STUXNET - A Game-Changer
The malware was designed to attack industrial systems, specifically automation systems manufactured by Siemens. The most high-profile report of this virus concerned the Iranian nuclear enrichment facilities. It was the first time in recorded history that a virus was used to cause physical damage, and some also consider it the first cyber weapon ever used. The virus targeted the Siemens SCADA (supervisory control and data acquisition) systems and disrupted the processes controlled and monitored by the SCADA system. It damaged the uranium-enriching centrifuges and led to a major slowdown in the refining process; many of the centrifuges had to be replaced because they were no longer operable. Let us try to understand how this happened.
Information assets:
• The main target asset here was the Siemens SCADA system. This system was used to automate and control the various processes involved in running the nuclear enrichment facility.
• The compromise of these information assets affected other assets such as power plants, industrial facilities, etc.
Vulnerabilities:
From what is known so far, it exploited three vulnerabilities in Windows in order to gain entry and spread.
The Microsoft identifiers are MS08-067, MS10-061 and MS10-046.
• MS08-067: It attacked Windows 2000, Windows XP and Windows Server 2003 systems, exploiting a vulnerability in the Remote Procedure Call (RPC) service without any authentication and running arbitrary code of the attacker's choosing.
• MS10-061: Here the method exploited was to spread within networks in which systems shared a network printer.
• MS10-046: Here the Windows shortcut vulnerability was abused: it allowed remote code execution when the icon of a specially crafted shortcut was displayed. Because the system grants full admin access to the icons, the virus was executed through this.
In the case of the SCADA systems used in the Iranian plant, analysis revealed that WORM_STUXNET.A looks for the legitimate .DLL file S7OTBXDX.DLL used by Siemens WinCC systems in the Windows system folder. Once found, it renames that file to S7OTBXSX.DLL and drops a modified .DLL file in place of the original. This DLL contained code modifications to access, read, write and delete code blocks on the PLC (Programmable Logic Controller).
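As an added defender-side illustration (not code from the page, from Siemens or from any Stuxnet analysis), here is a small Python integrity check for the replacement pattern just described: it flags a trusted DLL name whose content no longer matches a known-good hash, and the genuine content reappearing under another name such as S7OTBXSX.DLL. The baseline hashes and the file contents in the demo are constructed stand-ins; in a real deployment the baseline would be taken from a clean install of the Siemens software.

```python
import hashlib
from pathlib import Path

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_dlls(files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Compare a folder snapshot (lower-cased name -> bytes) with known-good hashes.

    Two signals, modelled on the S7OTBXDX.DLL replacement described above:
      1. a baselined name whose content no longer matches its known-good hash
         (a dropped replacement sitting under the trusted name);
      2. the known-good content turning up under a different name
         (the renamed original that a proxy DLL forwards calls to).
    Returns the findings; an empty list means nothing suspicious.
    """
    findings = []
    hashes = {name: sha256_of(data) for name, data in files.items()}
    for name, good_hash in baseline.items():
        if name not in hashes:
            findings.append(f"{name}: missing from folder")
            continue
        if hashes[name] != good_hash:
            findings.append(f"{name}: content differs from baseline")
        for other, h in hashes.items():
            if other != name and h == good_hash:
                findings.append(f"{name}: genuine content found under {other}")
    return findings

def audit_directory(folder: str, baseline: dict[str, str]) -> list[str]:
    """Hash every .dll directly inside folder and audit it against baseline."""
    files = {p.name.lower(): p.read_bytes() for p in Path(folder).glob("*.dll")}
    return audit_dlls(files, baseline)

# Constructed demo data (not real DLL contents): stand-ins for the genuine DLL and
# for the dropped replacement, and a baseline taken from the genuine stand-in.
GENUINE = b"constructed stand-in for the genuine s7otbxdx.dll"
DROPPED = b"constructed stand-in for the modified dll that stuxnet drops"
DEMO_BASELINE = {"s7otbxdx.dll": sha256_of(GENUINE)}

def demo_clean() -> list[str]:
    return audit_dlls({"s7otbxdx.dll": GENUINE}, DEMO_BASELINE)

def demo_compromised() -> list[str]:
    # The footprint the page describes: original renamed to S7OTBXSX.DLL, replacement dropped.
    return audit_dlls({"s7otbxdx.dll": DROPPED, "s7otbxsx.dll": GENUINE}, DEMO_BASELINE)
```

Run audit_directory against the Windows system folder with a baseline built from a clean machine; a hash baseline is used rather than the file's signature alone because, as noted later on this page, the malware's own components carried seemingly valid signatures.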
Threats:
• The threat in the case of the Stuxnet attack was the disruption of the processes that used the Siemens SCADA systems, and thereby of the various infrastructure facilities run by those systems.
• It begins with the possibility of Windows being compromised, continues with the .DLL files whose code could be manipulated, and could ultimately lead to the compromise of all the facilities run by the system.
• So the threats here are a possible loss of control of systems running Windows, corrupted SCADA systems and possible physical damage to infrastructure.
Risk:
When we speak of risk we have to consider it as the sum of threats and vulnerabilities:
Risk = Threat + Vulnerabilities. So a high threat and a high vulnerability make an asset a high-risk asset.
• In the case of the Stuxnet attack, the Iranian plant was targeted because of its nuclear enrichment program and because of vulnerabilities in Windows and the Siemens SCADA system. Hence there was a considerable risk of attack, and the plant can be taken to be a high-risk asset.
• The best way to counter the risk is to reduce either the threat level or the vulnerability, thereby reducing the risk to the assets.
Impact:
The impact is the outcome after an attack.
In the case of the Stuxnet attack on Iranian facilities, it caused a tremendous amount of damage to the enrichment infrastructure, especially the centrifuges used to purify uranium from the ores. Experts put the damage at a total of 5000 centrifuges.
• This attack not only cost a lot because of the expensive centrifuges but also delayed the enrichment program. To get an idea of the scale, sources close to the attack say that the Iranian operation will never return to normal.
Existing safeguards or controls:
The problem was that there were protective measures, but they did not match the sophistication of the attack and of the malware's design, so the traditional monitoring and detection mechanisms did not detect it. The security team was blindsided and completely outsmarted by the attack. All of their proactive measures failed and they had to take a reactive approach in order to mitigate the losses from the attack.
• In addition, to make things worse, the device drivers in the virus appeared to have been digitally signed by the two renowned Taiwanese security companies JMicron and Realtek. This made detection all the more difficult for the intrusion and malware detection systems at the Iranian nuclear facility.
How the issue is tackled and suggested controls:
• Siemens developed a tool to detect and remove the Stuxnet virus affecting its SCADA systems. Microsoft updates were also recommended in order to obtain the latest patches for the Windows vulnerabilities.
• As Stuxnet spreads through removable drives, users should be careful when connecting an external drive to their machine. The authenticity of the source must be verified by the user.
• Users should keep the system updated with the latest patches and anti-virus software so that the vulnerabilities in the system are protected through the updates.
• As it spreads through the network, make sure the network is secured with proper authentication, and allow network shares only when necessary.