Stuxnet Guidance: The Good, the Bad and the Ugly

Over the past month, there has been no shortage of reports on how Stuxnet is attacking the Iranian Nuclear Program. Unfortunately, good advice on what exactly Industrial Control System (ICS) owner/operators can do to protect themselves against Stuxnet (and its future offspring) is in short supply. In fact, much of what passes as technical guidance is either too IT-focused or simply wrong.

The Bad and the Ugly

Top of the “Bad” list is the recent Gartner Report on Stuxnet. This paper suggested that ICS users “make sure all default passwords are changed” when installing Siemens control systems. Seems like good advice on the surface, doesn’t it? Unfortunately it’s not.

As the Siemens web site, this blog and others pointed out back in July, if users change the default password on the SQL Server databases that the Siemens control system uses, the control system will cease to function correctly. The reason is that Siemens hard-coded the password into its PCS7 applications. Changing the password in the database prevents legitimate PCS7 stations from accessing the central database, effectively creating a self-induced denial of service on the control system.

Now this might not have been smart security design on Siemens part (a topic for another blog), however, it is a fact of life that the end-users need to live with. Suggesting users do otherwise is just plain “Bad and/or Ugly” and shows a lack of experience in the real world of control and SCADA systems.

The Good

That said, there is some “Good” advice out there. For example, one of the groups that have provided reliable advice on Stuxnet is Industrial Defender (ID). Recently they released a new White Paper that is worth reading called "The Stuxnet Worm & Defenses for Advanced Threats."

The paper starts off with a standard tour of Stuxnet and what it does. Nothing new here, but it's good if you aren’t up to speed on Stuxnet. The paper then goes into a nice summary of a topic very near to my heart: Advanced Persistent Threats, or APTs. Now if you haven’t heard of APTs you are not alone – compared to the usual worm, APTs often get little press.

Rather than the usual crude and opportunistic attacks seen every day in your SPAM folder, APTs use combinations of advanced malware techniques to attack a specific target in a “low and slow” manner. Stuxnet is one excellent example, but it isn’t the first. Others include Operation Aurora and GhostNet.

One client of Byres Security experienced an APT attack designed to steal the intellectual property behind yet-to-be-released products. The goal of the APT’s creators was to have extremely realistic counterfeits on the market within days of the official product release, a strategy that could net them hundreds of millions of dollars in sales.

What the Industrial Defender paper nicely points out is that if your company is the target of an APT, then you can forget about patching and anti-virus solutions saving you. Not that AV and patching aren’t important – if you don’t take those basic steps seriously, then the next worm in your control system will be neither advanced nor persistent – it will be the “garden variety” worm causing havoc.

The trouble is, APTs typically use zero-day exploits that can’t be detected by AV systems because the AV systems don’t have signatures for them yet.

Whitelisting: Good for Industrial Control Systems

So what are some solutions to protect your control system? The ID paper suggests a technique called whitelisting, where every application on a computer is marked with a signature known as a cryptographic hash. Each time software attempts to execute, the hash is recalculated and checked against an original hash. If the two hashes don’t match, or if there is no record of an approved hash, then something is amiss and an alarm is generated.
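To make the mechanism concrete, here is an added example (not code from the post, and not Industrial Defender’s product) of the hash-based check just described: a baseline of SHA-256 hashes is recorded for every approved program, and before a program is allowed to run its hash is recomputed and compared against the baseline. A hash that does not match, or a program with no baseline entry at all, raises an alarm. The file names, contents and the temporary directory are constructed for the demonstration; a real deployment would sign and protect the baseline itself and hook the check into the operating system’s execution path.

```python
"""Hash-based application whitelisting check (added example, not the post's code)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read executables in 64 KiB pieces so large binaries don't need to fit in memory


def sha256_of_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the hash of every file under root, keyed by relative path.

    This is the 'original hash' the post refers to; it is taken once, when the
    system is known-good, and should itself be stored read-only.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_of_file(p)
    return baseline


def check_execution(root: Path, rel_path: str, baseline: dict) -> str:
    """Decide whether a program may run.

    Returns 'allow' when the recomputed hash matches the baseline,
    'alarm:unknown' when there is no approved hash for the program, and
    'alarm:mismatch' when the program exists in the baseline but has changed.
    """
    approved = baseline.get(rel_path)
    if approved is None:
        return "alarm:unknown"
    if sha256_of_file(root / rel_path) != approved:
        return "alarm:mismatch"
    return "allow"


def demo() -> dict:
    """Constructed scenario: two approved programs; later one is altered and a new one appears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins for approved executables on a control system workstation.
        (root / "hmi.exe").write_bytes(b"original HMI binary (constructed)")
        (root / "logger.exe").write_bytes(b"original logger binary (constructed)")
        baseline = build_baseline(root)

        # Constructed changes after the baseline was taken: one approved program
        # is modified on disk and one unapproved program is added.
        (root / "logger.exe").write_bytes(b"logger binary with different contents (constructed)")
        (root / "dropper.exe").write_bytes(b"unapproved binary (constructed)")

        return {
            name: check_execution(root, name, baseline)
            for name in ("hmi.exe", "logger.exe", "dropper.exe")
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the block prints one verdict per program: the untouched `hmi.exe` is allowed, the altered `logger.exe` trips a mismatch alarm, and `dropper.exe` trips an unknown-program alarm. The point the post makes follows directly from the design: no signature of the malware is needed, only a record of what was approved, which is why the approach suits systems whose software inventory rarely changes.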

The paper goes on to show how the ID product would have alerted administrators that something was wrong when Stuxnet visited, months before conventional AV solutions would have.

Like the Fixed Configuration Firewalls (FCFs) I discussed in my last blog, whitelisting is one of those techniques that has not been popular in the IT world, because constant system changes make management a challenge. But as I noted in the FCF blog, “in the ICS/SCADA space, the basic network design can stay steady state for decades.” So for control systems, whitelisting is a very good arrow in your quiver of defenses.

Control system operators have a lot stacked against them when it comes to cyber security. Frankly many of the recommended IT solutions are less than ideal in the ICS environment. So if technologies like whitelisting or fixed configuration firewalls can help prevent APTs from attacking our critical systems, we need to take a serious look at them.

In the next blog article I will talk about a third technology that shows promise for our world called deep packet inspection.

In the meantime, I’d love to hear your ideas for evolving security technologies that might be ignored in the IT world but will work well for control systems.
