Securing SCADA systems from APTs like Flame and Stuxnet – Part 1

Recently a very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.

Now while Flame was busy attacking the Middle East, I was in Abu Dhabi at the International Cyber Security Forum for Energy and Utilities, listening to a talk by Paul Dorey called "Advanced Persistent Threats - A Real Problem with Real Solutions" (you can download his presentation at the end of this article). Paul’s talk focused on security for the IT industry, but there were important lessons on managing attacks in the ICS / SCADA world. I will focus on one of those lessons in today’s blog.

Eric Byres speaks with an attendee at the International Cyber Security Forum for Energy and Utilities, which was held in Abu Dhabi, May 21-24, 2012. At this event Eric presented a keynote address, and he and Paul Dorey gave a one day workshop on SCADA Security.

What’s an APT? Is it just Marketing Hype?

First, a little background. Advanced Persistent Threats (APTs) are carefully crafted attacks against a focused target that are designed to be effective over an extended period of time. Richard Bejtlich in his TaoSecurity Blog says it well:

  • Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.
  • Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.
  • Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data).

Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Now some people claim that APTs are just marketing hype, but Paul offered some chilling case studies showing that APTs are very real threats. Flame is also a good example of an APT, but so are Stuxnet, Nitro, Night Dragon and Duqu. These are all attacks I have discussed in previous papers and blogs. Trying to wish away APTs as hype is a clear case of sticking one’s head in the sand.

Paul went on to discuss the seven advanced approaches that the best companies are using to deal with APTs. Figure 1 shows a summary of all seven, and in today’s blog I will cover the first one.

Seven Advanced Approaches for dealing with Advanced Persistent Threats. From Paul Dorey’s presentation "Advanced Persistent Threats - A Real Problem with Real Solutions".

Lesson #1: Focus on the Crown Jewels

Advanced Approach #1 is to focus your protection efforts on your most important assets. It would be ideal to protect everything perfectly and do it all the time. Unfortunately modern systems, whether they are IT systems or control systems, have become too complex to achieve perfect and uniform security.

So the smart IT teams are focusing their scarce security resources on securing those assets that really matter to the survival of the company. They do not rely solely on a perimeter firewall to keep all the bad stuff out of the company (a technique known as a Bastion Model). Instead, they install additional layered defenses directly protecting key assets such as servers containing sensitive financial or intellectual property information.

There are good reasons for using this approach. The obvious one is that it allows a defense-in-depth strategy, rather than a bastion strategy. It also allows the company to focus additional money, effort and diligence on a few core assets. For example, it is a lot easier to carefully review the audit logs for two servers every day than for two hundred servers. Tasks that are highly focused are more likely to be carried out by overworked security staff.

The third reason is that these assets are the same ones the bad guys will focus on. Sure, hackers and worms will go after any undefended computer, but in most cases these victims are just a stepping stone to the real target. Focusing your defensive efforts on the same things that your adversary is focusing on makes good security sense.

Focused Defense in the ICS and SCADA World

The strategy of focusing your defences also works for ICS and SCADA security. Every control system has a few assets that would seriously impact production, safety or the environment if successfully attacked. These might be the safety integrated system (SIS) in a refinery, the PLC controlling chlorine levels in a water filtration plant, or the RTU in an electrical substation. Every control engineer knows what really matters to his or her particular operation. Aggressively protect this asset and the chance of a truly serious cyber incident is massively reduced.
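To make the "review two servers, not two hundred" idea concrete, here is a small added example (my own illustration, not code from the original post or from any product it mentions). It takes a constructed asset inventory in which the three crown jewels above sit in tier 1, a constructed allow-list of which hosts are expected to talk to each of them, and a handful of constructed firewall log lines in a simple key=value layout, and builds the short daily review queue: only events touching tier 1 assets, with unexpected talkers ranked first. Hostnames, tiers and the log format are all assumptions for the example.

```python
import re
from dataclasses import dataclass

# Asset inventory with criticality tiers. Hostnames are constructed for this example;
# tier 1 are the crown jewels named in the text: the SIS, the chlorine PLC, the substation RTU.
ASSET_TIER = {
    "refinery-sis": 1,
    "water-plc-cl2": 1,
    "sub-rtu-7": 1,
    "hist-01": 2,        # process historian
    "eng-ws-03": 2,      # engineering workstation
    "office-pc-118": 3,
    "office-pc-204": 3,
}

# Hosts that are expected to talk to each crown jewel (constructed allow-list).
ALLOWED_PEERS = {
    "refinery-sis": {"eng-ws-03"},
    "water-plc-cl2": {"eng-ws-03", "hist-01"},
    "sub-rtu-7": {"hist-01"},
}

# Constructed firewall log lines in a simple key=value layout (not real captures).
SAMPLE_LOG = """\
2012-06-01T02:14:07 src=office-pc-118 dst=office-pc-204 action=allow dport=445
2012-06-01T02:14:09 src=eng-ws-03 dst=water-plc-cl2 action=allow dport=502
2012-06-01T02:15:31 src=office-pc-204 dst=water-plc-cl2 action=deny dport=502
2012-06-01T02:16:02 src=hist-01 dst=sub-rtu-7 action=allow dport=20000
2012-06-01T02:17:45 src=office-pc-118 dst=hist-01 action=deny dport=1433
2012-06-01T02:18:10 src=office-pc-204 dst=refinery-sis action=allow dport=502
2012-06-01T02:19:00 src=office-pc-118 dst=office-pc-204 action=allow dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+action=(?P<action>allow|deny)\s+dport=(?P<dport>\d+)$"
)


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    action: str
    dport: int
    score: int
    reason: str


def score_event(src, dst, action):
    """Weight an event by the criticality of the asset it touches and by
    whether the source is an expected peer of that asset."""
    tier = ASSET_TIER.get(dst, 3)          # unknown hosts are treated as tier 3
    score = {1: 100, 2: 10, 3: 1}[tier]
    reason = f"tier {tier} asset"
    if tier == 1 and src not in ALLOWED_PEERS.get(dst, set()):
        # An unexpected talker to a crown jewel is the event worth a human's time,
        # and one that got through ranks above one the firewall already blocked.
        score += 100 if action == "allow" else 50
        reason = "unexpected peer to crown jewel " + (
            "(allowed through)" if action == "allow" else "(blocked)")
    return score, reason


def parse_line(line):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    score, reason = score_event(m["src"], m["dst"], m["action"])
    return Event(m["ts"], m["src"], m["dst"], m["action"], int(m["dport"]), score, reason)


def review_queue(log_text, max_tier=1):
    """Build the daily review queue: keep only events whose destination is at or
    above the chosen criticality tier, highest score first. max_tier=1 is the
    focused review; max_tier=3 is the 'review everything' baseline."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    queue = [e for e in events if ASSET_TIER.get(e.dst, 3) <= max_tier]
    queue.sort(key=lambda e: e.score, reverse=True)   # stable: ties keep log order
    return queue


if __name__ == "__main__":
    focused = review_queue(SAMPLE_LOG)
    everything = review_queue(SAMPLE_LOG, max_tier=3)
    print(f"{len(focused)} of {len(everything)} events need a look today")
    for e in focused:
        print(f"{e.score:4d} {e.ts} {e.src} -> {e.dst}:{e.dport} {e.action:5s} {e.reason}")
```

On the sample input the focused queue is four events out of seven, and the one at the top is an office PC that was allowed through to the refinery SIS on Modbus/TCP, which is exactly the line an analyst should read first. The scoring weights are arbitrary; what matters is that the queue is short enough to be read every day and that unexpected peers of a crown jewel always float to the top.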

The first SCADA security lesson from the IT world is to focus on protecting the crown jewels. An example would be protecting safety integrated systems, like the Tricon safety integrated system shown on the right. Images courtesy of Royal Exhibitions and Invensys.

Consider Stuxnet. Symantec reports that the worm infected over 100,000 computers, 60% of these in Iran. But its ultimate target had to be the PLCs and drive controllers running the enrichment centrifuges. It wouldn’t have mattered if Stuxnet had infected one billion computers; if it could not get to the PLCs, it would have failed in its mission. Had Iran’s defence focused on protecting those PLCs, their enrichment process likely would never have been impacted. Clearly, they focused more on a bastion security model, which ultimately failed them, allowing Stuxnet to impact at least 1000 centrifuges.

A Balanced Approach

Don’t get me wrong, neither Paul nor I am advocating giving up on defending less critical assets or the network in general. This makes no more sense than a knight giving up the field and hiding in his castle.

What is needed (and is missing) is a balanced approach to system security. As an industry, we focus on trying to defend the entire field and forget about the castle containing the royal family. As long as the battle remains in the open, we think we are doing well. But when Ninja assassins (with names like Nitro, Duqu and Flame) start to sneak in, defending every laptop and desktop won’t seem all that important once the grid is down or the plant is leaking toxic chemicals.

So install those firewalls and Intrusion Detection Systems between IT and ICS networks. Build yourself what NERC-CIP calls an Electronic Security Perimeter (ESP). There is nothing wrong with that as part of a security strategy. Just remember to balance it with a focused defense, protecting what really matters to your process or company. Forget to focus and we will win the battle, but lose the war.
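The difference between the bastion model and the balanced approach is easiest to see by evaluating the same flows against two rule sets. The following is an added example I wrote for this post; it is not code from the original article, from NERC-CIP, or from any firewall product. It models an Electronic Security Perimeter between a corporate network and a control network as an ordered, first-match rule list, then adds a focused rule set directly in front of the safety system. The addresses, hostnames and port numbers are constructed assumptions, and intra-ICS traffic is treated as unfiltered in the ESP-only model because nothing in that model inspects it. The "compromised historian" scenario is the stepping-stone case from the Stuxnet discussion above: a host already inside the control network turning on the crown jewel.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for this example (not from the original post).
IT_NET = "10.1.0.0/16"           # corporate network
ICS_NET = "10.2.0.0/16"          # control network
SIS = "10.2.0.10/32"             # the crown jewel: the safety system
HISTORIAN = "10.2.0.20/32"
ENG_WS = "10.2.0.30/32"          # engineering workstation
IT_REPLICATOR = "10.1.5.50/32"   # IT-side server allowed to pull historian data
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    dport: Optional[int]     # None matches any port
    action: str              # "accept" or "drop"

    def matches(self, flow):
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == flow.dport))


def evaluate(rules, flow, default="drop"):
    """First-match evaluation, as a firewall would do; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return default, "default-policy"


# Bastion model: a single Electronic Security Perimeter between IT and ICS.
# Traffic that stays inside the ICS network is modelled as accepted because
# in this model nothing inspects it.
ESP_ONLY = [
    Rule("esp-historian-replication", IT_REPLICATOR, HISTORIAN, 1433, "accept"),
    Rule("esp-block-it-to-ics", IT_NET, ICS_NET, None, "drop"),
    Rule("ics-internal-unfiltered", ICS_NET, ICS_NET, None, "accept"),
]

# Balanced model: the same ESP plus a focused rule set directly in front of the SIS,
# which only the engineering workstation may reach, and only on Modbus/TCP.
BALANCED = [
    Rule("sis-allow-eng-ws-modbus", ENG_WS, SIS, 502, "accept"),
    Rule("sis-deny-everything-else", ANY, SIS, None, "drop"),
] + ESP_ONLY

# Constructed scenarios. The third one is the stepping-stone case: a host that is
# already inside the control network (here a compromised historian) turns on the SIS.
SCENARIOS = {
    "office PC to SIS": Flow("10.1.7.14", "10.2.0.10", 502),
    "replicator to historian": Flow("10.1.5.50", "10.2.0.20", 1433),
    "compromised historian to SIS": Flow("10.2.0.20", "10.2.0.10", 502),
    "engineering workstation to SIS": Flow("10.2.0.30", "10.2.0.10", 502),
}


def compare_models():
    """Return {scenario: (action under ESP only, action under balanced policy)}."""
    return {name: (evaluate(ESP_ONLY, f)[0], evaluate(BALANCED, f)[0])
            for name, f in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (esp, bal) in compare_models().items():
        print(f"{name:32s} ESP-only: {esp:6s} balanced: {bal}")
```

The perimeter alone stops the office PC and still lets the historian replication through, so on the "field" both models look identical. The difference shows up in the stepping-stone scenario: under the ESP-only model the compromised historian reaches the safety system, while under the balanced model the focused rule in front of the SIS drops it and the legitimate engineering workstation is still allowed. That is the castle being defended as well as the field.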

Do you agree with the “protecting the crown jewels” approach? Let me know your thoughts.

Related Content to Download

Presentation - "Advanced Persistent Threat: A Real Problem, with Real Solutions"


Download this presentation and benefit from:

  • Definitions of APT and The Threat Continuum
  • Examples of Advanced Persistent Threat (APT) attacks on major companies
  • A summary of the advanced approaches companies use to defend against APTs

Practical SCADA Security thanks Prof. Paul Dorey for making this presentation available to our readers.


Author Eric Byres



Would it inadvertently show the attacker where the crown jewels or the "safe" is when they gain access to the network and therefore focus on the crown jewels using all their resources?

I don't think so. Just because you focus your defences on an asset doesn't mean that your adversary will see your efforts. Here are two examples:

1. Log Reviews: Where your security team spends its log review efforts is not exposed to the bad guys. They may be able to determine what is being logged (although this is hard to do), but not where the team does its reviews.

2. Firewalls: You may have a firewall defending a critical asset, but that doesn't mean that the bad guy can detect it or what is behind it. For example, Tofino was specifically designed to be invisible - no IP address, no changes to routing, nothing. To the bad guy a part of the network just isn't there.

So I think that a focused defence has a lot of benefits and minimal risk.

This approach just follows the Pareto principle or 80/20 rule. All business people know that you should concentrate 80% of your effort on your 20 most valuable clients (affairs). And this is a proven success strategy.

I agree. It is just unfortunate that so many companies forget the idea of focus when security is involved. Hopefully presentations like Prof. Dorey's will wake them up...
