Gary Mintchell

Entries in Stuxnet (8)

Tuesday
Feb 22, 2011

How Stuxnet Spreads

Eric Byres, CTO of Byres Security Inc., Andrew Ginter, CTO of Abterra Technologies and Joel Langill, CSO of SCADAhacker.com announced today the release of their joint White Paper “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems.” Byres says it is the first paper to detail how Stuxnet could infect a control system site protected by a high security architecture using modern, vendor-recommended best practices. The paper shows that current best practices are insufficient to block advanced threats. It then discusses what operators of control and SCADA systems need to do to protect their critical systems from future threats of this type.

Stuxnet is the first known malware to have been designed specifically to compromise a control system and sabotage an industrial process. It has been described by Symantec's forensic experts as the “most sophisticated” piece of malware they have ever seen.

The paper follows the progress of the worm as it moves through a hypothetical control system, configured according to vendor-recommended security best practices. In spite of strong security measures, the worm is able to compromise a sequence of machines, culminating in the compromise of the PLC devices which directly control the physical process.

While Stuxnet is presumed to have targeted the Siemens WinCC and PCS7 systems used at Iran's uranium enrichment plants, its existence raises the bar for cyber security at all automation and critical infrastructure sites around the world.

Andrew Ginter remarked “The Stuxnet worm is the best-documented example of an advanced threat designed to sabotage an industrial control system. Other recent attacks have targeted control systems for industrial espionage. Control systems are now targets of advanced threats and today's best-practice defenses must be improved before they can stand against these kinds of adversaries.”

“By explaining how Stuxnet works, our paper helps security professionals understand what it takes to properly secure a state-of-the art industrial control system,” said Joel Langill. “The reality is that the majority of critical facilities are protected much less thoroughly than the hypothetical site described in our paper, and now they need to step up and protect against Stuxnet-like malware.”

“Our paper goes into great detail on Stuxnet infection pathways and highlights the difficulty of preventing infection from an advanced threat. While best practices for prevention should be implemented, control system operators should also put into practice early detection, mitigation, and containment strategies,” remarked Eric Byres. “Such strategies include putting into practice zone-based security as described in ANSI/ISA-99 Standards, paying particular attention to securing last-line-of-defense critical systems, and understanding the unique security challenges of control systems versus IT systems.”

The paper concludes that changes to improve the cyber security of industrial control systems are urgently needed. You can download the paper here, but you must register with the Website.

Wednesday
Feb 16, 2011

Cybersecurity and Stuxnet Still Top Concerns

Today is becoming security day for me. I am still listening to a press conference live from Silicon Valley--Wind River and McAfee are partnering to put McAfee security on embedded devices powered by Wind River operating systems. McAfee is in the process of being acquired by Intel, which has spurred it to scale its software down to the footprint embedded devices require.

The companies' executives see this as an opportunity for their OEM customers to achieve product differentiation through added security.

Meanwhile, I received a paper written by Torsten Rössel, Director of Business Development for Innominate Security Technologies AG in Berlin. Innominate is a Phoenix Contact business that has a security device dubbed mGuard. It has been tested by a university and found to be effective against--among other things--the infamous Stuxnet. This is interesting and worth checking out.

From his whitepaper:

"Due to the difficulties of deploying antivirus software on industrial PCs and with the timely provision of malware signatures, alternative techniques of integrity assurance are gaining relevance and acceptance for the protection of industrial systems. The mGuard CIFS Integrity Monitoring method, for instance, provides monitoring of configurable sets of files on PCs for unexpected modifications of executable code (CIFS or Common Internet File System denoting the file sharing protocol used by Windows and other operating systems). When initialized, it computes a baseline of signatures for all monitored objects and then periodically checks them for any deviations. This process works without any external provision of virus signatures, without the risk of disrupting operations through “false positives,” without installation of software, and with moderate load on the monitored PCs, by utilizing the processing resources of an mGuard security appliance. In this way, suspect modifications are reliably discovered and promptly reported via SNMP and E-mail to network management systems or responsible administrators.

"In a test study performed at the University of East Westphalia-Lippe in Germany, researchers from the independent inIT Institute for Industrial IT (www.hs.owl.de/init/en/) have been able to verify that mGuard CIFS Integrity Monitoring recognized infections with Stuxnet and would have done so on day zero of its exploit. It would have unveiled the unexpected manipulations by the worm and warned asset operators about them long before any commercial antivirus product. Both the device drivers installed by Stuxnet as well as the modifications performed by the worm on the pivotal SIMATIC Manager DLL were immediately discovered in the process. And while antivirus products need frequent, continuous pattern updates – mGuard CIFS Integrity Monitoring does not need any patterns at all."
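The baseline-and-compare method the whitepaper describes is simple enough to show in code. The following is an added example written for this page, not Innominate's mGuard implementation: it walks a local directory in place of a CIFS share, records a SHA-256 digest for every file whose extension marks it as executable code (the extension set is an assumption), and on a later pass classifies each deviation as modified, added or removed, then flattens the findings into the one-line-per-event form you would hand to an SNMP trap or e-mail alert. The "engineering station" files it baselines, and the trojanized DLL and dropped driver it then introduces, are constructed for the demonstration.

```python
"""Baseline-and-compare integrity monitoring for executable files.

Added example: it is not Innominate's mGuard code, and it scans a local
directory in place of a CIFS share.  File names and contents below are
constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Which files count as "executable code" is a policy choice; this set is an assumption.
MONITORED_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".drv"}


def file_digest(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record a digest for every monitored file under root, keyed by relative POSIX path.

    Take this on a known-clean system and keep the result off the monitored host;
    malware that can alter the files could otherwise alter the baseline as well.
    """
    return {
        path.relative_to(root).as_posix(): file_digest(path)
        for path in root.rglob("*")
        if path.is_file() and path.suffix.lower() in MONITORED_SUFFIXES
    }


def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Recompute digests and classify every deviation from the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def render_alert(host: str, findings: dict[str, list[str]]) -> list[str]:
    """One line per deviation, the shape you would forward as an SNMP trap or e-mail."""
    return [
        f"{host}: {kind} {path}"
        for kind in ("modified", "added", "removed")
        for path in findings[kind]
    ]


def demo() -> dict[str, list[str]]:
    """Baseline a constructed engineering-station share, then simulate a Stuxnet-style change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "step7").mkdir()
        (root / "drivers").mkdir()
        (root / "step7" / "s7core.dll").write_bytes(b"original library bytes")   # constructed
        (root / "step7" / "s7mgr.exe").write_bytes(b"original program bytes")    # constructed
        (root / "step7" / "readme.txt").write_text("documentation, not monitored")
        (root / "drivers" / "disk.sys").write_bytes(b"legitimate driver bytes")  # constructed

        baseline = build_baseline(root)

        # Simulated infection: an existing DLL is swapped for a trojanized copy and a new
        # driver is dropped.  The text file also changes, but it is outside the monitored set.
        (root / "step7" / "s7core.dll").write_bytes(b"trojanized library bytes")
        (root / "drivers" / "rootkit.sys").write_bytes(b"dropped driver bytes")
        (root / "step7" / "readme.txt").write_text("changed, still not monitored")

        findings = check_integrity(root, baseline)
        for line in render_alert("eng-station-01", findings):
            print(line)
        return findings


if __name__ == "__main__":
    demo()
```

Two practical points follow from the code. The check only sees the file set you configure, so the swapped DLL and the dropped .sys file are caught while the edited text file is not; and an approved patch to a monitored file shows up as "modified" exactly like a trojanized one, so the baseline is re-taken after each authorized change window rather than treated as permanent.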

Tuesday
Nov 16, 2010

Catching Up on Automation News

Catching up on news: formatting, Opto, Omron, interesting links, digital pen, and more.
I've just been swamped lately. Lots of news plus new year planning and recovering from trips. Saturday, though, I'm leaving for Nuremberg and the SPS/Drives trade fair. Looks like lots of announcements from the European-based automation companies coming. Just in time to accompany the Thanksgiving turkey.

Sorry about the formatting lately. I've been using Dave Winer's OPML outliner/editor to compose with for quite a while. But you can't copy from Microsoft Word and paste into it. You have to save as .txt then copy and paste. So I thought I'd go back to OmniOutliner. It's friendly with Microsoft, but it can't handle text (at least I've tried various settings and nothing works). I haven't figured out the magic formula.

Opto 22 has released a new product that it calls a sensor--but it's a sensor and more. It is designed for energy management and the smart grid with built-in sensing capabilities, connections for additional sensor input and on-board intelligence. Opto has always been at the confluence of IT and control, and this is no different as it includes IT-friendly networking and industrial-grade networking. It's designed to help get energy information to the people who actually control how energy is used in near real time. See the product write-up here.

Had a meeting with some of Omron's new management team. Most have been in place for about three years, but I have not had an opportunity to meet them. I've always found the North American operation to be an enigma. And too many heads of marketing with too many changes of direction. Sounds as if the new team headed by Gregg Holst has been concentrating on the basics and getting the ship up and running with the wind rather than against it. They say that revenues are very good, and they are optimistic. Not everyone in the discrete automation space can say the same thing. Here's a company to watch.

Check out this Web site. HylaSoft is working with a digital pen and some software they've written to capture writing as operators and clerks fill out forms and ship the digital image or ASCII text to a computer. This holds promise of making data entry easy and painless. Just fill out the paper form once and eliminate the next process of entering into the computer. Great for Hazop and LIMS reports, digital signatures and the like.

Interesting news on the Stuxnet front. The target keeps pointing at Iran. Seems researchers have found code that points to a couple of specific variable frequency drives that control centrifuges essential to enriching uranium into weapons grade at an Iranian site. Hmmm.

Blevins and Mark Nixon have updated the worksheet Website for their Control Loop Foundation book. I've found the book to be an interesting read, and have passed it along to my new boss to get him up to speed on the other part of automation. He's been dealing with packaging machine automation for several years. This is a whole nuther world.    

Interesting podcasts

Talk on an experimental site at the US State Department--Opinion Space--with a very interesting technology for handling thousands of comments so that someone can make sense of them. Love to see this on the Automation World Website.

Great talk on customer service: "Everything fails all the time."

Neal Ford at the Rails Conference on constraints--one of the best presentations you'll hear this year.

Interesting discussion on reconfigurable robots, Kasper Stoy.

Finally, Emerson has joined the FDT Group. Are DTMs in its future?

Thursday
Sep 23, 2010

Stuxnet and Siemens Updates

An article in Infoworld asks the question--Was Stuxnet built to attack Iran's Nuclear Program? Thought provoking even if we'll never know.

Also, Wes Iversen has a news update from Siemens on the whole problem. You have to give Siemens credit for jumping on the situation immediately and keeping the community informed. Tough situation.

Tuesday
Sep 14, 2010

Stuxnet Security Raises Ugly Head Again

I see via this article in Computerworld that Siemens has identified up to 14 locations of Stuxnet penetration. I'll see if I can run down more information tomorrow. Just because this has been out of the headlines doesn't mean the threat is gone. Continue to review, upgrade and manage all your security policies and technologies.