“Son-of-Stuxnet” - Coming Soon to a SCADA or PLC System Near You

In the past two months, the number of serious security vulnerabilities being reported in SCADA and ICS products has sky rocketed. In late March, I blogged about how Luigi Auriemma published 34 vulnerabilities (with free exploit code) for 4 popular HMI packages. Within days, 3 more vulnerabilities were announced (one by Joel Langill, with details submitted to ICS-CERT).

By the end of May, ICS-CERT had released 11 new security advisories for SCADA and ICS products, many containing multiple vulnerabilities.

Last week’s bad news about ICS security was that security researcher Dillon Beresford had discovered new vulnerabilities in the Siemens S7 line of PLCs. According to Wired Magazine, Beresford found multiple vulnerabilities in the Siemens products.

“They’re very easy to exploit,” Beresford said. “As long as you have access to [a PLC's] network you will be able to exploit them.”

Beresford goes on to say that he gave Siemens 4 exploit modules to test. He also states that at least one of the vulnerabilities he found affects multiple SCADA-system vendors, which share “commonality” in their products.

Now with all these vulnerabilities being “easy to exploit” (Auriemma also noted that it only took him 8 days to discover his 34 vulnerabilities), a number of people have asked me if perhaps Stuxnet wasn’t also created by someone with a few weeks spare time. So in this article I will explain why Stuxnet was special, and why a “Son-of-Stuxnet” is likely to impact a SCADA or ICS system sometime soon.

Why Stuxnet was Special

Here are at least 4 reasons why I believe Stuxnet was a very advanced piece of malware:

1. It was truly ground breaking in both its design and its integration of different attack concepts into a unified package.
2. It was designed to be very stealthy and stay under the radar (which it did for at least a year – This is hard to do).
3. It required a number of different Subject Matter Experts (SMEs) to develop. At a minimum it needed an expert in Siemens PLC programming, Windows Malware design, SQL database programming, VFD Drive controller programming and centrifuge operations. Perhaps someone could be knowledgeable on two of these subjects, but I doubt anyone could master them all, so Stuxnet took a team.
4. It was extremely well-coded and tested – the quality of code was better than most commercial products.

Any one of the above would require a team to carry out. All 4 make it almost certain that Stuxnet was the work of a nation-state, capable of assembling a very skilled project team and keeping it secret.

“Son-of-Stuxnet” Components are Straight-forward to Create

Let’s go back to what Beresford and others are doing today.  I call their work “Son-of-Stuxnet” and their research really concerns me because the bar is much lower:

1. Ground-breaking vision is no longer needed.  Stuxnet (as deconstructed by Symantec, Langner et al.) provided a step-by-step cookbook for SCADA/ICS malware design. It also introduced many to the whole world of SCADA and process control – a world that Auriemma freely admits he knew little about before Stuxnet appeared.
2. Beresford, Auriemma and company aren’t trying to be either stealthy or target-focused. They are just proving a point; namely there are serious vulnerabilities in the various ICS product lines. Stealthiness and target focus can be supplied by someone else later on.
3. Beresford had to develop good security testing expertise (which I hear he definitely has), as well as a reasonable knowledge of Siemens PLCs, a combination that has been mastered by many of my staff and students. Any knowledge of the target process or what the PLCs actually do in the process isn't needed - that also can be supplied by someone else later on.
4. The code is truly prototype at this stage. For example, this quote comes from someone who saw Beresford's presentation; "Beresford is confident in his ability to produce a Linux shell on the PLC and have root level access to the OS." Note that he hasn't done any of those tasks yet. It is still all proof of concept and thus has not been QA'd at all. And yes, that can be supplied by someone else later on...

Why “Son-of-Stuxnet” is coming to a PLC or SCADA System soon

People like Beresford probably won't ever develop a worm with their knowledge. I believe most want to do the right thing for the world. But now that the information is out in the public domain, someone else could. They don't need to have Beresford's or Auriemma’s skills (and may not have their morals).  These “new-to-ICS” developers could have skills focused in other areas such as power engineering, along with a reasonable set of skills in malware development.

Here are some ways “new-to-ICS” developers could cause SCADA security havoc:

1. Depending on their ideology and goals, they might not care if their worm is stealthy or focused. They might just want to create a general purpose attack against the transportation industry that would cause mayhem in "enemy countries".
2. Or, they could create a worm that is moderately stealthy, but shot-gunned at a number of power companies, so that if successful in penetrating a victim (any victim), it allows the malware owner to demand money in exchange for not damaging the company's operations.
3. They could acquire the expertise to attack an industrial process from publically available materials on the Internet.

For example, in March, Rubén Santamarta notified US ICS-CERT of a vulnerability in BroadWin WebAccess, a web browser-based HMI product. ICS-CERT forwarded the vulnerability information to BroadWin. Unfortunately, BroadWin was not able to validate the vulnerability and said it was false. So Mr. Santamarta publicly released details of the vulnerability including exploit code.

Then Mr. Santamarta provided a very detailed presentation to help everyone understand how the power industry uses State Estimators to manage power flows on the grid (go to slide 43).

Prior to this slide deck going public, the number of people in the world who knew what a state estimator did, was probably in the thousands (and 99.99% worked for a power company). Now it is in the hundreds of thousands (and very few work for a power company). So now we have both security vulnerability knowledge and industrial process knowledge all wrapped up into one handy package for the bad guys to use.

So while Stuxnet might have been hard to build the first time, it is relatively straight forward to assemble components of “Son-of-Stuxnet” from the public domain.  Bottom line: we are in for a tough few years as the industry tries to catch up with the bad guys.

Related Links

• Son-of-Stuxnet can be Stupid - PJ Coyle of Chemical Facility Security Today references this article and makes further comments on why detailed process knowledge is not required to create a "Son-of-Stuxnet" malware (May 31, 2011)
• Homemade cyberweapon worries federal officials – A Washington Times article about the U.S. Government’s concern with Beresford’s research (May 24, 2011)
• Stuxnet, routing hacks and a seized iPad - ZDNet Podcast from AusCERT 2011 on the Son-of-Stuxnet (May 23, 2011)

July 25, 2011 update:

• A time bomb with fourteen bytes -  Ralph Langner discusses how "an attacker needs zero insider information and zero programming skills at the controller level in order to perform a Stuxnet-inspired attack against control systems."  (July 21, 2011)

Subscribe to the "Practical SCADA Security" news feed