Stuxnet

"How Stuxnet Spreads" White Paper

News coverage following the release of the White Paper "How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems" by Eric Byres, Andrew Ginter, and Joel Langill.

DigitalBond Podcast: February Edition of This Month In Control System Security

Podcast from: Digitalbond.com, February 2011

Dale Peterson of DigitalBond.com talks with Eric Byres, CTO of Tofino Security, Andrew Ginter of Abterra Technologies, and Joel Langill of SCADAhacker.com, the three authors of the new 26-page white paper "How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems." 37:27 - 1:08:30

Other parts of the podcast:

Industrial Control System Security Best Practices Inadequate in Blocking Advanced Malware Threats

New "How Stuxnet Spreads" White Paper by three leading industrial security experts describes Stuxnet infection pathways and discusses how to protect SCADA systems......

February 22, 2011 - British Columbia, Canada

How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems


The Stuxnet worm is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems.

This paper describes an example of a site following high security architecture best practices and then shows the ways that the worm could make its way through the defences of the site to take control of the process and cause physical damage.

The paper closes with a discussion of the lessons that can be learned from the analysis of Stuxnet’s propagation pathways. It explains how owners of critical systems need to respond to protect control systems from future threats of this type.

IN11-502: Canadian CCIRC Vulnerability Note

The Canadian Cyber Incident Response Centre (CCIRC) Information Note IN11-502 on Cyber Threats and Vulnerabilities Against SCADA Systems summarizes hundreds of pages of security bulletins into a succinct document.

This note covers six important vulnerabilities and also includes information on ICS-CERT and Stuxnet.

Stuxnet - Siemens S7 Clear Memory

One of the issues with Stuxnet is that in certain cases it will directly modify the PLC firmware and not just user logic. Erasing the CPU memory, including the MMC card, would completely clear out the memory on the S7 controllers and remove the worm.

In case you are not certain how to do this, we have provided the relevant section from the Siemens CPU 31xC and CPU 31x: Installation Manual.

Please remember that you must be certain that the STEP7 project file used to download the program after the memory reset is uninfected; otherwise you start all over again. Stuxnet hid in STEP7 project files, allowing it to re-infect the ES when the project file was opened (special thanks to Joel Langill for help confirming this).

Revealing network threats, fears - How to use ANSI/ISA-99 standards to improve control system security

Article in: InTech Magazine, January/February 2011

Anyone integrating automation technologies these days is well aware of the pressure on the operators of industrial plants to increase productivity, reduce costs, and share information in real time across multiple industrial and enterprise systems.

Using Tofino to Control Stuxnet

Stuxnet is a computer worm designed to target one or more industrial systems that use Siemens PLCs. However, it is aggressive on all networks and can negatively affect any control system.

Stuxnet spreads rapidly using Local Area Network communications, and one of the most effective ways to prevent this type of distribution is to make use of zone-based defenses.

Stuxnet Mitigation Matrix

Stuxnet is a computer worm designed to take advantage of a number of previously unknown vulnerabilities present in the Windows operating system and Siemens SIMATIC WinCC, PCS7 and S7 PLC systems.

It takes advantage of numerous vulnerabilities in the Windows operating system and the Siemens product line.  As a result, full mitigation requires multiple actions.

The Stuxnet Mitigation Matrix shows mitigation measures by Windows operating system and it includes dynamic links to detailed information on each of the patches and mitigations.

Siemens PCS7 WinCC Malware

New Stuxnet White Paper: Analysis of the Siemens WinCC / PCS7 “Stuxnet” Malware for Industrial Control System Professionals.

Stuxnet is a computer worm designed to take advantage of a number of previously unknown vulnerabilities present in the Windows operating system and Siemens SIMATIC WinCC, PCS7 and S7 product lines.

It was designed to target one or more industrial systems that use Siemens PLCs with the apparent objective of sabotaging industrial processes.

This White Paper summarizes the current known facts about the Stuxnet worm and the actions that operators of SCADA and ICS systems can take to protect critical operations.

Also included is Joel Langill's excellent video that shows in detail how Stuxnet infects a system.
