The Many Paths of Stuxnet – How Robust are Today’s Best Practice Systems?

Over the past four months, Joel Langill, Andrew Ginter and I have been working on a really cool research project. We have been investigating how Stuxnet would infect an industrial site protected by a “high security architecture.”

In other words, a site protected exactly according to the best practices recommended by control system vendors. In this case, we focused on Siemens’ best practices (as defined in the Siemens' White Paper: “Security concept PCS 7 and WinCC - Basic document”), because Stuxnet attacked Siemens systems.

Now to be VERY clear, we are NOT trying to show that Siemens control systems are less secure than competing control systems. In fact, many of the other vendor guidelines and products we have investigated over the last few years are far less secure than the Siemens architecture. Siemens just happen to be at the wrong place at the wrong time, an experience I am sure the boys and girls at Microsoft can relate to.

Many pathways for Stuxnet

What did we find? Well not surprisingly, we learned that a worm as complex as Stuxnet will make short work of even the best of today’s ICS security architectures. A modern ICS or SCADA system is so highly interconnected that there are multiple opportunities for a talented worm to migrate from the outside world to the controllers.

Modern worms can piggy back using many different media – for example, in my last blog I talked about how carefully modified PDFs are one of the current fads in worm propagation.

Unfortunately as an industry we tend to focus our security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall). Stuxnet makes it clear that this is a flawed defence.

If we want our control systems to be secure, ALL mechanisms for transfer of electronic information (in any form) have to be evaluated for security risk. I mean everything – old serial links, user manuals on CDs, printer sharing, you name it. If a bit is moving to or from an ICS, it is a potential security risk.

Security Models often not implemented in practice

Another thing worth mentioning is that the analysis was based on a security model which is, as Andrew puts it, “although accepted in industry as a best practice, is often not implemented in practice.” System architectures in the real world are typically much less secure than the one we assumed in our study.

For example, take the question of patching. Joel and Andrew just gave me well deserved heck for a statement I made to a reporter “The propagation tools that Stuxnet used aren’t all that useful anymore, as (hopefully) most people have installed the patches for the various Microsoft vulnerabilities that made Stuxnet so successful.

Unfortunately when I stop to think about it, I bet that there are tens of thousands of un-patched computers still running in ICS around the world. We would need another blog or two to explain the reasons why (some very reasonable), but these systems exist and they put our critical infrastructures at serious risk unless compensating mitigations are put in place.

We haven’t given up our dream of truly secure control systems. In the conclusions of our paper, we outline some of the issues that Stuxnet highlighted and what industry needs to do to address them. Better industrial control system security is needed quickly. Waiting for the next worm may be too late.

If you would like to read about what we learned from studying Stuxnet and what needs to be done to secure our ICS, go to the White Paper download page:

How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems

Related Links has a series of articles about this White Paper:


Subscribe to the "Practical SCADA Security" news feed

Add new comment