The Stuxnet malware is a game changer for critical information infrastructure protection, an EU security agency has warned. ENISA (European Network and Information Security Agency) warns that a similar attack of malware capable of sabotaging industrial control systems as Stuxnet may occur in future. The worm, whose primary …
Statements of the obvious?
"ENISA (European Network and Information Security Agency) warns that a similar attack of malware capable of sabotaging industrial control systems as Stuxnet may occur in future."
Which is another way of saying that the type of attack that already happened could happen again... Wow! Really - who knew?
"Critical protection methodologies and best practices will have to be reassessed in the wake of Stuxnet, according to ENISA."
I.E... slapping McAfee/SAV/etc on your Windows XP "critical infrastructure", strolling off and whistling might be inadequate?
If "critical protection methodologies" of the type that I've heard of before, which include stateless operating systems and disabling of USB among a number of other best practices... had actually been followed they more than likely would not have seen this infection.
I have yet to see any evidence that the "critical" machines in question were managed any differently than a standard desktop.
"I have yet to see any evidence that the "critical" machines in question were managed any differently than a standard desktop."
And in many cases, possibly even managed less/worse, as the presumption is that the air gap will save them. Whoops!
"If "critical protection methodologies" of the type that I've heard of before, which include stateless operating systems and disabling of USB among a number of other best practices"
High assurance measures, I think you mean. Often they end up at the bottom of the RA matrix because of the cost. The figure in the 'cost of failure to mitigate' column just had a rather hefty number of zeros postfixed, though, so this may change.
If "critical protection methodologies
Security always seems an afterthought and only really taken seriously for a while when burnt
The rush to web apps seems typical - people are starting to wake up to the idea that security needs to be taken seriously and with web apps it is far more complex than an application
Cost is a relative thing.
Paying to harden the operating system is one thing, but on a factory floor environment your solutions don't have to be pretty - fill the USB ports with a hot glue gun, and remove the CD and floppy disk drives. Sorted....
"Paying to harden the operating system is one thing, but on a factory floor environment your solutions don't have to be pretty - fill the USB ports with a hot glue gun, and remove the CD and floppy disk drives. Sorted...."
Cool. Now how do I get my updated PLC code onto the machine ?
@The Other Steve
That's what the punch card reader is for you idiot!
"helping to devise revised best practices for securing SCADA systems."
It should be quite a short document:
1. Do not connect any SCADA system to the internet.
2. Do not connect any SCADA system to any computer running any version of Windows.
3. Member States will impose the mandatory death penalty for anyone who violates rules 1 or 2.
Let IT be .... and it is.
How do you secure SCADA systems against Wireless and Satellite Beamed Intrusions which are Super IntelAIgently Designed to Engage and Enable/Actualise Executive Administrative Devices? And why would one wish to bother to deny oneself such Selfless Treasure and Fabulous Pleasure.
should really STFU when it comes to anything to do with the real world.
It's just embarrassing.
Look what happens when you use long words... incorrectly.
Time to ditch windows, seriously
For all serious business / commercial / industrial use Windows really needs to be ditched, much as I like it and enjoy using it.
One thing that puzzled me during the 80's and 90's was the massive adoption of what was to me, a user friendly home operating system, but across the business world. I simply did not "get it" that workers should be "allowed" to use a home system and play games at work, browse the web, etc. Now it cannot be really turned off without great pain and resistance, but it MUST be done.
Businesses need business systems, probably based on linux or BSD, and not necessarily the newbie friendly Ubuntu which has also taken steps to simplify security but reduce it accordingly.
IT Professionals need to stop being lazy and CIOs need to stop trying to be popular but have a serious discussion with the CFO and COO about the risks and cost of lax security and that it cannot really be fixed without major changes...so forget about allowing iphones or Android phones in with all their security ridden apps sending data to god knows where!
But... but... but....
The users will riot if we take away their access to Facebook! Accessing Facebook to carry out personal business while on the employer's clock is a fundamental human right and can not be infringed upon.
The entire system software (PLCs and computers) should run from Read-Only devices. No executable code in RAM. Nothing in data store should be capable of being executed. No general purpose libraries. No external devices should be able to directly write to the data but must go through a locked-down IO system. Whatever BIOS that's there (and it should be really minimal) should only be able to read program from one specific source and should not be software reconfigurable.
This will never happen of course as while Devs would love it the bean counters would veto it as not being 'cost effective'.
"essentially ignores vulnerable Windows boxes...
This does rather give the impression that the Windows controllers/reporter computers are not involved. The systems wouldn't be in trouble if it wasn't for the vulnerabilities in Windows AND the criminal lax security of the Siemens systems.
But let us be clear - the Windows PCs ARE infected.
I think not.
Same rules apply - if it's worth more than 50p don't have Windows in the loop.
Bring back DEC, all is forgiven
Many years ago I was running process control on a VAX 32 (single chip, 6U(?) 19" rack, not much in the way of magnetic storage (but on that at least, now we have no problem)) using RSX11 IIRC
And there was XINU, now there is RTLinux.
I understand that graphical interfaces used not to be a priority for NIX lovers, but that too has changed.
I think I know what architecture I would want for my networked process control
Paul forgot another rule, before his rule 3:
3) Do not allow "critical Windows systems"  ever to interchange programs or data with any other computer systems, as the transfer of files can expose as-yet-unknown vulnerabilities, as happened with Stuxnet and with many others before and with many others still to come.
Once PaulVD and others acknowledge this simple truth, one which is so impractical as to be unimplementable, the futility and risk of using Windows for this kind of critical application becomes very clear.
 ok it's an oxymoron but there are a lot of morons in this picture
[submitted Sun 8:30 pm ish BST]
Lockerbie bomber release was motive for Stuxnet Worm
"Motivation behind Stuxnet." BP lobbied for the release of the Lockerbie bomber, and the people responsible for Stuxnet wanted to make sure they paid. To make sure the oil deal from releasing the bomber, BP couldn't make a profit from. Stuxnet targeted the oil well. There were a lot of unhappy people after the release of Abdelbaset Ali al-Megrahi. Abdelbaset Ali al-Megrahi was convicted for blowing up Pan Am Flight 103 over Lockerbie, Scotland, on December, 21, 1988. He was freed on compassionate grounds by the Scottish government on August, 20, 2009. The claim was he had terminal prostate cancer and was expected to have less than three months to live. It was a lie and he is still alive living the life of riley in Libya. Originally posted by me at http://www.schneier.com/blog/archives/2010/10/stuxnet.html#c467887
He is not living the life of riley.
He is horribly ill.
They probably had to cut bits out of his willy to keep him alive at all. When you do that to a willy, it doesn't work very well for any of the things you normally use it for.
He's probably been irradiated.
And he's slowly slowly dying.
One plus: because of the terrible pain, they let you have as much heroin as you want. However, at a certain stage, the point of still feeling pain and the point of still remembering who you are cross over. And then you're a struldbrug, except that, unlike a struldbrug, you are, in fact, about to die.
- an intelligence agency from one of the G7 is most likely to have the means, the motive, and the capability
- the pattern of infection - they are all Asian/Middle Eastern countries, or very close to it
- the pattern of NON-infection - Europe, USA and China are currently not listed in the article as being infected - you probably wouldn't infect yourself, so this is the shortlist
- the control centres - hmm, one in Asia, one in Europe.
- the common element in the infection/non-infection/command centres is China.
So that would be my prime suspect, if I was investigating, which of course I'm not.
I've still never heard a good explanation
On the infection pattern. Why India (86,258), Indonesia (34,138) and Iran (14,171) with such high infection numbers? (Figs from Kaspersky as of 9/28). The "next" highest on the list is roughly half of Iran's numbers.
Seems to me to imply a lot of traffic between Iran, which is under all sorts of UN Sanctions, and India and Indonesia.
No sh*t Sherlock
"protection methodologies and best practices will have to be reassessed"
Start by firing all of the muppets who were responsible for the lamentable security of the Siemens system perhaps (remember the 'un-changeable passwords')?
Then make insurance of said devices mandatory, and allow the financial penalties of using Windows with its impressive history of exploitation become a financial factor in deciding what OS(s) to use.
Now please note that I have said before, and will repeat again it for hard of thinking, there is no perfect OS from a security point of view, and if said muppets can be persuaded to install something with more holes than Swiss cheese you are facing game over irrespective of the OS choice.
But really, given Windows' legacy of exploits, and the established expertise in black-hat circles for penetrating it from all manner of orifices, only Paris would think it a smart move for critical infrastructure.
" a game changer for critical information infrastructure protection"
in that if your critical information infrastructure DOESN'T LET YOU CHANGE THE FACTORY DEFAULT PASSWORD then SOMEBODY NEEDS TO BE FIRED.
New rule. ;-)
Having said that, if the target of the worm was Iranian atomic energy generation, then the vulnerability may have been put in place on purpose.
And of course nobody is allowed to sell nice stuff to Iran anyway - so they probably have trouble using the customer support line.
How dare they try to enter the twentieth century.
"No Member State ... can successfully mitigate on their own
"No Member State, hardware/software vendor, CERT or law enforcement agency can successfully mitigate sophisticated attacks like Stuxnet on their own"
Member states are in a better position to do something about this than the other parties on that list. The hardware/software vendors are in general clearly certified Microsoft dependent, directly or indirectly, and law enforcement agencies also are far too subject to generic MS lobbying at senior government level.
Member states can set (or contribute to setting) nuclear regulatory policy, and in general the input has to come from credible technical sources (not government officers). Regulatory policy could and probably should be worded such that known vulnerable MS products do not at any time cross the plant boundary. Known vulnerable MS products: Windows will do as a start.
Anti-competitive? No more anti-competitive than tactics MS have used in the past? Now it's their turn to be on the receiving end.
Not just nuclear either. In due course, see also: water, electricity, oil, gas, flight systems, etc. Oh, and maybe finance too. I want to be able to keep what's left of my pension.
Where's Ross Anderson? What's he got to say about this, or is it of no interest because there's no money at stake?? Les Hatton, where are you?
The engineers with clue on these projects likely *know* what they're doing is wrong but the PHBs in charge have, to date, left them little option but to continue down this road.
It's time to stop pussyfooting around.
1. Do not connect any SCADA system to the internet.
Another person who has failed to read any of the analysis of the threat before flapping their fingers.
You failed to read the article as well...
You see the C&C centers connect to this via the internet. Take that out and there is no way of controlling what happens. Of course someone could break something else but that would require a very specific targeted attack to work on a specific setup.
So yes... internet is necessary if you want to actually control stuff. It isn't a complete solution but it's a start.
I work with SCADA and PLCs in the water industry, we don't put them on the internet.
Quite clever to rely on infected USBs. But why are people plugging USB sticks into SCADA systems?
No, I didn't
"You failed to read the article as well."
The problem is not that I didn't read the article, it's that you don't understand the threat.
RE: Why indeed
"But why are people plugging USB sticks into SCADA systems?"
They aren't. They are/were plugging them into the windows host used to program PLCs, at which point stuxnet trojans your PLC programming software (WinCC in this case), and then next time you program a PLC, it actually writes custom code to the PLC. Code which is masked from the programming host.*
Then you drop your PLC back in, and your plant go boom, or at least crunch, if it happens to match a certain configuration.
That's why everyone's knickers are in a twist.
*this is a gross simplification, if you work with SCADA, reading the actual analysis is an absolute must.
At the weekend I was speaking to a friend of mine who is a process control engineer in a large foundry. I mentioned this worm to him and its attack vector and he was totally staggered that anyone would attach their SCADA to any network which could be connected to the outside world in any way or allow anyone to attach external media to the systems. He also said that this is SCADA lesson one. After this he said that they ditched Siemens years ago due to unreliability...
Last self-repetition, honest. Please RTF Analysis
"he was totally staggered that anyone would attach their SCADA to any network which could be connected to the outside world in any way"
The (allegedly) affected SCADA systems were not connected to the outside world in any way.
"or allow anyone to attach external media to the systems."
No one attached external media to the SCADA systems.
"He also said that this is SCADA lesson one."
Indeed it is. Which is why stuxnet was coded in order to jump over these limitations.
Clearly none of the commentards can be arsed to RTFM, so in summary :
Stuxnet arrives at your plant on a USB drive (say). It then compromises machines and spreads through your internal net via a combination of tricky exploits. It also continues to infect USB (or other removable media).
At some point, someone takes a USB drive across the air gap that separates the internal net from the PLC development boxes and plugs it into the machine used for PLC software development, it spots the WinCC PLC development environment and trojans the fuck out of it, enabling it to drop its payload of malicious PLC code into any PLC projects that come along.
At some point further along, someone takes this developed PLC code on (say) a USB stick, and crosses another air gap to the machine that is used to program the code onto the PLC. At which point, stuxnet trojans the fuck out of the PLC programming software as well.
Now, at this point, when you take your PLC out of your SCADA gubbins to modify the process code on it, another air gap because no one attaches SCADA to anything, it rewrites the code on the PLC, only you can't see it, because stuxnet has trojaned the fuck out of the programming software, and it is now lying to you.
Then you put the PLC back across the air gap and start up your plant. Then your plant go boom.
Stuxnet was specifically designed to work around the fact that no one is dumb enough to connect SCADA kit to external networks, and to exploit the - now thoroughly debunked - belief that this is sufficient to protect them from remote malfeasance.
Now can we all please stop with the "shouldn't connect SCADA to teh internets" cockwaffle ?
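Added example, not part of the original comment thread: a Python sketch of the point made in the summary above, that a readback taken through compromised programming software shows nothing wrong, while a comparison against hashes recorded on a separate trusted machine does. The block names, block contents and the `masked_readback` model are constructed for illustration, and the existence of an independent read path is an assumption.

```python
import hashlib


def manifest(blocks):
    """Map each PLC block name to the SHA-256 digest of its code."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def diff_manifests(expected, observed):
    """Return (finding, block_name) pairs where observed differs from expected."""
    findings = []
    for name in sorted(set(expected) | set(observed)):
        if name not in observed:
            findings.append(("missing", name))
        elif name not in expected:
            findings.append(("unexpected", name))
        elif expected[name] != observed[name]:
            findings.append(("modified", name))
    return findings


def masked_readback(plc_blocks, approved):
    """Constructed model of a readback through trojaned programming software:
    blocks the engineer expects are shown in their approved form, and any
    block the engineer did not write is hidden."""
    return {name: approved[name] for name in plc_blocks if name in approved}


# Constructed sample data: the project as signed off by the engineer...
APPROVED = {
    "MAIN": b"read sensors; call PUMP_CTRL",
    "PUMP_CTRL": b"hold speed within limits",
}
# ...and what is actually on the PLC after programming from an infected host.
PLC_CONTENTS = {
    "MAIN": b"read sensors; call EXTRA_1; call PUMP_CTRL",
    "PUMP_CTRL": b"hold speed within limits",
    "EXTRA_1": b"code the engineer never wrote",
}

# Baseline digests, assumed to be recorded at sign-off on a trusted machine.
BASELINE = manifest(APPROVED)


def audit_via_programming_host():
    """Audit using only what the (compromised) programming software reports."""
    return diff_manifests(BASELINE, manifest(masked_readback(PLC_CONTENTS, APPROVED)))


def audit_via_independent_reader():
    """Audit using block contents obtained without the compromised software."""
    return diff_manifests(BASELINE, manifest(PLC_CONTENTS))


if __name__ == "__main__":
    print("via programming host:   ", audit_via_programming_host())
    print("via independent reader: ", audit_via_independent_reader())
```

The comparison only helps if both the baseline and the read path sit outside the machine that may be lying.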
Steve - What is attaching a USB drive to the SCADA systems, if it's not attaching external/removable media?
Like I said, there are basically two ways that computers can become infected - via a network connection or via external media. I can't think of another way to get software onto a computer, short of typing it in.
Really, none of this matters if you don't connect your SCADA to the Internet.
I jest but I'm working on a PLC that is, wait for it, connected to and programmable over the Internet. It's not exactly critical infrastructure and the worst someone could do is burn out a couple pumps and spill a bit of poo, but I've still been appalled at how every company involved depends only upon the obscurity of the hardware for security. Much like Siemens they all advise against changing default passwords or ports. And one of the passwords is 12345. Consider this my grey hat disclosure to encourage better security.
I wonder how many of those systems were considered 'closed' as a justification for not having any virus/malware scanning
Re: "not having any virus/malware scanning"
Not that malware scanning would have thwarted a well financed team of black-hats anyway.
Please oh please
Will the powers upon high, gaze down at the brick and mortar that builds the hills through which the skills of business supposedly rise feeding their pockets. Without surprise, and in only one breath surmise that the protective guise of Microsoft as secure is seen through like manure. Pure and secure by nature is the world of open source (surprise, surprise). Of course though, this side of the world that glides by doesn't have so many people who pull out their horse tackle and shackle such critical systems to their grin for it is a world where people actually look within to see sense and make decisions based on precision and principle. Stuxnet is not new just as the sky is blue, what is new is the rain that forces people to look up without an umbrella :p
*whistles innocently* ahhhh, sunday poetreats :p
What the back door password was doing there in the first place is the thing that gets me.
Can anybody shed any light on whether this is industry practice for this kind of equipment?
with the continual de-skilling and down sizing of factory staff; OEM support is moving more and more into remote access. This after spending years telling clients that no sane Engineer would put a process network anywhere near the inter/intranet; hell we don't even want our friends from IT having access. But now we have to link (mostly via a good solid firewall) to the factory IT infrastructure & then out either by VPN/HTTS or dedicated adsl link.
So now I sit somewhere in the UK accessing factories all over the world. Some of them even want me to have access to their Process Control systems so I can modify/improve it - when it is running. And I can do this from the office or from home.
It is quite sobering; I know more about some plants that I have never been to than the people 'running' them. AND; if I so wished I could do all sorts of interesting things; some of which could cause things to go bang - or even B A N G ! And no one would be able to find out who caused the bang....
Stuxnet is what we spent years defending against. - and a lot of people (IT and Management) thought we were being stupid. Now when it becomes imperative that we have remote access; oops - there it is; only Siemens at the moment; Honeywell; Emerson; Rockwell; Wonderware etc can't be far behind. And that's when it gets really frightening; when the DCS systems are targeted; little PLCs aren't too much problem; but corrupt a DCS and then you will have BIG trouble. (So what idiots 'forced' COTS crap -AKA Windows- onto the process world ?). Think of all those BIG refineries/dangerous chemical plants they use DCS to control the PLCs & monitor what's going on...
The only solution is to train more engineers; pay them more than bankers, and have enough in plant to keep each plant safe. At least that way there are only a small number of people who would be in a position to commit sabotage.
AC - you think I'm as stupid ?
I'm finding it has the opposite effect, viz it makes me want to get very drunk indeed. That is by far the most frightening thing I have read for a long time.
"..was granted a five-year extenuation to its responsibilities last month. .."
extenuation: noun - 1.the act of extenuating. 2.the state of being extenuated.
extenuate: verb - 1.to represent (a fault, offense, etc.) as less serious.
2. to serve to make (a fault, offense, etc.) seem less serious.
3.to underestimate, underrate, or make light of.
I don't get it.
One question that yet isn't answered...
I wonder. The worm exclusively targets systems made by Siemens.
Who are Siemens' main competitors for those contracts? It doesn't (by its spread geographically) seem targeted at any one country, but it is provably targeted at one single supplier's systems. Who stands to gain, should this worm tarnish Siemens' reputation in the industry?
"very specific targeted attack to work on a specific setup."
"the C&C centers connect to this via the internet. Take that out and there is no way of controlling what happens. Of course someone could break something else but that would require a very specific targeted attack to work on a specific setup"
You're the one who needs to understand.
The Stuxnet payload already is very specifically targeted. The payload is already perfectly capable of "controlling what happens". If you want botnet-style remote control to allow changes of behaviour, then yes that works best with an Internet connection. But if the desired behaviour is already coded into the Stuxnet (or similar) payload, there is absolutely no need for any Internet connection in this picture.
And anybody who thinks it is practical to implement systems like this without transferring data to/from other systems (no network, no removable media, ever) needs their head examining. As does anybody who still tries to claim that Windows is appropriate in this kind of setup.
Not difficult to control
Not difficult to control as long as the meatbags do as they are told.
Take the SCADA machines off network and put in an airgap.
Have good quality AV/Malware scanning on a sheep-dip machine and have workers scan USB/CD media before it goes on the SCADA machines.
Of course the meatbags won't want to do this extra step because they are lazy so the first person caught not following the procedure will have to be very publicly flogged and sacked.
Devices should be restricted to authorised devices only if poss.
"airgap ... scan USB/CD media before it goes on the SCADA machines."
Engage brain before operating keyboard. Understand what you're posting about before you post.
Stuxnet included several "zero day" vulnerabilities. It wasn't the first zero day vuln in the wild, and won't be the last.
Does 0laf know what a "zero day" vuln is, and what it means? It means...
"zero day" vulnerabilities are by definition not detected by malware scanners. "Good quality" is irrelevant.
So having an airgap and passing files through a "sheep dip" virus scanner is pointless, because the AV folks don't have a signature for the zero-day stuff.
There is a fix, 0laf and many others know what it is, but 0laf and many others seem reluctant to accept it. Why so? [there are some obvious Microsoft-dependency answers]
I see Fraser's been back, and not surprisingly is among the clueless (or deliberately misleading) who think "disconnecting from the Internet" is relevant here.
I like the "sheep dip" term, but the sheep in this picture are the mystifyingly monominded "there is no OS but Windows" sheeple, especially those who think "good quality" AV scanners are of any serious help.
Name calling aside: How do you think that a computer can become infected if it's not connected to the Internet or to a corporate LAN which has a proxy/NAT onto the internet? Accepting that it also has no method of inserting removable media (CDs/USB memory sticks/USB HDDs etc)
I would also presume that development is carried out in a secure network.
The only way that I can think is if the updates servers host infected packages.
Presume whatever you want
Please re re re read Steve's writeups.
Some data *needs* to be exchanged between the SCADA boxes and the rest of the world. Not all the time, not with the Internet, but from time to time. Sooner or later an infected file or device will infect a Windows box which will later connect to the SCADA network. No malware scanner will detect it if it's a zero-day exploit, so the infection is invisible, and can lie un-noticed for months.
The only alternative to that data exchange process is, as you have already suggested elsewhere in this thread, re-keying any data which needs to be transferred to or from the "secure" SCADA network. I presume you worked out that's not really practical, right?
Have a nice day.
It is not the father that scares me , it is the son of........
Whether it be nublets like 4chan or nation states like Israel, Stuxnet was a targeted attack and that is the worrying thing in this whole saga is the ability to target aspects of a nations infrastructure.
The reason behind the "it must have been a nation state" is this attack required forward intel before stuxnet was primed, zero day babies are nothing new and can be bought on the open market or sold on to the very target they are designed to exploit.
Stuxnet was different in that it required a very intimate knowledge of the Iranian infrastructure on various levels not just SCADA systems.
And if you think this was passed on by infected USB sticks then you're as gullible as the media who swallowed Iranian state press releases.
Stuxnet looked like a live test for something bigger and that is what has people's knickers in a twist.. "What's Next"