Control network security lessons from Stuxnet
Industrial control systems have long life cycles. Older systems were designed with little or no regard for cyber security and are interconnected in ways never envisaged. The mistaken belief in "security through obscurity"—the use of specialized systems, protocols, and proprietary interfaces as the basis of secure systems—is obsolete in the wake of recent incidents. Add to this the increasing complexity, proliferation of access points, wireless communications and wider use of common operating systems, and wider use of the Internet, and it is understandable why governments are keen to promote cyber security.
Information on industrial protocols is widely available, and some systems have already been specifically targeted. These include the Modbus protocol and more recently the Stuxnet trojan/virus, which affected Siemens WinCC SCADA, Step 7 Programming Software and Simatic PLCs. While fixes were quickly developed, Stuxnet was a game-changer in terms of its complexity and reach, and as it and other breaches of security continue to be analyzed, governments are responding with general and sector-specific guidance to protect critical national infrastructures.
Critical national infrastructure
The critical national Infrastructure comprises facilities, systems, sites, and networks necessary for the delivery of the essential services upon which daily life depends. This covers nine sectors: communications, emergency services, energy, finance, food, government, health, transport, and water. Like the U.S. Department of Homeland Security, the UK’s Centre for the Protection of National Infrastructure (CPNI) works with the operators of essential services and with lead government departments to identify critical national infrastructure and to help protect it.
An often cited example to illustrate the risk is the "drive-by wireless hacking" by an Australian ex-employee of a Queensland sewage treatment plant. He used his knowledge of the control system to hack the system 46 times and release millions of liters of waste into public waterways.
The CIA has confirmed a cyber attack caused power outages in multiple cities (including New Orleans in 2008). The CIA also provided information on intrusions into utilities that were followed by extortion demands. The U.S. government has been taking the potential reconnaissance of the power grid by Russia and China seriously, considering the potential for terrorist attack, and this year formed the United States Cyber Command. This group is responsible for directing the defense of U.S. Defense Department networks and conducting military cyberspace operations.
In the UK, the Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides protective security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of process control and SCADA security good practice guidelines. Much is a result of the work of the U.S. National Institute of Standards and Technology (NIST) and is sponsored by U.S. Homeland Security.
Stuxnet—an usually complex threat
The Stuxnet trojan/virus is the first publicly known "worm" to target industrial control systems. The threat posed by Stuxnet has been portrayed as beyond anything seen before. Its goal was to sabotage a real-world industrial plant, not disrupt abstract IT systems. It was aimed at industrial control systems with the intention to reprogram PLCs in a manner that would sabotage the plant, hiding the changes from programmers or users.
Stuxnet has highlighted the potential to directly attack industrial control systems used in critical national infrastructure, including energy, water, and transport sectors. Research by Symantec (September 2010) showed that nearly 60% of the approximately 100,000 hosts infected by Stuxnet were located in Iran, with relatively high infection rates also seen in India and Indonesia. This has led to speculation that Stuxnet’s goal was disruption of Iran’s delayed Bushehr nuclear power plant, or the uranium enrichment plant at Natanz.
Stuxnet has been described by Symantec as one of the most complex threats the company has analyzed. Features include:
- Four zero-day exploits, which are exploits that are unknown, undisclosed to the software vendor, or for which no security fix is available. This is a rarity for any virus, and would be considered wasteful by most hackers.
- MS Windows rootkit, which is software that enables privileged access to a computer while hiding its presence.
- First-ever “PLC rootkit,” which infected PLC programs while remaining undetectable.
- Antivirus evasion.
- Two stolen Taiwanese digital signatures to authenticate Windows software.
- Complex process injection and hooking code to prevent programmers from seeing the infected code.
- etwork infection routines.
- Privilege escalation.
- Peer-to-peer updates.
- Remote command and control.
How does this virus spread? Since PCs used for control system programming are not normally connected to the Internet, Stuxnet replicates via removable USB drives—exploiting a vulnerability that enables auto-execution. It then spreads across the local area network via a Microsoft Windows Print Spooler vulnerability, and via a Windows Server Remote Procedure Calls vulnerability.
