clear what country is being targeted, or by whom. As the US electric industry (nuclear and non-nuclear) is the only one with cyber security standards, I recently sent a note to Congress and FERC, as policy makers, about my concerns regarding the Stuxnet worm. I am approaching the Stuxnet problem with trepidation, as it is a real and near-term threat with minimal solutions to date. I hope industry looks at this issue dispassionately and takes the appropriate urgent action.
According to Symantec, Stuxnet is able to hide injected code located on a PLC. In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. The enumeration, read, and write functions are all hooked, so the hidden blocks cannot be accidentally overwritten either. Stuxnet contains 70 encrypted code blocks that appear to replace some “foundation routines” that take care of simple yet very common tasks. Additionally, Stuxnet uses an infection counter before deleting itself. Consequently, what is there to see?
Takeaway: AntiVirus solutions purported to address this worm may not be successful even though they appear to be.
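The hiding mechanism described above is a classic rootkit pattern: the tool you would use to inspect the controller is itself the thing being lied to. The defensive counter to that pattern is a cross-view comparison, checking the tool's view of the controller against an inventory obtained through a path the hook does not touch (a commissioning baseline, or a listing taken by independent means). The following Python is an added illustration, not Stuxnet code and not any Siemens or Symantec tooling; the in-memory `FakePlc`, the block names, block contents, and the two-line filtering hook are all constructed for the example, and a real audit would need the independent listing and reads to come from a channel that does not share the hooked library.

```python
"""Cross-view audit for hidden or replaced PLC code blocks (constructed example).

The FakePlc below stands in for a controller's block store; make_filtering_hook
models a programming tool whose block listing has been wrapped so that chosen
names never appear. audit() then compares (a) the tool's view, (b) an independent
view, and (c) a commissioning baseline of block digests, and reports the
discrepancies a defender would want to see.
"""
import hashlib
from typing import Callable, Dict, List, Set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class FakePlc:
    """In-memory stand-in for a controller holding named code blocks."""

    def __init__(self, blocks: Dict[str, bytes]):
        self._blocks = dict(blocks)

    def list_blocks(self) -> List[str]:
        return sorted(self._blocks)

    def read_block(self, name: str) -> bytes:
        return self._blocks[name]


def make_filtering_hook(list_fn: Callable[[], List[str]],
                        hidden: Set[str]) -> Callable[[], List[str]]:
    """Wrap a listing function so that names in `hidden` are dropped.

    This is a deliberately trivial model of a hooked enumeration call; the
    point is only that the tool's view can no longer be trusted on its own."""
    def hooked() -> List[str]:
        return [n for n in list_fn() if n not in hidden]
    return hooked


def baseline_of(plc: FakePlc) -> Dict[str, str]:
    """Record name -> digest for every block, as one would at commissioning."""
    return {n: sha256(plc.read_block(n)) for n in plc.list_blocks()}


def audit(tool_listing: Callable[[], List[str]],
          independent_listing: Callable[[], List[str]],
          independent_read: Callable[[str], bytes],
          baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the programming tool's view with an independent view and a baseline.

    hidden_from_tool: blocks the independent channel sees but the tool does not
    not_in_baseline:  blocks that did not exist when the baseline was taken
    modified:         baseline blocks whose contents no longer match their digest
    missing:          baseline blocks that are no longer present at all
    """
    tool = set(tool_listing())
    indep = set(independent_listing())
    known = set(baseline)
    return {
        "hidden_from_tool": sorted(indep - tool),
        "not_in_baseline": sorted(indep - known),
        "modified": sorted(n for n in indep & known
                           if sha256(independent_read(n)) != baseline[n]),
        "missing": sorted(known - indep),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one foundation routine replaced, two blocks injected
    and concealed from the tool's enumeration."""
    clean = FakePlc({"OB1": b"main cycle", "FC1": b"scale input", "DB1": b"params"})
    baseline = baseline_of(clean)  # taken before anything went wrong

    # Constructed post-infection state (block names and bodies are made up).
    infected = FakePlc({
        "OB1": b"main cycle",
        "FC1": b"scale input; call FC900",  # replaced routine
        "DB1": b"params",
        "FC900": b"injected logic",         # hidden from the tool
        "DB900": b"injected data",          # hidden from the tool
    })
    hooked_tool_view = make_filtering_hook(infected.list_blocks, {"FC900", "DB900"})

    # Independent view: here simply the unhooked listing and reads. In practice
    # this must come from a path that does not go through the hooked software.
    return audit(hooked_tool_view, infected.list_blocks, infected.read_block, baseline)


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```

Note that the `modified` check only works because the reads also bypass the hook; a hook that intercepts reads as well as enumeration (as the article says Stuxnet's does) would return the original bytes for `FC1` and the digest comparison would pass. That is exactly why the baseline and the comparison reads have to come from outside the tool.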
Siemens is working with Symantec on analyzing what is in the code. Siemens PLCs are designed to utilize the Ethernet-based Profibus architecture which connects the PLC to various field devices such as drives, analyzers, and transmitters.
Takeaway: It is not clear yet what is in the code, or whether Stuxnet is isolated to the PLC or could also affect field devices.
As this worm has been in the wild since June 2009, it is not clear what systems have been infected or what was being accomplished. However, the concept of economic espionage that was originally identified does not seem credible to me, for at least two reasons. First and foremost, why go to a controller unless you want to take control? If you want economic data, go to an archival database. Secondly, zero-day Microsoft vulnerabilities and counterfeit digital signatures are extremely expensive. I find it very unlikely that a cost-benefit case can be made for this kind of investment if the sole purpose was economic espionage. One train of thought is that if they weren’t successful in whatever they were trying to accomplish, they wouldn’t spend the effort to make it even more powerful and undetectable.
Takeaway: It is not clear yet what Stuxnet has been programmed to do or when it will be activated, but it certainly has something to do with control.
Stuxnet targets MS08-067, the same vulnerability used by Downadup (Conficker) to spread. It is interesting to note that Conficker exploitation of this vulnerability at process and power plants occurred in the May-June 2009 time frame. This may simply be coincidental. I don’t think anyone looked to see if Siemens PLCs were involved.
Major takeaways: This is a worm that has targeted a controller, apparently has buried code that lets it affect the controller at a time of its choosing, has made traditional AntiVirus ineffective, and industry has minimal forensics with which to detect the infection.
Joe Weiss