<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Waterfall Security Solutions &#187; From the Web</title>
	<atom:link href="http://www.waterfallsecurity.com/category/knowledge/from-the-web/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.waterfallsecurity.com</link>
	<description>Waterfall Security Solutions</description>
	<lastBuildDate>Mon, 30 Jan 2012 12:37:48 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Paranoia Means Better Security</title>
		<link>http://www.waterfallsecurity.com/paranoia-means-better-security/</link>
		<comments>http://www.waterfallsecurity.com/paranoia-means-better-security/#comments</comments>
		<pubDate>Mon, 31 Oct 2011 05:59:02 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2011]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=2824</guid>
		<description><![CDATA[
“You need to be paranoid. You need to assume your system is under attack,” said Andrew Ginter, director of industrial security at Waterfall Security Solutions.
That is part of what a user must think about when they are a victim of an advanced persistent threat (APT) like Stuxnet, Ginter said during his talk Tuesday with Joel [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-2829" title="ISS-Source" src="http://www.waterfallsecurity.com/wp-content/uploads/2011/10/ISS-Source.png" alt="" width="477" height="87" /></p>
<p>“You need to be paranoid. You need to assume your system is under attack,” said Andrew Ginter, director of industrial security at Waterfall Security Solutions.</p>
<p>That is part of what a user must think about when they are a victim of an advanced persistent threat (APT) like Stuxnet, Ginter said during his talk Tuesday with Joel Langill, chief technology officer at<span id="more-2824"></span> SCADAHacker, entitled “How Stuxnet Spread: A Study of Infection Paths in Best Practice Systems” at the ICSJWG 2011 Spring Conference in Dallas.</p>
<p>“An advanced persistent threat works on a single target,” Ginter said. “Stuxnet was one example.” Usually an APT comes from organized crime or from nation states, he said. This worm targeted Siemens control systems and went after the Iranian nuclear enrichment program. “The objective was to sabotage the nuclear program,” he said.</p>
<p>This approach to the attack was not new and in fact there may be more to come down the road.</p>
<p>“Two dozen nations announced they are funding cyber warfare initiatives,” Ginter said. “Some friendly, some not. In addition, one dozen more nations have not announced it, but it is known they are funding cyber warfare initiatives. Again, some friendly, some not.”</p>
<p>Ginter remains impressed with the mighty worm. “This had four zero days and the worm circulated 3 to 4 months before anyone was alerted to it. That meant it was free to go around a system and learn. This was also the first time a worm used a PLC rootkit, which allowed the worm to reprogram the PLC without the users knowing it was happening.”</p>
<p>If anyone thinks this worm was purely attacking a vulnerability in the Siemens system, think again, Langill said.</p>
<p>“There is a lot to the worm that can apply to any system from any vendor,” he said.</p>
<p>Another interesting aspect is the worm could attack from different vectors. Langill said the one most people focus on is the USB stick, but there were others like the local area network communications.</p>
<p>On top of the attack vectors, the worm also had the ability to adapt to its environment.</p>
<p>“This provided the bad guys a well controlled playbook to get into any system,” Langill said.</p>
<p>Stuxnet brought the idea of policy and procedures to the forefront of users’ attention. “Why spend $500,000 on a security system if you allow a USB stick to plug into your engineering workstation,” Langill said.</p>
<p>He then asked, “Are we still vulnerable? Yes.”</p>
<p><a href="http://www.isssource.com/paranoia-means-better-security/" target="_blank">View the article</a></p>
<p>By Gregory Hale</p>
<p>ISS Source, May 5, 2011</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/paranoia-means-better-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Waterfall and One Way Security</title>
		<link>http://www.waterfallsecurity.com/waterfall-and-one-way-security/</link>
		<comments>http://www.waterfallsecurity.com/waterfall-and-one-way-security/#comments</comments>
		<pubDate>Tue, 09 Nov 2010 11:11:43 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=2161</guid>
		<description><![CDATA[
1. Waterfall Has More Control System “Connectors”
A “connector” allows what is typically two-way traffic to be sent through a one-way security device. You essentially install a protocol or application client / server on both sides of their device. The secure side server gets the information as usual, then pushes it out to the insecure side [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignnone size-full wp-image-2163" title="Digital_Bond" src="http://www.waterfallsecurity.com/wp-content/uploads/2010/11/Digital_Bond.jpg" alt="" width="140" height="78" /></strong></p>
<p><strong>1. Waterfall Has More Control System “Connectors”</strong></p>
<p>A “connector” allows what is typically two-way traffic to be sent through a one-way security device. You essentially install a protocol or application client / server on both sides of their device. The secure side server gets the information as usual, then pushes it out to the insecure side server using <span id="more-2161"></span>a Waterfall one-way protocol. So even though the communication is two way, data from the secure side can be available to the insecure side and accessed from other clients and servers on the insecure side.</p>
<p>In my original blog I mentioned that there were connectors available for protocols like OPC and ICCP, but in fact there is a much larger list including:</p>
<ul>
<li>Historians like OSIsoft’s PI Server and GE iHistorian</li>
<li>Modbus TCP and DNP3</li>
<li>NTP and log transfer</li>
<li>Bentley Nevada, Siemens Simatic / WinCC and others</li>
</ul>
<p><strong>2. Some Connectors Push Configuration Data</strong></p>
<p>One of the problems with the connector approach is the administrative burden. For example, an administrator would have to enter any new OPC tag on two systems, one on the secure side and the other on the insecure side. Of course this is often done with a USB stick or other sneakernet technique.</p>
<p>I learned that some of the Historian solutions have the ability to make configuration changes on the secure side and have these pushed through the one-way device to the insecure side.</p>
<p><a href="http://www.digitalbond.com/index.php/2010/10/05/waterfall-update/" target="_blank">View the article</a></p>
<p>By Dale Peterson</p>
<p>Digital Bond, October 5, 2010</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/waterfall-and-one-way-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Following Stuxnet Trojan, NERC security chief calls for rugged software</title>
		<link>http://www.waterfallsecurity.com/following-stuxnet-trojan-nerc-security-chief-calls-for-rugged-software/</link>
		<comments>http://www.waterfallsecurity.com/following-stuxnet-trojan-nerc-security-chief-calls-for-rugged-software/#comments</comments>
		<pubDate>Thu, 14 Oct 2010 10:05:18 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=2091</guid>
		<description><![CDATA[
The security chief at the North American Electric Reliability Corp. (NERC) is calling for better designed and more hardened systems in the wake of the Stuxnet malware threat. 
The Stuxnet Trojan quickly gained the attention of the security industry because it was one of the first pieces of malware to use multiple previously unknown vulnerabilities. Stuxnet initially [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-2092" title="SearchSecurity" src="http://www.waterfallsecurity.com/wp-content/uploads/2010/10/SearchSecurity.gif" alt="" width="291" height="51" /></p>
<p>The security chief at the North American Electric Reliability Corp. (NERC) is calling for better designed and more hardened systems in the wake of the Stuxnet malware threat. </p>
<p>The Stuxnet Trojan quickly gained the attention of the security industry because it was one of the first pieces of malware to use multiple previously unknown vulnerabilities.<span id="more-2091"></span> Stuxnet initially relied on four zero-day vulnerabilities to gain access to devices that could potentially connect to critical control systems, allowing Stuxnet to spread to other machines. It was also the first piece of malware that could inject itself into programmable logic controllers, the systems that control temperature, pressure and other processes vital to keeping industrial facilities running smoothly. As Stuxnet activity peaked in late September, NERC readied a guidance document to help North American energy firms address the threat. But addressing Stuxnet goes beyond using quality security controls, said Mark Weatherford, vice president and chief security officer at NERC. The industry, he said, needs to demand higher quality software that is free from defects.</p>
<p>&#8220;This is not an indictment on [the] control system industry; it&#8217;s an indictment on the IT business in general,&#8221; Weatherford said. &#8220;We&#8217;re still seeing products that come out that are susceptible to vulnerabilities that quite frankly have been in the wild for quite some time.&#8221;</p>
<p>NERC maintains security standards and issues guidance to about 2,000 public and private firms involved in electricity generation and distribution in the U.S. and Canada. Weatherford said a &#8220;Malware Tiger Team&#8221; was formed in July when Microsoft issued the first of what will likely be four patches designed to plug the zero-day vulnerabilities used by the Stuxnet malware in its attacks. Once the malware uses those vulnerabilities, it seeks out the Siemens industrial control system and then attempts to inject itself and change critical processes. Weatherford said Stuxnet is seen as a blueprint that can be used by future cyberterrorists to inflict damage on critical national infrastructure systems or create some kind of catastrophic event.</p>
<p>&#8220;Companies who develop products and write code need to continue to mature their development processes to become more secure,&#8221; he said.</p>
<p>The Tiger Team, which is made up of representatives from various federal agencies, as well as malware experts from several antivirus vendors and security consultancies, helped ensure the information disseminated to critical infrastructure facilities was accurate and not conflicting, Weatherford said.</p>
<p>&#8220;The Tiger Team will be a living, breathing organization that morphs and contracts as necessary in response to whatever the threat is,&#8221; he said.</p>
<p>After Stuxnet surfaced, researchers began the painful process of reverse engineering the malware, a task made more difficult because the Siemens system Stuxnet was targeting is known by only a specialized group of researchers. Many federal organizations had their hand in driving much of the research, including experts with the Department of Energy, the Department of Homeland Security and the Federal Energy Regulatory Commission (FERC).</p>
<p>&#8220;All infrastructure is at risk and I would pause and say the utility industry is no more at risk than any other critical infrastructure,&#8221; Weatherford said. &#8220;The malware still exists and certainly could be a threat to any critical facility.&#8221;</p>
<p>The information gleaned from the ongoing Stuxnet research resulted in two advisories, the details of which Weatherford declined to disclose, as well as a formal recommendation letter, which was sent to electric facilities. It will culminate with the guidance document, which also will remain confidential to protect the security of the facilities, he said. Much of the advice disseminated to U.S. firms included basic security guidelines, such as ensuring that antimalware signatures are up to date and ensuring facilities use security policies that address the use of removable media and USB drives.</p>
<p>&#8220;There&#8217;s no indication that any North American companies have had any type of infection,&#8221; Weatherford said. &#8220;That [Siemens control system] is not widely used in North America but it is also not uncommon.&#8221;</p>
<p><a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1521466,00.html" target="_blank">View the article</a></p>
<p>By Robert Westervelt, News Director</p>
<p>SearchSecurity.com, October 6, 2010</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/following-stuxnet-trojan-nerc-security-chief-calls-for-rugged-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewall Configuration Errors Revisited</title>
		<link>http://www.waterfallsecurity.com/firewall-configuration-errors-revisited/</link>
		<comments>http://www.waterfallsecurity.com/firewall-configuration-errors-revisited/#comments</comments>
		<pubDate>Tue, 05 Oct 2010 13:06:17 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=2087</guid>
		<description><![CDATA[Abstract: Practically every corporation that is connected to the Internet uses firewalls as the first line of its cyber-defense. However, the protection that these firewalls provide is only as good as the policy they are configured to implement. The first quantitative evaluation of the quality of corporate firewall configurations appeared in 2004, based on Check [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Abstract:</strong> Practically every corporation that is connected to the Internet uses firewalls as the first line of its cyber-defense. However, the protection that these firewalls provide is only as good as the policy they are configured to implement. The first quantitative evaluation of the quality of corporate firewall configurations appeared in 2004, based on Check Point <span id="more-2087"></span>FireWall-1 rule-sets. In general that survey indicated that corporate firewalls were often enforcing poorly written rule-sets, containing many errors. One important finding was that high rule-set complexity was positively correlated with the number of detected configuration errors. Another finding was an indication that rule-sets from later software versions had slightly fewer errors.</p>
<p>The goal of this work is to revisit the first survey, and to test whether its findings remain valid. The current study is much larger, and is based on newer data, collected from firewalls running later firewall versions. Furthermore, for the first time the study includes configurations from two major vendors: both Check Point firewalls and Cisco PIX firewalls. Finally, the study considers three times as many possible configuration errors, consisting of 36 vendor-neutral errors instead of the 12 used in the 2004 study.</p>
<p>In order to compare the complexity of configurations from different vendors, this work also introduces a novel uniform complexity measure, called the <em>firewall complexity </em>(FC), that applies to both types of firewalls.</p>
<p>The findings of the current study indeed validate the 2004 study’s main observations: (a) firewalls are (still) poorly configured, and (b) a rule-set’s complexity, as measured by the new FC measure, is (still) positively correlated with the number of detected configuration errors. These findings hold for rule-sets from both vendors. Thus we can conclude that, for well-configured firewalls, “small is (still) beautiful”. However, unlike the 2004 study, there is no significant indication that later software versions have fewer errors (for either vendor). This is apparently because the vendor-neutral errors that this study focuses on are all controlled by the firewall’s basic filtering capability—which has not changed significantly between versions.</p>
<p><a href="http://arxiv.org/PS_cache/arxiv/pdf/0911/0911.1240v1.pdf" target="_blank">View the article</a></p>
<p>By Avishai Wool</p>
<p>November 6, 2009</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/firewall-configuration-errors-revisited/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New threat: Hackers look to take over power plants</title>
		<link>http://www.waterfallsecurity.com/new-threat-hackers-look-to-take-over-power-plants/</link>
		<comments>http://www.waterfallsecurity.com/new-threat-hackers-look-to-take-over-power-plants/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 07:58:52 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=2014</guid>
		<description><![CDATA[
Computer hackers have begun targeting power plants and other critical operations around the world in bold new efforts to seize control of them, setting off a scramble to shore up aging, vulnerable systems.
Cyber criminals have long tried, at times successfully, to break into vital networks and power systems. But last month, experts for the first [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-610" title="AP_Logo" src="http://www.waterfallsecurity.com/wp-content/uploads/2009/11/AP_Logo.JPG" alt="" width="310" height="86" /></p>
<p>Computer hackers have begun targeting power plants and other critical operations around the world in bold new efforts to seize control of them, setting off a scramble to shore up aging, vulnerable systems.</p>
<p>Cyber criminals have long tried, at times successfully, to break into vital networks and power systems. But last month, experts for the first time discovered<span id="more-2014"></span> a malicious computer code — called a worm — specifically created to take over systems that control the inner workings of industrial plants.</p>
<p>In response to the growing threat, the Department of Homeland Security has begun building specialized teams that can respond quickly to cyber emergencies at industrial facilities across the country.</p>
<p>As much as 85 percent of the nation&#8217;s critical infrastructure is owned and operated by private companies, ranging from nuclear and electric power plants to transportation and manufacturing systems. Many of the new attacks have occurred overseas, but the latest episode magnified worries about the security of plants in the U.S.</p>
<p>&#8220;This type of malicious code and others we&#8217;ve seen recently are actually attacking the physical components, the devices that open doors, close doors, build cars and open gates,&#8221; said Sean McGurk, director of control systems security for Homeland Security. &#8220;They&#8217;re not just going after the ones and zeros (of a computer code), they&#8217;re going after the devices that actually produce or conduct physical processes.&#8221;</p>
<p>Officials have yet to point to any operating system that has been compromised by the latest computer worm. But cyber experts are concerned that attacks on industrial systems are evolving.</p>
<p>In the past, it was not unusual to see hackers infiltrate corporate networks, breaking in through gaps and stealing or manipulating data. The intrusions, at times, could trigger plant shutdowns. The threat began to escalate last year, with cyber criminals exploiting weaknesses in systems that control what the industries do.</p>
<p>The latest computer worm, dubbed Stuxnet, was an even more alarming progression. Now hackers are creating codes to actually take over the critical systems.</p>
<p>In many cases, operating systems at power plants and other critical infrastructure are decades old. Sometimes they are not completely separated from other computer networks used by companies to run administrative systems or even access the Internet.</p>
<p>Those links between the administrative networks and the control systems provide gateways for hackers to insert malicious codes, viruses or worms into the programs that operate the plants.</p>
<p>Sitting in his office not far from Homeland Security&#8217;s new state-of-the-art cyber operations center, McGurk recently held out a small blue computer flash drive containing the destructive Stuxnet worm.</p>
<p>Experts in Germany discovered the worm, which has since shown up in a number of attacks — primarily in Iran, Indonesia, India, and the U.S., according to Microsoft. Stuxnet had tried to infect as many as 6,000 computers, as of July 15, according to Microsoft data.</p>
<p>German officials transmitted the malware to the U.S. through a secure network, and experts at the Energy Department&#8217;s Idaho National Laboratory began to analyze it.</p>
<p>In plain terms, the worm was able to burrow into some operating systems that included software designed by Siemens AG, by exploiting a vulnerability in several versions of Microsoft Windows.</p>
<p>On Monday, Microsoft released another update to address the problem, and Siemens has taken similar steps.</p>
<p>Annual reports issued by Homeland Security and the Department of Energy have detailed weaknesses in the industrial computer systems, and have repeatedly pressed companies to improve security practices. Reports as recently as this May urged companies to routinely download patches to update software, change and improve passwords, carefully restrict access to critical systems and use firewalls to separate commonly used networks from those that control key systems.</p>
<p>A successful attack against a critical control system, the Energy Department warned in its May report, &#8220;may result in catastrophic physical or property damage and loss.&#8221;</p>
<p>Over the past year, Homeland Security has quietly been deploying teams of experts around the country to assess weaknesses in industrial control systems. The agency has created four teams and — with a budget scheduled to increase from $10 million this year to $15 million next year — has plans to grow to 10 teams in 2011.</p>
<p>The teams are armed with a $5,000 kit: a black, suitcase-sized bag crammed with cables, converters, data storage and high-tech computer forensic tools. With that equipment, they can download the problem malware, analyze it and work with the companies to correct or clean their systems.</p>
<p>So far, said McGurk, the teams have done 50 assessments and have been dispatched 13 times to investigate and help correct cyber incidents and attacks. Nine of those cases involved some type of deliberate cyber intrusion, while the other four were the unintended result of an operator&#8217;s action.</p>
<p>In one of the nine intrusion cases, a company representative had gone to a conference and had the presentation documents downloaded onto a computer flash drive.</p>
<p>One of the files was infected with the Mariposa botnet, a malicious software code that has infected 12 million computers worldwide, including hundreds of companies and at least 40 major banks in 190 countries since appearing in December 2008.</p>
<p>When the man returned to his office and connected his laptop to the company&#8217;s network, the botnet spread, eventually affecting nearly 100 computers.</p>
<p>A Homeland Security team was called in and helped the company evaluate the problem and begin to clear up the system.</p>
<p><a href="http://www.google.com/hostednews/ap/article/ALeqM5h7lX0JoE1AGngQoEfWWmCM6THizQD9HC86L80" target="_blank">View the article</a></p>
<p>By Lolita C. Baldor (AP)</p>
<p>Google.com, August 2010</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/new-threat-hackers-look-to-take-over-power-plants/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DHS Ramping Up Defense of Critical Control Systems</title>
		<link>http://www.waterfallsecurity.com/dhs-ramping-up-defense-of-critical-control-systems/</link>
		<comments>http://www.waterfallsecurity.com/dhs-ramping-up-defense-of-critical-control-systems/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 08:07:19 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=2017</guid>
		<description><![CDATA[
The discovery of the first worm to target networks controlling power plants has prompted an expansion of specialized forensic teams to combat the cybersecurity threat.
The Department of Homeland Security (DHS) plans to ramp up a program that sends specialized forensic teams to combat the cybersecurity threat on U.S. critical control systems, such as those [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignnone size-full wp-image-2018" title="InformationWeek_Logo" src="http://www.waterfallsecurity.com/wp-content/uploads/2010/08/InformationWeek_Logo.gif" alt="" width="365" height="43" /></strong></p>
<p><strong>The discovery of the first worm to target networks controlling power plants has prompted an expansion of specialized forensic teams to combat the cybersecurity threat.</strong></p>
<p>The Department of Homeland Security (DHS) plans to ramp up a program that sends specialized forensic teams to combat the cybersecurity threat on U.S. critical control systems<span id="more-2017"></span>, such as those that control power plants, industrial facilities and air-traffic control systems.</p>
<p>For the past year, the DHS has sent out four special teams &#8212; collectively a part of the Industrial Control System Computer Emergency Readiness Team &#8212; on missions to examine these systems to determine threats and respond to technical-support calls from private-sector partners.</p>
<p>However, the department plans to expand the program next year, a move that coincides with the discovery last month of the first worm designed to specifically attack such systems.</p>
<p>&#8220;There is no shortage of demand for this service from the DHS among our partners in the private sector,&#8221; said DHS spokesman Amy Kudwa Wednesday. &#8220;That there has been this worm that is specifically focused on control systems only solidifies our focus on expanding this program.&#8221;</p>
<p>The system attacked was based on technology from Microsoft and Siemens, which have developed patches for the worm, she added.</p>
<p>The worm attacked four systems, none of which were in the U.S. However, its presence is enough to put the DHS on alert for more direct attacks on critical systems.</p>
<p>The specialized control-system teams &#8212; which fall under the purview of the National Cybersecurity Division (NCSD), part of the DHS Office of Cybersecurity and Communications &#8212; went on 13 missions last year armed with a $5,000 case full of specialized forensic technology to identify malware on control systems.</p>
<p>The expansion of the NCSD&#8217;s budget for the program from $10 million to $15 million is meant to increase the number of teams available for these service calls from four to 10 in 2011.</p>
<p>Response to the threat on critical control systems is not new. The DHS has been keeping a close eye on them and published reports about how to address vulnerabilities for about five years. The systems are high risk given that they are often built on outdated technology that does not have the same security level as newer systems.</p>
<p>Earlier this month, the Wall Street Journal revealed that the National Security Agency (NSA), too, is expanding its interest in protecting control systems. The agency is set to launch a program specifically aimed at assessing vulnerabilities and developing capabilities to secure them.</p>
<p>While the government&#8217;s interest in these systems is aimed at keeping crucial systems protected and online in the event of a cyberattack, it also has raised questions of privacy and just exactly what the government&#8217;s role should be in protecting privately owned networks.</p>
<p><a href="http://www.informationweek.com/government/index.jhtml" target="_blank">View the article</a></p>
<p>By Elizabeth Montalbano</p>
<p>Information Week, August 4, 2010</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/dhs-ramping-up-defense-of-critical-control-systems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Siemens Gets Attacked by Trojan</title>
		<link>http://www.waterfallsecurity.com/siemens-gets-attacked-by-trojan/</link>
		<comments>http://www.waterfallsecurity.com/siemens-gets-attacked-by-trojan/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 10:06:31 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=2003</guid>
		<description><![CDATA[
In the USA today, Siemens is strongly warning its users that a Trojan, a particular malware program, is directly targeting PCS 7 as well as Simatic WinCC. This virus is further distributed with the use of USB memory sticks. The sad part is that it is very good at taking advantage [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-2005" title="techgenie_logo" src="http://www.waterfallsecurity.com/wp-content/uploads/2010/08/techgenie_logo.png" alt="" width="400" height="60" /></p>
<p>In the USA today, Siemens is strongly warning its users that a Trojan, a particular malware program, is directly targeting PCS 7 as well as Simatic WinCC. This virus is further distributed with the use of USB memory sticks. The sad part is that it is very good at taking advantage of present vulnerabilities in Microsoft security.<span id="more-2003"></span></p>
<p>As reported, the malware affects all Windows computers, especially from XP on up.</p>
<p>Unfortunately, merely one click in order to view the contents of a particular USB memory stick can actually end up activating the Trojan virus. This is why Siemens recommends that its users avoid, as much as possible, using a USB memory stick on multiple personal computers, especially those that are running the WinCC software.</p>
<p><strong>The Virus</strong></p>
<p>This malicious code has been named W32/Stuxnet-B. It propagates through USB drives that have been infected with malformed shortcut (.lnk) files. The code is activated when the user inserts the memory stick and then clicks to view the contents of that particular USB drive with Windows Explorer or some other application that displays the icons of the files.</p>
<p>Although it is true that its main aim is WinCC, it can still target any Windows system, as long as it is capable of accepting removable media. The code seems to rely largely on an undisclosed vulnerability in how Windows .lnk files are handled.</p>
<p><strong>Smart Malware</strong></p>
<p>It is quite smart, actually, since it is well aware that it needs to bypass the readily installed Microsoft controls that make sure that drivers are to be signed digitally. Being a smart malicious code as it is, its creators made sure that it contained the digital signature of Realtek Semiconductor Corp. This way, it could gain all access entry.</p>
<p>With this virus up and coming on Siemens gadgets, the company decided to take all precautions in order to alert its loyal clients to the possible dangers of this aforementioned malware. The sales team has already been informed, and the company’s customer representatives will be speaking directly to the clients in order to fully and genuinely explain the given circumstances. As the first warning, Siemens tells their users to actively check their computer’s systems, especially ones that have been installed with WinCC.</p>
<p>To date, a trio of highly effective virus scan programs has already been recommended for systems that are under Siemens. They are, namely, Symantec, Trend Micro, and McAfee, which also happen to be the best virus scan programs in the entire market. Additionally, their latest versions or upgrades are also the best when it comes to successfully detecting Trojan.</p>
<p>Deploying such virus scan programs on a Runtime environment can have some unexpected results. To date, these results are still being investigated fully in order for everyone to obtain further understanding on the matter. Still, experts are pretty much verbal in implying that approval will be issued very shortly.</p>
<p><a href="http://techgenie.com/security/siemens-gets-attacked-by-trojan/" target="_blank">View the article</a></p>
<p>Tech Genie, August 2, 2010</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/siemens-gets-attacked-by-trojan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Siemens SCADA systems under attack by information stealing worm</title>
		<link>http://www.waterfallsecurity.com/siemens-scada-systems-under-attack-by-information-stealing-worm/</link>
		<comments>http://www.waterfallsecurity.com/siemens-scada-systems-under-attack-by-information-stealing-worm/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 07:49:40 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=2008</guid>
		<description><![CDATA[
The recently discovered Stuxnet worm that contains the password for Siemens&#8217; SCADA systems is wreaking havoc around the world.
The Simatic WinCC SCADA system, which runs on Windows and is used by many utilities and factories, uses a database that is protected by a hard-coded password that has been publicly revealed on a couple of forums [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-2009" title="HelpNetSecurity_Logo" src="http://www.waterfallsecurity.com/wp-content/uploads/2010/08/HelpNetSecurity_Logo.gif" alt="" width="210" height="77" /></p>
<p>The recently discovered Stuxnet worm that contains the password for Siemens&#8217; SCADA systems is wreaking havoc around the world.</p>
<p>The Simatic WinCC SCADA system, which runs on Windows and is used by many utilities and factories, uses a database that is protected by a hard-coded password that has been publicly revealed on a couple of forums <span id="more-2008"></span>back in 2008.</p>
<p>The worm takes advantage of a yet unpatched Windows vulnerability affecting the way that Windows handles shortcut files, which allows it to spread via CDs, USB sticks or file-sharing among computers in a network.</p>
<p>If it finds SCADA software, the worm proceeds to enter the database and search project files, then tries to copy them to an external website. If it fails to find said software, it simply copies itself somewhere on the system and lays dormant.</p>
<p>This particular worm is obviously intent on stealing all the information about the way that these companies work &#8211; counterfeiters will have a field day with it.</p>
<p>The worm is spreading like fire &#8211; Symantec registers some 9,000 attempts of infection per day. SCADA users are panicking and consider changing the hard-coded password.</p>
<p>Siemens recommends against it, as it could disrupt the whole system. According to <a href="http://www.networkworld.com/news/2010/072010-after-worm-siemens-says-dont.html" target="_new">Network World</a>, they promise to publish a customer guidance document soon, but they say that the solution will definitely not involve a change of password. They also mean to set up a website that will offer details about the worm.</p>
<p>In the meantime, Microsoft has released a security advisory regarding the vulnerability, and advises users to disable icons from being displayed for shortcuts and/or disable the WebClient service.</p>
<p>Siemens&#8217; spokesman Michael Krampe said that the company &#8220;has started to develop a solution, which can identify and systematically remove the malware,&#8221; but didn&#8217;t offer a date for the release of the software.</p>
<p><a href="http://www.net-security.org/malware_news.php?id=1408" target="_blank">View the article</a></p>
<p>By Zeljka Zorz</p>
<p>Help Net Security, July 20, 2010</p>
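<p>Both of the Siemens items above describe the same propagation trick: a shortcut file on removable media that Explorer runs code from simply by rendering its icon. The following is an added example and is not code from either article, from Siemens or from Microsoft. It parses the header and LinkTargetIDList of a .lnk file and flags shortcuts that carry a file path under a Control Panel item, use the <code>\\.\</code> device namespace, or name a DLL there. Those indicators are assumptions drawn from public descriptions of the shortcut flaw, not from anything on this page, and the two sample shortcuts are constructed inline so the script runs offline; the <code>scan_directory</code> helper is how you would point it at a mounted USB stick.</p>

```python
# Added example (not code from the article, Siemens or Microsoft): parse the
# LinkTargetIDList of a .lnk and flag shortcuts shaped like the icon-handler
# trap.  Assumed from public descriptions of the flaw, not from this page: the
# payload path sits in the IDList, usually under a Control Panel item, and the
# shell loads it just to draw the icon.  These are heuristics, not a signature.
import os
import struct

LNK_HEADER_SIZE = 0x4C
# CLSIDs as stored on disk (Data1..Data3 little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")            # {00021401-0000-0000-C000-000000000046}
MY_COMPUTER_CLSID = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")    # {20D04FE0-3AEA-1069-A2D8-08002B30309D}
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # {21EC2020-3AEA-1069-A2DD-08002B30309D}

# LinkFlags bits in the ShellLinkHeader.
HAS_LINK_TARGET_ID_LIST = 0x01
STRING_FLAGS = 0x02 | 0x04 | 0x08 | 0x10 | 0x20 | 0x40  # LinkInfo, Name, RelativePath, WorkingDir, Arguments, IconLocation
STRONG = ("control-panel-path", "device-namespace", "dll-name")


def parse_lnk(blob):
    """Return (link_flags, [ItemID data, ...]); only the header and IDList are read."""
    if len(blob) < LNK_HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    (header_size,) = struct.unpack_from("<I", blob, 0)
    if header_size != LNK_HEADER_SIZE or blob[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    (flags,) = struct.unpack_from("<I", blob, 0x14)
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", blob, LNK_HEADER_SIZE)
        off = LNK_HEADER_SIZE + 2
        end = min(off + id_list_size, len(blob))
        while off + 2 <= end:
            (item_size,) = struct.unpack_from("<H", blob, off)
            if item_size == 0:                      # TerminalID closes the list
                break
            if item_size < 2 or off + item_size > end:
                raise ValueError("malformed ItemID at offset %d" % off)
            items.append(blob[off + 2:off + item_size])
            off += item_size
    return flags, items


def lnk_findings(blob):
    """Return indicator names found in the shortcut (empty list = nothing seen)."""
    flags, items = parse_lnk(blob)
    findings = []
    seen_control_panel = False
    for data in items:
        if CONTROL_PANEL_CLSID in data:
            seen_control_panel = True
            continue
        low = data.lower()                          # ASCII-only lowering; UTF-16LE text survives it
        if seen_control_panel and b"\\\x00" in low:  # UTF-16LE backslash under a Control Panel item
            findings.append("control-panel-path")   # a CPL entry should be a registered applet, not a file path
        if b"\\\x00\\\x00.\x00\\\x00" in low:       # "\\.\" device namespace, one way to address removable media
            findings.append("device-namespace")
        if b".\x00d\x00l\x00l\x00" in low or b".dll" in low:
            findings.append("dll-name")
    if items and not flags & STRING_FLAGS:
        findings.append("idlist-only")              # weak signal: no LinkInfo or string data at all
    return findings


def is_suspicious(blob):
    """True when at least one strong indicator is present."""
    return any(f in STRONG for f in lnk_findings(blob))


def scan_directory(root):
    """Walk a mounted volume (e.g. a USB stick) and return {path: findings} for flagged .lnk files."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings = lnk_findings(fh.read())
            except (OSError, ValueError):
                continue                            # unreadable or not a real shortcut
            if any(f in STRONG for f in findings):
                flagged[path] = findings
    return flagged


def build_lnk(flags, items):
    """Constructed minimal shortcut: header plus LinkTargetIDList, enough for parse_lnk."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(d) + 2) + d for d in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples, not shortcuts recovered from the incident: an ordinary
# file shortcut and one shaped like the trap (hypothetical payload name).
BENIGN = build_lnk(HAS_LINK_TARGET_ID_LIST | 0x02 | 0x08, [
    b"\x1f" + MY_COMPUTER_CLSID,
    b"\x2f" + b"C:\\" + b"\x00" * 19,
    b"\x32" + b"notepad.exe\x00",
])
TRAPPED = build_lnk(HAS_LINK_TARGET_ID_LIST, [
    b"\x1f" + MY_COMPUTER_CLSID,
    b"\x1f" + CONTROL_PANEL_CLSID,
    b"\x00" + "\\\\.\\STORAGE#Volume#removable\\payload.tmp".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    print("benign :", lnk_findings(BENIGN))
    print("trapped:", lnk_findings(TRAPPED))
```

<p>Run against the constructed samples the benign shortcut produces no findings and the trapped one reports a Control Panel item followed by a device-namespace path plus the weaker IDList-only signal. The "idlist-only" indicator is deliberately kept out of the verdict because legitimate shortcuts to virtual folders also carry nothing but an IDList; the strong indicators are the ones worth alerting on, and any hit should be confirmed by inspecting the file rather than treated as proof of infection.</p>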
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/siemens-scada-systems-under-attack-by-information-stealing-worm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber attack &#8220;war game&#8221;</title>
		<link>http://www.waterfallsecurity.com/cyber-attack-war-game/</link>
		<comments>http://www.waterfallsecurity.com/cyber-attack-war-game/#comments</comments>
		<pubDate>Thu, 25 Feb 2010 09:34:59 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=1789</guid>
		<description><![CDATA[
Security experts launch a cyber attack &#8220;war game&#8221; to test the nation&#8217;s cyber security defenses.
View the article
CNN, February 16, 2010
]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-1790" href="http://www.waterfallsecurity.com/cyber-attack-war-game/cnnlogo/"><img class="alignnone size-full wp-image-1790" title="CNNLogo" src="http://www.waterfallsecurity.com/wp-content/uploads/2010/02/CNNLogo.GIF" alt="CNNLogo" width="119" height="82" /></a></p>
<p>Security experts launch a cyber attack &#8220;war game&#8221; to test the nation&#8217;s cyber security defenses.<span id="more-1789"></span></p>
<p><a href="http://www.cnn.com/video/#/video/tech/2010/02/16/am.interview.cyber.attacks.cnn?iref=allsearch" target="_blank">View the article</a></p>
<p>CNN, February 16, 2010</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/cyber-attack-war-game/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Report: Critical Infrastructures Under Constant Cyberattack Globally</title>
		<link>http://www.waterfallsecurity.com/report-critical-infrastructures-under-constant-cyberattack-globally/</link>
		<comments>http://www.waterfallsecurity.com/report-critical-infrastructures-under-constant-cyberattack-globally/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 13:33:38 +0000</pubDate>
		<dc:creator>amir</dc:creator>
				<category><![CDATA[2010]]></category>

		<guid isPermaLink="false">http://www.waterfallsecurity.com/?p=1724</guid>
		<description><![CDATA[
Critical infrastructure systems around the world are the targets of repeated cyberattacks, according to a new global survey of technology executives in these industries. They believe some of the attacks are coming not just from individual cybercriminals but terrorists and foreign nation states.
The United States and China are believed to be the most likely countries [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-1725" title="wired_logo" src="http://www.waterfallsecurity.com/wp-content/uploads/2010/02/wired_logo.gif" alt="wired_logo" width="239" height="49" /></p>
<p>Critical infrastructure systems around the world are the targets of repeated cyberattacks, according to a new global survey of technology executives in these industries. They believe some of the attacks are coming not just from individual cybercriminals but terrorists and foreign nation states.</p>
<p>The United States and China are believed <span id="more-1724"></span>to be the most likely countries to conduct a cyberattack against the critical infrastructure of another nation, according to the respondents. Companies and agencies operating in the banking and finance sectors, energy and natural resources, telecommunications and internet service providers, transportation and mass transit, chemical production and storage, food distribution and government services are considered critical infrastructure companies.</p>
<p>The attacks that are occurring include massive denial of service attacks, stealthy efforts to penetrate networks undetected, DNS poisoning, SQL injection attacks and malware infections. The aims of the attacks vary from shutting down services or operations to theft of services and data or extortion attempts.</p>
<p>Among the more serious findings in the report is that some of the most sensitive critical infrastructure entities around the world, such as those for energy and natural-resource industries (such as water and sewage plants), are some of the least secure. For example, 80 percent of executives working for entities that use SCADA (supervisory control and data acquisition) or Industrial Control Systems say their systems are connected to the internet or some other IP network, putting them at possible risk of intrusion. Executives at water and sewage facilities also reported having the lowest level of security measures in place.</p>
<p>About 55 percent of respondents in the energy and power and the oil and gas sectors reported that the attackers most often targeted the SCADA or other operational control systems, although the survey offers no indication of how successful these attacks were. Only 57 percent of respondents across all sectors said their organization installed security patches and updated software on a regular schedule.</p>
<p>The report, “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” was commissioned by anti-virus firm McAfee and coordinated by the Center for Strategic and International Studies in Washington, DC. It was led by Stewart Baker, a visiting fellow with CSIS and former assistant secretary for policy at the Department of Security during the last Bush administration. Baker was also general counsel for the National Security Agency in 1992 to 1994.</p>
<p>The survey involved 600 IT and security executives in critical infrastructure industries in 14 countries, including financial, transportation and mass transit, energy and natural resources, telecoms and ISPs. The executives surveyed have responsibilities in information technology, security and operational control systems. The release of the report was timed to coincide with the World Economic Forum being held through the end of January in Davos, Switzerland, and follows on the heels of a serious and coordinated cyberattack conducted against Google, Adobe and other U.S. companies in the finance, technology and defense industries.</p>
<p>The report is believed to be the first of its kind to examine the security of critical infrastructures around the world, although it has a number of shortcomings that the coordinators don’t address. Many of the findings, for example, are provided without elaboration, making it difficult to know what the survey participants meant in their responses. For example, the report indicates that large-scale DDoS attacks had a particularly severe effect in the energy and power and water and sewage sectors, but doesn’t elaborate on what consequences were suffered as a result of these attacks.</p>
<p>Also, the report states that attacks are “often from high-level adversaries like foreign nation-states” but doesn’t indicate how this is known when attribution in cyberspace is often impossible to determine. About 75 percent of executives in China believe foreign governments have been involved in cyberattacks against critical infrastructure in that country, while 60 percent in the U.S. believe this is the case.</p>
<p>In a conference call, the organizers of the survey acknowledged that respondents who indicated that foreign-nation states were behind attacks were not asked how they knew attacks against them came from nation states. The organizers said the respondents were likely basing their responses simply on perceptions gained from news reports rather than firsthand knowledge of the source of attacks.</p>
<p>More than half of executives surveyed (54 percent) said they suffered large-scale DDoS attacks and stealthy infiltration attacks by high level adversaries, such as organized crime, terrorists or nation-state actors. Nearly 30 percent of those surveyed reported suffering large-scale DDoS attacks multiple times each month, with about 64 percent saying the attacks impacted their operations in some way, such as interfering with website operations, e-mail servers or phone systems.</p>
<p>Of those that suffered sensitive data leaks and loss from network intrusions, 15 percent said the impact was serious, while 4 percent said it was critical. The most common target in such attacks was financial information, with a little more than half reporting that this was the aim of intruders. The least common target was password and login information, which was targeted in only 21 percent of attacks. Although the report doesn’t note this, in order to get to financial data, intruders often obtain password and login credentials at some point in their intrusion. So while the password and login may not be the final target, it is often a means to the target.</p>
<p>One in five respondents said they were the victim of extortion through a cyberattack or threatened cyberattack within the last two years. Extortion was most common in India, the Middle East, China and France and rarest in the U.S. and U.K. Again, the survey provides little elaboration other than to point to now disputed media reports attributing power outages in Brazil in 2005 and 2007 to hackers.</p>
<p>These incidents were reported last year by <em>60 Minutes</em>. The <em>60 Minutes </em>story, however, has been harshly criticized privately by a number of the show’s own sources, who say it was based on rumor, and has been denied by the Brazilian government. Brazil released a report attributing the outage in 2007 to soot-covered insulators.</p>
<p>The <em>60 Minutes</em> story was based in part by information from CSIS’ own James Lewis, a senior fellow in its technology and public policy program. So, citing disputed media reports to support extortion claims when those media reports were in part the result of disputed information provided by CSIS is a curious move.</p>
<p>With regard to securing against attack, critical infrastructure entities in China have the highest rate of adopting strong security measures such as encryption, user authentication and strict security polices. About 62 percent of Chinese executives said such measures were in place, while only 53 percent in the U.S. indicated this.</p>
<p>The adoption of strong security measures, however, didn’t necessarily translate to better protection from high-level attacks. For example, although China has a high adoption rate for security technologies and policies, it “is not notably free from high-level attacks,” says the report.</p>
<p>Among the 600 respondents to the survey, 100 are based in the United States; there are 50 respondents each in Japan, China, Germany, France, the U.K. and Italy; another 30 each are in Russia, Spain, Australia, Brazil, Mexico and India; and 20 are in Saudi Arabia. The sectors most represented in the survey are the banking and finance sector and government services. Each of these sectors had 145 respondents. The oil and gas, energy and power, transportation and mass-transit, and telecommunications sectors had representatives ranging from 59 to 82 respondents. Only 23 respondents come from the water and sewage sector.</p>
<p><a href="http://www.wired.com/threatlevel/2010/01/csis-report-on-cybersecurity/" target="_blank">View the article</a></p>
<p>By Kim Zetter</p>
<p>Wired, January 28, 2010</p>
]]></content:encoded>
			<wfw:commentRss>http://www.waterfallsecurity.com/report-critical-infrastructures-under-constant-cyberattack-globally/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

