How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew.

1 How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems
Joel Langill, Chief Security Officer
Eric Byres, Chief Technology Officer
Andrew Ginter, Industrial Security Director
ICSJWG 2011 Spring Conference, Dallas, Texas, May 2-5, 2011

2 Advanced Persistent Threats
• Escalation: “bragging rights” -> organized crime -> nation states
• Opportunistic versus targeted
• Recent examples:
◦ Stuxnet – industrial sabotage -> Iranian uranium enrichment program
◦ Ghostnet – stole diplomatic communications -> embassies, Dalai Lama
◦ Aurora – stole source code and other intellectual property -> Google
◦ Night Dragon – industrial and commercial intelligence -> large oil companies

3 Stuxnet Worm

4 “Most Sophisticated Worm Ever”
• Targets Siemens S7/WinCC products; compromises S7 PLCs to sabotage the physical process
• Exploited 4 Windows zero-day vulnerabilities
• Spreads via:
◦ USB/removable media
◦ 3 network techniques
◦ S7 project files
◦ WinCC database connections
• Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates
• Installs cleanly on W2K through Win7/2008R2
• Conventional OS rootkit; detects and avoids major anti-virus products
• Advanced reverse-engineering protections

5 PLC Rootkit
[Diagram labels: Compromised Step7/WinCC Host; PLC Programming Application; Stuxnet S7otbxdx DLL; Siemens S7otbxsx DLL; Legitimate Function Blocks; Stuxnet “Malicious” Blocks; S7 PLC]

6 “Man in the Middle”
[Diagram labels: WinCC HMI; PLC; Stuxnet Function Block (between HMI and PLC, and between PLC and process); False Values; False Register Values; Power Supplies; Process In/Out]

7 Siemens SIMATIC PCS7 Product Line
• “Functional” components:
◦ Operator System (OS)
◦ Automation System (AS)
◦ Engineering System (ES)
• “Software” components:
◦ OS Server + Client
◦ WinCC Server + Client
◦ Web Navigation Server
◦ OS Web Server
◦ Central Archive Server (CAS)
◦ Engineering Station

8 How Stuxnet Infects a System (Source: Byres Security)
• Infected removable media:
1. Exploits vulnerability in Windows Shell handling of .lnk files (0-day)
2. Uses older vulnerability in autorun.inf to propagate
• Local area network communications:
3. Copies itself to accessible network shares, including administrative shares
4. Copies itself to print servers (0-day)
5. Uses “Conficker” vulnerability in RPC
• Infected Siemens project files:
6. Installs in WinCC SQL Server database via known credentials
7. Copies into STEP7 project files

9 How Stuxnet Infects a System
• All Windows hosts
◦ Installs rootkit and loader
◦ Creates configuration and data files
◦ Propagates to other potential hosts
• Siemens PCS7 STEP7 hosts
◦ Wraps S7 device OS driver (MitM + PLC rootkit)
◦ Looks for specific PLC models
  ▪ Infects S7 project files
  ▪ PROFIBUS driver replaced
• Siemens PCS7 WinCC hosts
◦ Infects WinCC SQL Server database files
• Target system
◦ Injects 1 of 3 different payloads into the PLC

10 High Security Site
[Diagram labels: Enterprise Control Network; Manufacturing Operations Network; Perimeter Network; Process Control Network; Control System Network; WinCC; PCS7; Historian; Remote Access; General Purpose]
Source: “Security Concept PCS7 and WinCC – Basic Document”, Siemens, Apr. ‘08

11 Stuxnet Spreads
• Date is May 1, 2010
• Stuxnet has been refined for over 12 months
• Is installed on a single USB flash drive
• No patches exist for the 0-days used
• No anti-virus signatures exist
• Security researchers are unaware of the attack

12 Initial Handoff of the Worm
• Employee receives project files from an offsite contractor on a USB flash drive

13 First Infection: Enterprise Computer
• Infected USB drive inserted into computer
• Even though the computer is fully patched and current with anti-virus signatures, the worm successfully installs
• Rootkit installed to hide files
• Attempts connection to C&C server for updates
• Infects any new USB flash drive inserted into the computer

14 Propagation on Enterprise Network
• Rapidly spreads to print servers and file servers within hours of initial infection
• Establishes P2P network and access to C&C server
• Infects any new USB flash drive inserted into the computer

15 Penetrating Perimeter Network
• System admin (Historian) becomes infected through network printer and file shares
• System admin connects via VPN to Perimeter Network and infects the CAS Server and its WinCC SQL Server database

16 Propagation on Perimeter Network
• Infects Web Navigation Server’s WinCC SQL Server
• Infects STEP 7 project files used in the Web Navigation Server Terminal Services feature
• Infects other Windows hosts on the subnet, such as WSUS, ADS, AVS

17 Propagation to Control Networks
• Leverages network connections between Perimeter and Process Control Network
• Exploits database connections between CAS Server (Perimeter) and OS Server (PCN)
• Infects other hosts on PCN via shares, WinCC or STEP7 methods
• Identifies target configuration and modifies PLC logic while hiding from users

18 Based on 7 different infection methods … how many attack vectors do you think this exposes?
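The propagation narrated in slides 12 to 17 can be treated as a graph of hosts and zones, which makes the question above answerable for a given architecture. The following is an added example, not code from the presentation or its authors: it enumerates every infection path from the contractor's USB drive to the PLC and then shows how many paths survive when only the CAS-OS database link is cut versus when everything inbound from the Perimeter into the PCN is blocked, as a unidirectional gateway would do. The host names and the assumed route from the Web Navigation Server's STEP7 project files to the Engineering Station are constructed, not taken from the slides.

```python
from collections import defaultdict
# Zone of each host (constructed from the slide 10 architecture; host names are assumed).
ZONE = {"usb_drive": "external", "plc": "CSN",
        "ent_pc": "ECN", "ent_print_srv": "ECN", "ent_file_srv": "ECN", "admin_ws": "ECN",
        "cas_server": "DMZ", "webnav_server": "DMZ",
        "os_server": "PCN", "eng_station": "PCN"}

# Directed links: (source, destination, infection method named on slides 8 and 12-17).
LINKS = [
    ("usb_drive", "ent_pc", "removable media (.lnk / autorun)"),
    ("ent_pc", "ent_print_srv", "print spooler (0-day)"),
    ("ent_pc", "ent_file_srv", "network shares"),
    ("ent_print_srv", "admin_ws", "network shares"),
    ("ent_file_srv", "admin_ws", "network shares"),
    ("admin_ws", "cas_server", "VPN + WinCC SQL Server"),
    ("cas_server", "webnav_server", "WinCC SQL Server"),
    ("cas_server", "os_server", "WinCC SQL Server (CAS-OS database link)"),
    ("webnav_server", "eng_station", "STEP7 project files"),  # assumed route into the PCN
    ("os_server", "eng_station", "network shares"),
    ("eng_station", "plc", "S7 driver wrapper (PLC rootkit)"),
]

def all_paths(links, src="usb_drive", dst="plc", blocked=lambda link: False):
    """Simple paths src -> dst as lists of (host, method); links with blocked(link) True are ignored."""
    adj = defaultdict(list)
    for s, d, m in links:
        if not blocked((s, d, m)):
            adj[s].append((d, m))
    paths = []
    def walk(node, path, seen):
        if node == dst:
            paths.append(path)
            return
        for nxt, method in adj[node]:
            if nxt not in seen:
                walk(nxt, path + [(nxt, method)], seen | {nxt})
    walk(src, [(src, "start")], {src})
    return paths

def crossings(path):
    """Zone boundaries (i.e. firewalls) a path passes through, e.g. 'ECN->DMZ'."""
    zones = [ZONE[host] for host, _ in path]
    return [f"{a}->{b}" for a, b in zip(zones, zones[1:]) if a != b]

if __name__ == "__main__":
    cut_db = lambda l: (l[0], l[1]) == ("cas_server", "os_server")  # cut only the database link
    one_way = lambda l: ZONE[l[0]] == "DMZ" and ZONE[l[1]] == "PCN"  # unidirectional gateway
    for label, blk in [("baseline", lambda l: False), ("cut DB link", cut_db), ("one-way gateway", one_way)]:
        print(label, len(all_paths(LINKS, blocked=blk)), "paths")
```

Cutting the single database link still leaves the STEP7 route into the PCN, which is the point slide 20 makes about fixing one vector while leaving others open.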

20 Are We Still Vulnerable?
• Excessive focus on USB flash drives as an attack vector left other paths unprotected
• Attack opportunities from control system architectures using RPC (service) and Named Pipes over SMB/CIFS (protocol)
• Similar protocols used between ECN-DMZ and DMZ-PCN
• “Essential” communications still allowed through firewalls
• Currently “approved” & integrated SIS platforms can be compromised by a common-mode failure

21 Changing the Industrial Security Culture
• Best practice systems are rarely implemented
• Systems are very susceptible to inside attacks, since the perceived risk is from external threats
• Security is often considered a commercial disadvantage to a vendor
• Limited security testing performed prior to system commissioning and on a recurring basis
• Businesses never realized that an ICS cyber breach could result in mechanical damage

22 What Can We Do? Short-Term
• Complete prevention is not realistic
• Provide additional protection around high-risk assets
• Focus on the complete life-cycle of a cyber breach
• Escalate advanced attacks to national authorities
• Contain the attack to minimize consequences
• Deploy, operate & maintain ICS-appropriate advanced security technologies & practices
◦ Whitelisting
◦ Advanced firewalls
◦ Unidirectional gateways
◦ Intrusion detection
◦ SIEM / log analysis
◦ Compliance managers

23 What Can We Do? Long-Term
• Current best practices need improvement
• Improve content inspection of ICS protocols
• Hardware-based security, not software

24 Looking Forward
• Stuxnet provided not just an end result (sabotage), but a roadmap to exploiting a supposedly “secure and isolated” system
• Stuxnet code is readily available, and the system-specific training is readily available
• Control systems are now the target of advanced attacks

25 Presentation is based on a White Paper co-authored by a team of security experts
◦ Eric Byres – Byres Security (makers of Tofino)
◦ Andrew Ginter – Waterfall Security Solutions (Unidirectional Gateways)
◦ Joel Langill – SCADAhacker (formerly with ENGlobal)
“How Stuxnet Spreads” – Download at:

26 Thank you for your attendance
