On July 18 at the FOSE 2011 Conference in Washington, DC, I was one of two speakers who addressed the topic “Situational Awareness – Mitigating the Next Stuxnet”. In my remarks, I noted that the Stuxnet worm secretly infected 12,000 computers in five Iranian nuclear facilities over a year-long period without detection. The attacks began in 2009 and weren’t discovered until July 2010. I stated that there is no way this attack could have happened had Iran had a reasonably competent level of internal cyber security commensurate with the stated importance of those facilities to that nation.
A look at this diagram shows the nine different ways that the Iranians unwittingly gave the Stuxnet worm major assistance in accomplishing its mission without detection:
Static screen shot from an animated presentation illustrating Iran’s cyber security incompetence
As this diagram speaks for itself, for brevity’s sake I will comment here on only two of the nine ways the Stuxnet worm was able to propagate for so long, to so many thousands of machines, without detection:
- In a real-time process control facility (common example: SCADA/DCS), the user-monitored graphical user interfaces on Human Machine Interface (HMI) machines can be manipulated at will to display whatever an attacker (or an attacker’s malware) wants. This includes forcing the display to show normal facility operations data even though the machinery or processes may be operating abnormally as a result of an in-progress attack. Use of this tactic in an offensive military worm should not have been a surprise, as vulnerability assessment Red Teams, including those managed by yours truly, have used such attacks as part of process control assessment work as far back as 2001.
A low-footprint, high-return way of preventing such manipulation is to use off-the-shelf software to monitor file-level changes to all mission-critical applications such as HMI software, database executables, and major portions of the host operating systems underlying the HMIs. A pattern of file changes that spreads on its own from machine to machine across the network is indicative of a stealthy malware attack. An example: the MD5 or SHA hash value of BOOTVID.DLL changing across a network without detection by anti-virus software likely indicates the spread of a stealthy new malware specimen.
- Malware propagation across a network environment generally produces abnormal patterns of traffic which deviate from previously baselined traffic patterns. These patterns can be detected by routine manual analysis even in the absence of detection by Intrusion Detection Systems (IDS), although many IDSs can be calibrated to detect such traffic deviations. Basic examples of patterns to look for include new peer-to-peer machine connections, server-to-workstation connections, a changed pattern of connections from workstations to servers, changes in outbound traffic, or a pattern of new outbound data egress attempts. Any pattern of changes that spreads on its own across the network without alerts from anti-virus software may be a strong indication of an in-process stealthy malware attack. Example: a burst in a specific pattern of DNS queries which spreads from machine to machine across a network.
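The common thread in both points above is a change that appears on one machine and then turns up on the next, and the next, without any anti-virus alert. As an added illustration (my own example, not code from the talk or from any product mentioned), the following Python applies that test to both the file-hash case and the DNS-query case: the hostnames, hash values, the query name and the timestamps are all constructed, and the only thing it asserts is that an indicator first appeared host after host in sequence rather than everywhere at once.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Known-good hashes of mission-critical files (constructed placeholder values).
BASELINE = {"C:/Windows/System32/BOOTVID.DLL": "hash-good",
            "C:/Windows/System32/ntoskrnl.exe": "hash-p1"}

# Constructed telemetry, not real logs: (ISO timestamp, host, kind, detail).
# kind "filehash" carries "path|digest"; kind "dns" carries the queried name.
EVENTS = [
    ("2010-06-01T08:00:00", "hmi-01", "filehash", "C:/Windows/System32/BOOTVID.DLL|hash-good"),
    ("2010-06-01T09:00:00", "hmi-01", "filehash", "C:/Windows/System32/BOOTVID.DLL|hash-x1"),
    ("2010-06-01T09:00:00", "hmi-01", "dns", "update.c2-placeholder.test"),
    ("2010-06-01T11:30:00", "hmi-02", "filehash", "C:/Windows/System32/BOOTVID.DLL|hash-x1"),
    ("2010-06-01T11:31:00", "hmi-02", "dns", "update.c2-placeholder.test"),
    ("2010-06-01T14:10:00", "eng-ws-07", "filehash", "C:/Windows/System32/BOOTVID.DLL|hash-x1"),
    ("2010-06-01T14:12:00", "eng-ws-07", "dns", "update.c2-placeholder.test"),
    # A legitimate patch push: every host changes in the same minute, so no hop chain.
    ("2010-06-02T02:00:00", "hmi-01", "filehash", "C:/Windows/System32/ntoskrnl.exe|hash-p2"),
    ("2010-06-02T02:00:00", "hmi-02", "filehash", "C:/Windows/System32/ntoskrnl.exe|hash-p2"),
    ("2010-06-02T02:00:00", "eng-ws-07", "filehash", "C:/Windows/System32/ntoskrnl.exe|hash-p2"),
]

def first_seen_by_host(events):
    """Map each indicator (kind, detail) to {host: first time it appeared there}."""
    seen = defaultdict(dict)
    for ts, host, kind, detail in events:
        if kind == "filehash":
            path, digest = detail.split("|", 1)
            if BASELINE.get(path) == digest:
                continue  # digest matches the known-good baseline: nothing changed
        t = datetime.fromisoformat(ts)
        hosts = seen[(kind, detail)]
        if host not in hosts or t < hosts[host]:
            hosts[host] = t
    return seen

def spreading_indicators(events, min_hosts=3, min_gap=timedelta(minutes=1),
                         max_gap=timedelta(hours=48)):
    """Return indicators whose first appearance moves host to host in sequence.
    A hop is a new host picking the indicator up between min_gap and max_gap after
    the previous one; simultaneous appearance everywhere (a patch push) is not a hop."""
    hits = []
    for (kind, detail), by_host in first_seen_by_host(events).items():
        times = sorted(by_host.values())
        hops = sum(1 for a, b in zip(times, times[1:]) if min_gap <= b - a <= max_gap)
        if len(by_host) >= min_hosts and hops >= min_hosts - 1:
            hits.append((kind, detail, sorted(by_host, key=by_host.get)))
    return hits
```

Run against the constructed events, it flags the BOOTVID.DLL hash change and the recurring DNS name, each hopping hmi-01, hmi-02, eng-ws-07 in turn, and ignores the ntoskrnl.exe change that landed on all three hosts in the same minute.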
In conclusion, it should be calming to realize that in the end, the Stuxnet worm was just software. Complex, groundbreaking software, admittedly, but still just software. Stuxnet had no magical powers or superhero ways of taking over its target networks. It was merely software that relied on the same avenues of attack and network communication protocols which have been widely discussed for many years as significant problem areas. Stuxnet could have been beaten by a level of internal defense commensurate with the importance of those facilities to that nation.
Now that the Stuxnet code is in the wild, we can surmise that the next great attack will only build on the groundbreaking path laid by the Stuxnet worm. This should be a wake-up call to our nation. The question is, are we listening? Time will tell soon enough.