Presentation is loading. Please wait.

Presentation is loading. Please wait.

How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew.

Published byNorman Mathews Modified over 9 years ago

Similar presentations

Presentation on theme: "How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew."— Presentation transcript:

1 How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew Ginter Industrial Security Director ICSJWG 2011 Spring Conference Dallas, Texas May 2-5, 2011

2 Escalation: “bragging rights” -> organized crime -> nation states Opportunistic versus Targeted Recent examples: ◦Stuxnet – industrial sabotage -> Iranian uranium enrichment program ◦Ghostnet – stole diplomatic communications -> embassies, Dhali Llama ◦Aurora – stole source code and other intellectual property -> Google ◦Night Dragon – industrial and commercial intelligence -> large oil companies Advanced Persistent Threats 2

3 Stuxnet Worm 3

4 Targets Siemens S7/WinCC products, compromises S7 PLC's to sabotage physical process Exploited 4 Windows zero-day vulnerabilities Spreads via: ◦USB/Removable Media ◦3 Network Techniques ◦S7 Project Files ◦WinCC Database Connections Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates Installs cleanly on W2K through Win7/2008R2 Conventional OS rootkit, detects and avoids major anti-virus products Advanced reverse-engineering protections “Most Sophisticated Worm Ever” 4

5 PLC Rootkit Compromised Step7/WinCC Host Stuxnet S7otbxdx DLL Legitimate Function Blocks PLC Programming Application S7 PLC Legitimate Blocks Stuxnet “Malicious” Blocks Siemens S7otbxsx DLL Function Blocks 5

6 “Man in the Middle” WinCC HMI PLC Stuxnet Function Block Stuxnet Function Block False Values Power Supplies Process In/Out False Register Values 6

7 “Functional” components: ◦Operator System (OS) ◦Automation System (AS) ◦Engineering System (ES) “Software” components: ◦OS Server + Client ◦WinCC Server + Client ◦Web Navigation Server ◦OS Web Server ◦Central Archive Server (CAS) ◦Engineering Station Siemens SIMATIC PCS7 Product Line 7

8 Source: Byres Security How Stuxnet Infects a System Infected Removable Media: 1. Exploits vulnerability in Windows Shell handling of.lnk files (0-day) 2. Used older vulnerability in autorun.inf to propagate Local Area Network Communications: 3. Copies itself to accessible network shares, including administrative shares 4. Copies itself to printer servers (0-day) 5. Uses “Conficker” vulnerability in RPC Infected Siemens Project Files: 6. Installs in WinCC SQL Server database via known credentials 7. Copies into STEP7 Project files 8

9 All Windows Hosts ◦Installs rootkit and loader ◦Creates configuration and data files ◦Propagates to other potential hosts Siemens PCS7 STEP7 Hosts ◦Wraps S7 Device OS driver (MitM + PLC rootkit) ◦Looks for specific PLC models  Infects S7 Project files  PROFIBUS driver replaced Siemens PCS7 WinCC Hosts ◦Infects WinCC SQL Server database files Target System ◦Injects 1 of 3 different payloads into PLC How Stuxnet Infects a System 9

10 High Security Site Manufacturing Operations Network Enterprise Control Network Process Control Network Control System Network Perimeter Network WinCC PCS7 Historian Remote Access General Purpose Source: “Security Concept PCS7 and WinCC – Basic Document”, Siemens, Apr. ‘08 10

11 Date is May 1, 2010 Stuxnet has been refined for over 12 months Is installed on a single USB flash drive No patches exist for the 0-days used No anti-virus signatures exist Security researchers are unaware of the attack Stuxnet Spreads 11

12 Employee is transmitted project files from an offsite contractor on a USB flash drive Initial Handoff of the Worm 12

13 Infected USB drive inserted into computer Even though computer is fully patched and current with anti-virus signatures, worm successfully installs Rootkit installed to hide files Attempts connection to C&C server for updates Infects any new USB Flash drive inserted into computer First Infection: Enterprise Computer 13

14 Rapidly spreads to Print Servers and File Servers within hours of initial infection Establishes P2P network and access to C&C server Infects any new USB Flash drive inserted into computer Propagation on Enterprise Network 14

15 System Admin (Historian) becomes infected through network printer and file shares System Admin connects via VPN to Perimeter Network and infects the CAS Server and its WinCC SQL Server database Penetrating Perimeter Network 15

