Fallout from Stuxnet Continues

Aug. 31, 2010
Siemens, Microsoft, Symantec issue fixes, but doubts remain about system security.

In the short term, it appears that the Stuxnet virus that affected four (or six, depending on which reports you read) Siemens customers using the company's Simatic WinCC SCADA software and PCS7 DCSs was small potatoes. Siemens itself, Microsoft and computer security vendor Symantec all issued fixes within a few days of the discovery of the "zero-day" virus, and no catastrophic events related to Stuxnet have been reported. However, the discovery served as a scary wake-up call across the process industries.

According to Joe Weiss, principal at Applied Control Solutions and author of the ControlGlobal.com security blog, "Unfettered," Stuxnet is "notable not only for its technical sophistication, but also for the fact that it targets industrial control systems (ICS) designed to run power plants including nuclear plants, smart grid, water systems, off-shore oil platforms, ships, other critical infrastructure and even critical infrastructures in Iran."  

He also warns that just because Stuxnet was first discovered in a Siemens system doesn't mean other ICSs aren't vulnerable. 

Furthermore, according to Eric Byres, CTO of Byres Security and one of the key brains behind the Tofino Industrial Security System, the worm's dangers are not limited to just the most recent versions of Windows. He says, "Stuxnet is designed to take advantage of a previously unknown vulnerability in all obsolete and current versions of Windows including Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7."

Even more troubling is that by early August, Kevin Hogan, senior director for Symantec Security Response, reported that the company had observed "a consistent number of infections" since the malware was first detected in mid-July. Installations in 115 countries have been hit.

Iran has been hardest hit, he said, with 33,000 infections reported—three times higher than the next most infected country, Indonesia, which has nearly 10,000 compromised systems. India is at No. 3 with over 5,000 infections.

These numbers suggest that Siemens is not the only vendor whose systems have been affected.  

While early analyses of the attacks suggested that their aim was industrial espionage, the possibility that some nation-state or group with more damaging intent was behind it cannot be ruled out. "Many people think of Stuxnet as a data exfiltration issue. Although Stuxnet could have been used by a counterfeiter to steal industrial secrets, Kaspersky Lab's Roel Schouwenberg suspects a nation-state was behind the attacks," says Weiss. 

The worm's sophistication is one of the factors feeding that suspicion. "Stuxnet is more than data exfiltration—it is the first rootkit targeted at PLCs," says Weiss. "It has the ability to take advantage of the programming software to upload its own code to the PLC. In addition, Stuxnet then hides these code blocks, so when programmers using an infected machine try to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn't just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC. In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found and can't accidentally be overwritten. Stuxnet contains 70 encrypted code blocks that appear to replace some foundation routines. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC."
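As an added illustration (not code from the article or from any vendor), the sketch below shows why a block listing taken through a compromised programming station cannot be used to audit a PLC: comparing it with the commissioned baseline shows nothing, while a read over an independent, trusted path exposes the extra blocks. The block names, contents and the `filtered_listing` model are constructed assumptions.

```python
import hashlib

def inventory(blocks):
    """Map each block name to the SHA-256 of its contents."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}

def diff_inventory(baseline, observed):
    """Compare two inventories; report added, removed and modified block names."""
    base, obs = set(baseline), set(observed)
    return {
        "added": sorted(obs - base),
        "removed": sorted(base - obs),
        "modified": sorted(n for n in base & obs if baseline[n] != observed[n]),
    }

def filtered_listing(blocks, hidden):
    """Model (assumption) of a hooked station view that omits some blocks."""
    return {n: c for n, c in blocks.items() if n not in hidden}

# Constructed sample data: the project as commissioned, kept offline.
COMMISSIONED = {
    "OB1": b"main cycle v1",
    "FC10": b"valve control v1",
    "DB5": b"setpoints v1",
}
BASELINE = inventory(COMMISSIONED)

# Constructed sample data: what is really on the controller (two extra blocks).
ON_PLC = dict(COMMISSIONED, FC900=b"unknown logic", DB900=b"unknown data")
HIDDEN = {"FC900", "DB900"}

def audit():
    """Return (diff via the hooked station, diff via an independent read)."""
    station_view = inventory(filtered_listing(ON_PLC, HIDDEN))
    independent_view = inventory(ON_PLC)
    return (diff_inventory(BASELINE, station_view),
            diff_inventory(BASELINE, independent_view))

if __name__ == "__main__":
    station, independent = audit()
    print("via programming station:", station)
    print("via independent read:   ", independent)
```

The baseline only has value if it was captured before any compromise and is stored where the programming station cannot rewrite it.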

To make matters worse, part of the virus's successful spread came from new software that its authors added after Stuxnet was created, which allowed it to spread among USB devices with virtually no intervention by the victim. They also got their hands on encryption keys belonging to chip companies Realtek and JMicron and digitally signed the malware, so that antivirus scanners would have a harder time detecting it. Realtek and JMicron both have offices in the Hsinchu Science Park in Hsinchu, Taiwan, and Kaspersky Lab's Schouwenberg believes that someone may have stolen the keys by physically accessing computers at the two companies. This has allowed Stuxnet to defeat two-factor authentication.

Weak Response

Researchers at Symantec say they've identified an early version of the worm created in June 2009, and that the malicious software was then made much more sophisticated in January 2010. Furthermore, Stuxnet appeared at the same time as Conficker. Stuxnet can use the Conficker worm to spread itself. Stuxnet has also been tied back to June 2009, which was when Conficker was first identified.

At the same time, in a recent article in the August/September issue of Foreign Affairs magazine, William J. Lynn III, U.S. Deputy Secretary of Defense, disclosed a cyber attack on U.S. military computers and networks propagated by a USB stick loaded onto a military laptop in the Middle East in 2008. "That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," he says in the article, describing an attack that sounds distressingly similar to Stuxnet.

But in spite of the fact that industry insiders have been warning about the possibility of such attacks for years, response on a national and regulatory level has been thin, leaving users scrambling to figure out how to defend themselves.

Weiss points out that Stuxnet was identified by investigators with VirusBlockAda, a security vendor based in Minsk, Belarus. Meanwhile, the Department of Energy had a security R&D peer review the week that Stuxnet was disclosed and none there knew of its existence. Furthermore, Weiss says there has been a "deafening silence" from the NERC CIP Standards Drafting Team.

"What does this say about the efficacy of the DOE R&D program when a researcher in Belarus finds it [the Stuxnet worm]?" asks Weiss.