Slide 1: How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems
Joel Langill, Chief Security Officer; Eric Byres, Chief Technology Officer; Andrew Ginter, Industrial Security Director
ICSJWG 2011 Spring Conference, Dallas, Texas, May 2-5, 2011

Slide 2: Advanced Persistent Threats
- Escalation: “bragging rights” -> organized crime -> nation states
- Opportunistic versus Targeted
- Recent examples:
  ◦ Stuxnet – industrial sabotage -> Iranian uranium enrichment program
  ◦ Ghostnet – stole diplomatic communications -> embassies, Dalai Lama
  ◦ Aurora – stole source code and other intellectual property -> Google
  ◦ Night Dragon – industrial and commercial intelligence -> large oil companies

Slide 3: Stuxnet Worm

Slide 4: “Most Sophisticated Worm Ever”
- Targets Siemens S7/WinCC products, compromises S7 PLCs to sabotage the physical process
- Exploited 4 Windows zero-day vulnerabilities
- Spreads via:
  ◦ USB/Removable Media
  ◦ 3 Network Techniques
  ◦ S7 Project Files
  ◦ WinCC Database Connections
- Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates
- Installs cleanly on W2K through Win7/2008R2
- Conventional OS rootkit, detects and avoids major anti-virus products
- Advanced reverse-engineering protections

Slide 5: PLC Rootkit (diagram)
Diagram labels: Compromised Step7/WinCC Host; PLC Programming Application; Stuxnet S7otbxdx DLL; Siemens S7otbxsx DLL; Legitimate Function Blocks; S7 PLC; Legitimate Blocks; Stuxnet “Malicious” Blocks

Slide 6: “Man in the Middle” (diagram)
Diagram labels: WinCC HMI; PLC; Stuxnet Function Block; False Values; False Register Values; Power Supplies; Process In/Out

Slide 7: Siemens SIMATIC PCS7 Product Line
- “Functional” components:
  ◦ Operator System (OS)
  ◦ Automation System (AS)
  ◦ Engineering System (ES)
- “Software” components:
  ◦ OS Server + Client
  ◦ WinCC Server + Client
  ◦ Web Navigation Server
  ◦ OS Web Server
  ◦ Central Archive Server (CAS)
  ◦ Engineering Station

Slide 8: How Stuxnet Infects a System (Source: Byres Security)
- Infected Removable Media:
  1. Exploits vulnerability in Windows Shell handling of .lnk files (0-day)
  2. Used older vulnerability in autorun.inf to propagate
- Local Area Network Communications:
  3. Copies itself to accessible network shares, including administrative shares
  4. Copies itself to printer servers (0-day)
  5. Uses “Conficker” vulnerability in RPC
- Infected Siemens Project Files:
  6. Installs in WinCC SQL Server database via known credentials
  7. Copies into STEP7 Project files

Slide 9: How Stuxnet Infects a System
- All Windows Hosts
  ◦ Installs rootkit and loader
  ◦ Creates configuration and data files
  ◦ Propagates to other potential hosts
- Siemens PCS7 STEP7 Hosts
  ◦ Wraps S7 Device OS driver (MitM + PLC rootkit)
  ◦ Looks for specific PLC models
    - Infects S7 Project files
    - PROFIBUS driver replaced
- Siemens PCS7 WinCC Hosts
  ◦ Infects WinCC SQL Server database files
- Target System
  ◦ Injects 1 of 3 different payloads into PLC

Slide 10: High Security Site (diagram; Source: “Security Concept PCS7 and WinCC – Basic Document”, Siemens, Apr. ‘08)
Diagram labels: Manufacturing Operations Network; Enterprise Control Network; Process Control Network; Control System Network; Perimeter Network; WinCC; PCS7; Historian; Remote Access; General Purpose

Slide 11: Stuxnet Spreads
- Date is May 1, 2010
- Stuxnet has been refined for over 12 months
- Is installed on a single USB flash drive
- No patches exist for the 0-days used
- No anti-virus signatures exist
- Security researchers are unaware of the attack

Slide 12: Initial Handoff of the Worm
- Employee receives project files from an offsite contractor on a USB flash drive

Slide 13: First Infection: Enterprise Computer
- Infected USB drive inserted into computer
- Even though the computer is fully patched and current with anti-virus signatures, the worm successfully installs
- Rootkit installed to hide files
- Attempts connection to C&C server for updates
- Infects any new USB flash drive inserted into computer

Slide 14: Propagation on Enterprise Network
- Rapidly spreads to Print Servers and File Servers within hours of initial infection
- Establishes P2P network and access to C&C server
- Infects any new USB flash drive inserted into computer
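The rapid spread to file and print servers described on this slide is what a defender can actually observe: one workstation writing executables to administrative shares on many hosts within minutes. The following detection is an added example (not code from the white paper or from Byres Security); the pipe-separated audit format and the sample log lines are constructed, and the window and host-count thresholds are assumptions to tune against a real share-access or file-server audit feed.

```python
"""Fan-out detection for share-based propagation (slide 8 method 3, slide 14).

Added example, not part of the original presentation. The log format, the
hostnames and the file names below are constructed; a real deployment would
feed Windows share-access events or file-server audit logs into parse_log().
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp|source host|destination host|share|file written
SAMPLE_LOG = r"""
# one workstation drops the same DLL on four hosts within three minutes
2010-05-01T09:12:03|ENT-PC-042|ENT-FS-01|ADMIN$|\Windows\System32\update.dll
2010-05-01T09:13:10|ENT-PC-042|ENT-PRN-01|ADMIN$|\Windows\System32\update.dll
2010-05-01T09:14:45|ENT-PC-042|ENT-PC-017|C$|\Windows\System32\update.dll
2010-05-01T09:15:02|ENT-PC-042|ENT-PC-088|ADMIN$|\Windows\System32\update.dll
# ordinary document traffic on a user share (ignored)
2010-05-01T09:20:00|ENT-PC-011|ENT-FS-01|Projects|\Q2\report.docx
2010-05-01T09:21:00|ENT-PC-011|ENT-FS-01|Projects|\Q2\budget.xlsx
# an administrator pushing a patch to two hosts ninety minutes apart (below threshold)
2010-05-01T10:00:00|ADM-WS-01|ENT-FS-01|ADMIN$|\Temp\patch.exe
2010-05-01T11:30:00|ADM-WS-01|ENT-PRN-01|ADMIN$|\Temp\patch.exe
# the infected workstation again, hours later, a single host (below threshold)
2010-05-01T14:02:00|ENT-PC-042|ENT-FS-02|ADMIN$|\Windows\System32\update.dll
"""

EXEC_SUFFIXES = (".exe", ".dll", ".sys")
ADMIN_SHARES = {"ADMIN$", "C$"}


def parse_log(text):
    """Parse the constructed audit format into event dicts; '#' lines are comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, share, path = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "share": share, "path": path})
    return events


def detect_share_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one source writes an executable to admin shares on at least
    `min_hosts` distinct destination hosts inside a `window`-long period.

    Sliding window per source host; after an alert the window's events are
    consumed so one propagation burst produces one alert.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES and e["path"].lower().endswith(EXEC_SUFFIXES):
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            start = evs[i]["ts"]
            in_window = [e for e in evs[i:] if e["ts"] - start <= window]
            hosts = sorted({e["dst"] for e in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "first_seen": start, "hosts": hosts})
                i += len(in_window)
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_share_fanout(parse_log(SAMPLE_LOG)):
        print(f"{alert['src']} wrote executables to {len(alert['hosts'])} admin shares "
              f"starting {alert['first_seen']}: {', '.join(alert['hosts'])}")
```

The rule deliberately ignores legitimate document traffic and a slow administrative patch push, so that tuning `window` and `min_hosts` against a site's normal administrative activity is the main job before deploying it; the same logic can be fed from a print-server audit log to cover the print-spooler path on the same slide.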

Slide 15: Penetrating Perimeter Network
- System Admin (Historian) becomes infected through network printer and file shares
- System Admin connects via VPN to Perimeter Network and infects the CAS Server and its WinCC SQL Server database

Slide 16: Propagation on Perimeter Network
- Infects Web Navigation Server’s WinCC SQL Server
- Infects STEP 7 Project files used in the Web Navigation Server Terminal Services feature
- Infects other Windows hosts on the subnet like WSUS, ADS, AVS

Slide 17: Propagation to Control Networks
- Leverages network connections between Perimeter and Process Control Network
- Exploits database connections between CAS Server (Perimeter) and OS Server (PCN)
- Infects other hosts on PCN via Shares, WinCC or STEP7 methods
- Identifies target configuration and modifies PLC logic while hiding from users

Slide 18
- Based on 7 different infection methods … How many attack vectors do you think this exposes???

Slide 19 (diagram only; no text recovered)
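The question on slide 18 is best answered by writing the scenario of slides 12 to 17 down as a graph and counting. The model below is an added example, not the white paper's own analysis: the host roles, the zone each one sits in, and the edges (each labelled with the slide 8 method number it uses, plus the PLC payload injection from slide 9) are constructed from the scenario, and the two hops marked as assumptions (an RPC hop inside the enterprise, a STEP7 project-file hop from the Web Navigation Server) are this example's additions. The useful defender output is not the path count itself but which single mitigation, or which zone boundary, cuts every chain.

```python
"""Infection-path model for the scenario on slides 12-17 (added example).

Hosts, zones and edges are constructed from the slides and are not the white
paper's model; methods are numbered as on slide 8.
"""
from collections import defaultdict

# Zone of each host role, following the slide 10 architecture (constructed)
ZONES = {
    "usb": "removable-media",
    "enterprise_pc": "enterprise", "file_server": "enterprise",
    "print_server": "enterprise", "sysadmin_pc": "enterprise",
    "cas_server": "perimeter", "webnav_server": "perimeter",
    "os_server": "pcn", "step7_es": "pcn",
    "plc": "csn",
}

# Infection methods as numbered on slide 8; "payload" is the PLC injection of slide 9
METHODS = {
    1: ".lnk shell vulnerability (removable media)",
    2: "autorun.inf (removable media)",
    3: "network shares incl. admin shares",
    4: "print spooler",
    5: "RPC (Conficker vulnerability)",
    6: "WinCC SQL Server database, known credentials",
    7: "STEP7 project files",
    "payload": "PLC logic injection via wrapped S7 driver",
}

# (source host, destination host, method): constructed from slides 12-17
EDGES = [
    ("usb", "enterprise_pc", 1),
    ("usb", "enterprise_pc", 2),
    ("enterprise_pc", "file_server", 3),
    ("enterprise_pc", "print_server", 4),
    ("enterprise_pc", "sysadmin_pc", 5),   # assumption: RPC hop inside the enterprise
    ("file_server", "sysadmin_pc", 3),
    ("print_server", "sysadmin_pc", 4),
    ("sysadmin_pc", "cas_server", 3),      # over the VPN, slide 15
    ("sysadmin_pc", "cas_server", 6),
    ("cas_server", "webnav_server", 6),    # slide 16
    ("webnav_server", "os_server", 7),     # assumption: STEP7 project-file hop
    ("cas_server", "os_server", 6),        # database connection, slide 17
    ("os_server", "step7_es", 3),
    ("os_server", "step7_es", 7),
    ("step7_es", "plc", "payload"),
]


def enumerate_paths(blocked=frozenset(), start="usb", target="plc"):
    """Every simple path start -> target as a list of (src, dst, method) hops,
    skipping edges whose method is in `blocked` (i.e. has been mitigated)."""
    adj = defaultdict(list)
    for src, dst, method in EDGES:
        if method not in blocked:
            adj[src].append((dst, method))
    paths = []

    def walk(node, visited, hops):
        if node == target:
            paths.append(list(hops))
            return
        for dst, method in adj[node]:
            if dst not in visited:
                hops.append((node, dst, method))
                walk(dst, visited | {dst}, hops)
                hops.pop()

    walk(start, {start}, [])
    return paths


def count_paths(blocked=frozenset()):
    return len(enumerate_paths(blocked))


def single_method_cuts():
    """Methods whose mitigation alone removes every path to the PLC."""
    return sorted((m for m in METHODS if count_paths({m}) == 0), key=str)


def zone_crossings(zone_from, zone_to):
    """Edges crossing a zone boundary: the hops a firewall or unidirectional
    gateway between the two zones would have to allow or deny."""
    return [(s, d, m) for s, d, m in EDGES
            if ZONES[s] == zone_from and ZONES[d] == zone_to]


if __name__ == "__main__":
    print(f"{count_paths()} distinct infection chains from USB to PLC")
    for m in METHODS:
        print(f"  mitigate {str(m):8} {METHODS[m]}: {count_paths({m})} chains remain")
    print("single mitigations that cut every chain:", single_method_cuts())
    print("perimeter -> PCN crossings:", zone_crossings("perimeter", "pcn"))
```

In this model seven methods combine into 48 distinct chains, and removing the USB vector alone (methods 1 and 2) is the only enterprise-side control that cuts them all; the other single control that does so is the WinCC database path (method 6), which is exactly the CAS-to-OS connection slide 17 singles out. The `zone_crossings` output is the list a unidirectional gateway or a content-inspecting firewall at the Perimeter/PCN boundary would have to cover.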

Slide 20: Are We Still Vulnerable?
- Excessive focus on the USB flash drives as an attack vector left other paths unprotected
- Attack opportunities from control system architectures using RPC (service) and Named Pipes over SMB/CIFS (protocol)
- Similar protocols used between ECN-DMZ and DMZ-PCN
- “Essential” communications still allowed through firewalls
- Currently “approved” & integrated SIS platforms can be compromised by a common-mode failure

Slide 21: Changing the Industrial Security Culture
- Best practice systems are rarely implemented
- Systems very susceptible to inside attacks, since the perceived risk is from external threats
- Security is often considered a commercial disadvantage to a vendor
- Limited security testing performed prior to system commissioning & on a recurring basis
- Businesses never realized that an ICS cyber breach could result in mechanical damage

Slide 22: What Can We Do? Short-Term
- Complete prevention is not realistic
- Provide additional protection around high-risk assets
- Focus on complete life-cycle of cyber breach
- Escalate advanced attacks to national authorities
- Contain attack to minimize consequences
- Deploy, operate & maintain ICS-appropriate advanced security technologies & practices
  ◦ Whitelisting
  ◦ Advanced Firewalls
  ◦ Unidirectional Gateways
  ◦ Intrusion Detection
  ◦ SIEM / Log Analysis
  ◦ Compliance Managers

Slide 23: What Can We Do? Long-Term
- Current best practices need improvement
- Improve content inspection of ICS protocols
- Hardware-based security, not software

Slide 24: Looking Forward
- Stuxnet provided not just an end result (sabotage), but a roadmap to exploiting a supposed “secure and isolated” system
- Stuxnet code is readily available, and the system-specific training is readily available
- Control systems are now the target of advanced attacks

Slide 25: “How Stuxnet Spreads”
- Presentation is based on a White Paper co-authored by a team of Security Experts
  ◦ Eric Byres, Byres Security (makers of Tofino)
  ◦ Andrew Ginter, Waterfall Security Solutions (Unidirectional Gateways)
  ◦ Joel Langill, SCADAhacker (formerly with ENGlobal)
- Download at:

Slide 26: Thank you for your attendance