16 Infects Web Navigation Server’s WinCC SQL Server Infects STEP 7 Project files used in Web Navigation Server Terminal Services feature Infects other Windows hosts on the subnet like WSUS, ADS, AVS Propagation on Perimeter Network 16

17 Leverages network connections between Perimeter and Process Control Network Exploits database connections between CAS Server (Perimeter) and OS Server (PCN) Infects other hosts on PCN via Shares, WinCC or STEP7 methods Identifies target configuration and modifies PLC logic while hiding from users Propagation to Control Networks 17

18 Based on 7 different infection methods … How many attack vectors do you think this exposes??? 18

19 19

20 Excessive focus on the USB flash drives as an attack vector left other paths unprotected Attack opportunities from control system architectures using RPC (service) Named Pipes over SMB/CIFS (protocol) Similar protocols used between ECN-DMZ and DMZ-PCN “Essential” communications still allowed through firewalls Currently “approved” & integrated SIS platforms can be compromised by a common-mode failure Are We Still Vulnerable? 20

21 Best practice systems are rarely implemented Systems very susceptible to inside attacks, since perceived risk from external threats Security is often considered a commercial disadvantage to a vendor Limited security testing performed prior to system commissioning & on reoccurring basis Businesses never realized that an ICS cyber breach could result in mechanical damage Changing the Industrial Security Culture 21

22 Short-Term Complete prevention is not realistic Provide additional protection around high-risk assets Focus on complete life-cycle of cyber breach Escalate advanced attacks to national authorities Contain attack to minimize consequences Deploy, operate & maintain ICS-appropriate advanced security technologies & practices ◦Whitelisting ◦Advanced Firewalls ◦Unidirectional Gateways ◦Intrusion Detection ◦SIEM / Log Analysis ◦Compliance Managers What Can We Do? 22

23 Long-Term Current best practices need improvement Improve content inspection of ICS protocols Hardware-based security, not software What Can We Do? 23

24 Stuxnet provided not just an end result (sabotage), but a roadmap to exploiting a supposed “secure and isolated” system Stuxnet code is readily available, and the system- specific training is readily available Control systems are now the target of advanced attacks Looking Forward 24

25 Presentation is based on a White Paper co-authored by team of Security Experts ◦Eric Byres Byres Security (makers of Tofino) ◦Andrew Ginter Waterfall Security Solutions (Unidirectional Gateways) ◦Joel Langill SCADAhacker (formerly with ENGlobal) “How Stuxnet Spreads” Download at: www.tofinosecurity.com/how-stuxnet-spreads 25

26 Thank you for your attendance 26

Download ppt "How Stuxnet Spreads: A Study of Infection Paths in Best Practice Systems Joel Langill Chief Security Officer Eric Byres Chief Technology Officer Andrew."

Similar presentations

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
(n)Code Solutions Presentation on the importance of a Secure Technology Infrastructure.

(n)Code Solutions Presentation on the importance of a Secure Technology Infrastructure.
Entelec Spring 2013 Slide 1 Cyber Security in Critical Infrastructure Control Systems Presented by: Motty Anavi VP Business Development A practical approach.

Entelec Spring 2013 Slide 1 Cyber Security in Critical Infrastructure Control Systems Presented by: Motty Anavi VP Business Development A practical approach.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor

Blended Threats and Layered Defenses Security Protection in Today’s Environment Marshall Taylor
Copyright© 2005-2006 Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.

Copyright© Trusted Computing Group - Other names and brands are properties of their respective owners. Slide #1 Tightening the Network: Network.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Security and Policy Enforcement Mark Gibson Dave Northey

Security and Policy Enforcement Mark Gibson Dave Northey
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Stuxnet – Getting to the target Liam O Murchu Operations Manager, Symantec Security Response 1 Feb 2011.

Stuxnet – Getting to the target Liam O Murchu Operations Manager, Symantec Security Response 1 Feb 2011.
Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Kaspersky Open Space Security: Release 2 World-class security solution for your business.
Norman Endpoint Protection Advanced security made easy.

Norman Endpoint Protection Advanced security made easy.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Module 16: Software Maintenance Using Windows Server Update Services.

Module 16: Software Maintenance Using Windows Server Update Services.

Similar presentations

Ads by Google