Stuxnet copies and executes on remote computers through network shares and Siemens WinCC database servers (SCADA software). It also copies itself into Siemens Step 7 PLC program projects and executes when a project is loaded, and updates versions via peer-to-peer communication across a LAN. Stuxnet communicates with two command and control servers originally located in Denmark and Malaysia to enable code download and execution for the updating of versions. Stuxnet may have the ability to change command and control servers, although this has not been observed as yet.
Inside the PLC
Stuxnet fingerprints specific PLC configurations that use the Profibus industrial network for distributed I/O. The particular configurations were gleaned using earlier versions of Stuxnet. If the fingerprint does not match the target configuration, Stuxnet remains benign. If the fingerprint matches, the code on the PLCs is modified with the infected programming software and the changes are hidden.
The modified code prevents the original code from running as intended and causing the plant equipment to operate incorrectly, potentially sabotaging the system under control. This is achieved by interrupting processing of code blocks, injecting network traffic on the Profibus network, and modifying output bits of PLC I/O. How this affects the individual plant system depends on how the control system is connected to the PLC and distributed network I/O via Profibus.
The future threat Stuxnet poses is as a blueprint for attacks on real-world infrastructure, providing generic methods to reprogram industrial control systems. However, the level of sophistication and complexity of Stuxnet, which require significant resources, make it unlikely similar threats will develop overnight.
To address the vulnerabilities revealed by Stuxnet, the series of process control and SCADA security good practice guidelines from CPNI and NIST include a series of sector "road maps" for securing the water, electricity, and chemical sectors. There is an emphasis on cost-effective security for legacy systems and new architecture designs and secure communications.
Standards in this area are blossoming as well, including work being done by the International Society of Automation (ISA), which published ISA99 Parts 1 and 2 that deal with industrial automation and control systems security. Part 1 serves as the foundation for all subsequent standards in the ISA99 series. Meanwhile IEC is also working on ICS standards and is considering work already done in ISA.
In the first public speech given by Britain’s secret intelligence agency GCHQ, Chief Ian Lobban highlighted the "real and credible" threat facing the UK’s Critical Infrastructure from terrorists, organized criminals, and hostile foreign governments. He demanded a swifter response to match the speed with which "cyber events" occurred, and stated that the UK’s future economic prosperity rested on ensuring a defense against such assaults. The challenge is to implement appropriate measures while continuing the process of assessment, adjustment, and review in light of emerging vulnerabilities, threats, and consequences.
Dr. Richard Piggin [rpiggin(at)iee.org] is a UK-based network and security consultant. He works with the IEC Network and System Security and Cyber Security working groups, and is involved in developing IEC 62443 Security for Process Measurement and Control – Network and System Security.
What is a threat?
According to the National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems (ICS) Security, potential cybersecurity incidents may include the following:
- Blocked or delayed flow of information through control system networks, which could disrupt control system operation.
- Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
- Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.
- Control system software or configuration settings modified, or software infected with malware, which could have various negative effects.
- Interference with the operation of safety systems, which could endanger human life.
Best practices for industrial control network protection
In the UK, the Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides protective security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of process control and SCADA security good practice guidelines.
The foundation of the best practice is three guiding principles:
- Protect, Detect, and Respond – It is important to be able to detect possible attacks and respond in an appropriate manner to minimize the impacts.
- Defense in Depth – No single security measure itself is foolproof as vulnerabilities and weaknesses could be identified at any point in time. To reduce these risks, implementing multiple protection measures in series avoids single points of failure.
- Technical, Procedural, and Managerial protection measures – Technology is insufficient on its own to provide robust protection.
Recommendations from the National Institute of Standards and Technology (NIST) include:
- Restricting physical access to the ICS network and devices.
- Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing; disabling all unused ports and services; restricting ICS user privileges to only those that are required; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where feasible to prevent, deter, detect, and mitigate malware.
- Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
- Restoring the system after an incident. Incidents are inevitable and an incident response plan is essential.
For further reading: