Betsy Woudenberg, Co-founder

Presentation on theme: "Betsy Woudenberg, Co-founder"— Presentation transcript:

1 Betsy Woudenberg, Co-founder
SCADA Right Now
Betsy Woudenberg, Co-founder
15 August 2012
Thank you for your interest in this presentation! These slides combine my original research with data sources as cited in the slide notes area. You are welcome to cite my work, but please do not re-post this presentation online without my permission. Thank you! Betsy Woudenberg
This presentation is © 2012 by IntelligenceArts, LLC.

2 What we’re talking about
[Diagram: the family of control systems. Labels: Control systems; Other control systems; Industrial control systems (ICS); Critical infrastructure; Facility control; Manufacturing; DCS (Distributed Control Systems); SCADA (Supervisory Control and Data Acquisition); Water; Oil & gas; Power]
Image sources: Nuclear power plant photo: Oil refinery: Water treatment plant:

3 The SCADA industry
People are expensive, but computers are cheap.
- Commercial and profit-driven
- A truly global industry
- Idiosyncratic: few standards; new processes bolted on to existing facilities
- Pragmatic and functional: built to last; early systems are still running

4 Basic SCADA structure
[Diagram labels: HMI software; HMI “Lightboard”; HMI device; PLC; RTU]
- A few Human-Machine Interfaces (HMI): computer screens and buttons for people
- Many Programmable Logic Controllers (PLC): watching the system and making routine decisions
- Hundreds of Remote Terminal Units (RTU): reading sensors and controlling valves and switches
- The process: many thousands of valves, switches, and sensors (temperature, pressure, flow, etc.)
Image sources: Lightboard: Simple HMI: Wikipedia Siemens WinCC computer screen from Bushehr: PLC: Wikipedia RTU:

5 Modern enterprise SCADA
[Diagram: the layers of an enterprise SCADA deployment]
- Business or Corporate network: Facility front office, Regional office, Corporate headquarters; executives, salespeople, travelers
- Operations or SCADA network (“SCADAland”): “Support services”; Human-Machine Interface (HMI); engineers and vendors with dial-in or Internet access
- Field devices: Programmable Logic Controllers (PLC); Remote Terminal Units (RTU); valves, switches, and sensors

6 SCADA systems today: Two worlds
[Diagram: the corporate world (Facility front office, Regional office, Corporate headquarters) and the control world (Human-Machine Interface (HMI), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), valves, switches, and sensors)]

7 Part 2 How to attack SCADA systems

8 What you will need: Access + Expertise
Access: the capability to issue commands to the SCADA system
- Hack into the system
- Recruit an insider
- Steal an insider’s credentials
- Place a software tool
- Place modified equipment
Expertise: proficiency with the SCADA system to produce an effect
- Survey the system
- Select an effect you can produce
- Experiment and practice
- Defeat countermeasures
- Stay hidden?

9 Access: Technical targets
[Diagram: the enterprise SCADA structure (Facility front office, Regional office, Corporate headquarters, Remote users; Support services, Human-Machine Interface (HMI), Remote access modems, Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), valves, switches, and sensors) annotated with the technical characteristics of each zone]
- Corporate network: Microsoft Windows; Internet protocol and HTTP; passwords, encryption
- SCADAland: analog and digital signals; wired and wireless transport; proprietary protocols; clear-text communications; serial interfaces; element-level security; perimeter security

10 A question of priorities
Information security: Confidentiality, Integrity, Authenticity
  Worst case scenario: Data Loss, Security Breach
SCADA: Integrity, Availability, Resilience, ..., Authenticity, Confidentiality
  Worst case scenario: Loss of View, Loss of Control

11 Access: Human targets
[Diagram: the enterprise SCADA structure (Facility front office, Regional office, Corporate headquarters; Human-Machine Interface (HMI), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), valves, switches, and sensors) with the people around it]
- People who built it (designers & suppliers): planning engineers, process engineers, SCADA engineers, construction co., supply chain vendors, SCADA system vendor
- People who own it (the owners): executives, investors, administrators, managers, IT security
- People who run it (the operators): engineers, maintenance, security

12 Access in review
- SCADA systems rely on perimeter security.
- SCADA systems and equipment do not follow “standard” security conventions.
- Most (anecdotally, all) SCADA systems have some communications channel to the outside world.
- SCADA systems are surrounded by people.
  - Owners: at the corporate level
  - Operators: hands-on access
  - Designers: schematics and equipment lists
  - Don’t forget the SCADA system vendors, supply chain, maintenance, security…

13 Expertise
The more damage you do, the more likely you’ll get caught.
[Chart placing three groups of actors: Nation-state actors, crafty insiders, and other people who don’t want to get caught; Hackers, amateurs, and other people who don’t think they will get caught; Terrorists]

14 Expertise: Selecting a process
Objective: Shut off power to this city
Image source:

15 Expertise: Achieving your objective
- The process: what you’re going to do. Chemistry and physics; process design
- The SCADA system: how you’re going to do it. Vendor, software, and equipment; SCADA protocol; defeat the system; hide your tracks
- The environment: when you’re going to do it. Process variables; facility variables; environmental variables

16 Expertise: Managing human factors
- Every place has a culture. Culture derives from and determines human behavior.
- Small problems versus Big Problems. Be a small problem!
- People can help or hinder your attack. Understand the culture at your target facility. Will “blame the human” work?
- Culture is hard to read from a distance. Find and recruit an insider… there are many!

17 Expertise in summary
- The more damage you do, the more likely you will be caught. Many human and technical factors work against you.
- Controlling SCADA requires a lot of information about your target.
  - What to do: the processes you need to affect
  - How to do it: the commands you need to issue
  - When to do it: the external factors outside your control
- People can defeat your SCADA attack… or help you. Insider knowledge is critical to managing human factors.

18 Remember… Access makes the attack possible
Expertise makes the attack successful

19 What’s out there An overview of known cyber incidents involving critical infrastructure control systems

20 Who is targeting SCADA?
[Table with columns Intent, Goal, Evidence, Actor; the Evidence and Actor columns are filled in on the following slides]
Intent: To take control; To get information
Goal: To demonstrate capabilities; For destructive attack; To case a target; For economic advantage

21 Stuxnet
- Trojan active since 2008, discovered “in the wild” in June 2010
- “Escaped” from its intended target in 2009
- Very effective
- Microsoft Windows-based “missile” carrying a highly targeted SCADA “warhead”
Missile (delivery system):
- Rides a USB drive, CD, or DVD… (USB drive)
- Lands on a PC network and spreads… (Windows PCs)
- Looks for HMI software, PLCs, and device codes… (Siemens SCADA software)
- Is carried onto the Siemens PLC… (Siemens SCADA equipment)
Warhead (produces SCADA effect):
- Issues commands to the speed controllers… (Motor speed controllers)
- … and modifies the rate of spin of the centrifuges. (Centrifuge cascades)
Icons from clipart and the corporate websites of Siemens and Vacon.

22 Stuxnet in the structure
[Diagram: the enterprise SCADA structure (Facility front office, Regional office, Corporate headquarters) with Stuxnet’s path through it]
- Enters at a Windows PC running HMI software (Human-Machine Interface)
- Modifies programming on the PLC (Programmable Logic Controllers)
- PLC directs RTUs to direct controllers to change the speed of centrifuge motors (Remote Terminal Units; centrifuge processes)
- Result: Loss of View and Loss of Control
Icons are from clipart and from the corporate sites of Siemens and Vacon.

23 Stuxnet’s effects on centrifuge spin
[Chart: drive speed in Hz over time, from data in Symantec’s Stuxnet dossier. Bands: Normal, Stress, New Normal, Stress]
- Initial infection
- Phase I (~12.8 days): observation of normal range ( Hz)
- Phase II (~27 days): reset to higher than normal speed (1410 Hz)
- Phase III (15 or 50 minutes): catastrophic crash from 1410 to 2 to 1064 Hz
- Phase IV (~27 days): reset to new normal (1064 Hz)
- Phase II again (~27 days): reset to higher than normal speed (1410 Hz)
Quick note for Stuxnet fans: This is 315 code, not 417 code.

24 Public discovery of Stuxnet
[Timeline, 2007 to 2012: cascades at Natanz, showing Capacity (total number of cascades in place) and Success (cascades up and running) for 2007, 2008, 2009 – mid 2010, and Post-Stuxnet, against the Stuxnet operation]
The Stuxnet operation:
- Preparation: decision to target; access development; technical survey; tool development (survey tool: Flame?)
- Stuxnet Version 1.0
- Stuxnet Version 2.0
- Mid-2009: escape of code to wild
- June 2010: public discovery of Stuxnet
Data on cascade count and performance taken from published IAEA inspection reports from 2007 to 2012. Information on Stuxnet operation during taken from the New York Times article from 01 June 2012 and from the Symantec technical dossier on Stuxnet. The functions during each phase are my extrapolations based on the NYT story and common sense.

25 Who is targeting SCADA?
Intent: To take control; To get information
Goal: To demonstrate capabilities; For destructive attack; To case a target; For economic advantage
Evidence: Stuxnet; Flame
Actor: Nation-state actors

26 South Houston
- November 2011: Springfield, Illinois announces destruction of a water utility pump by Russian hackers
- Subsequently proved to be mundane pump failure
- FBI and DHS investigated: the “Russian hack” was remote access by a SCADA engineer on vacation
- Lesson learned: examining cyber logs without understanding SCADA culture leads to mistaken assumptions
But this is not our story!

27 “Second water utility reportedly hit by hack attack”
- 18 November 2011: hacker “pr0f” posts a message to pastebin.com
- Offended by FBI and DHS downplaying the Springfield “hack”
- Sought to highlight the vulnerabilities of control systems

28 South Houston: Yep, he got in

29 pr0f: Conscientious hacker?
- Opportunistic target: no grudge against South Houston
- Likely used the Shodan search tool to look for connected and responsive devices
- South Houston had no real security set up
- This is an expression of human culture!
- “No damage was done”?

30 Shodan: “Google for hackers”

31 Who is targeting SCADA?
Intent: To take control; To get information
Goal: To demonstrate capabilities; For destructive attack; To case a target; For economic advantage
Evidence: South Houston; Stuxnet; Flame
Actor: Hackers; Nation-state actors

32 Brazil power outages
- “Hacker extortionists” behind multiple power outages in Brazil
  - January 2005: north of Rio de Janeiro, “tens of thousands of people”
  - September 2007: Espirito Santo, 3 million people
- Brazil continues to deny hacking: “Our systems are not connected to the Internet”; blamed the 2007 outage on weather and “sooty insulators”
- If true… hackers followed through on threats and disrupted the power grid. Were the outages demonstrations or escalations? Were insiders involved?
Sources: CIA officer Donahue admits cyber attacks have knocked out power: CBS cites multiple sources confirming Brazil outages due to hackers: Link to Brazil, claim of hacker-extortionists behind it: Brazil denies it, blames “sooty insulators”:

33 Who is targeting SCADA?
Intent: To take control; To get information
Goal: To demonstrate capabilities; For destructive attack; To case a target; For economic advantage
Evidence: Brazil; South Houston; Stuxnet; Flame
Actor: Criminals; Hackers; Nation-state actors

34 China and global oil & gas companies
China is conducting a series of espionage operations to collect information from U.S. and foreign energy companies.
- Short-term: advantage in energy deals
- Long-term: less energy dependence
Two recent well-known cyber attacks against energy industry targets demonstrate this: Shady RAT ( ) and Night Dragon ( ).

35 Shady RAT
Who they targeted: From 2006 to 2011, 70 global entities, including a U.S. natural gas wholesaler from February to December 2009.
What they stole: “… A historically unprecedented transfer of wealth—[including] negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more …” Source: “Revealed: Operation Shady RAT,” McAfee.
How they stole it: “A spear-phishing … a download of the implant malware… backdoor communication channel … live intruders jumping on to the infected machine … targeting for quick exfiltration the key data they came for.” – Dmitri Alperovitch, McAfee

36 Night Dragon
Who they targeted: From November 2009 to early 2011, “attackers using several locations in China … [waged] attacks against global oil, gas, and petrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United States to acquire proprietary and highly confidential information.”
What they stole: “Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding…” Source: “Global Energy Cyberattacks: ‘Night Dragon’,” McAfee white paper, February 2011
How they stole it: “… social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) … In certain cases, the attackers collected data from SCADA systems.” – McAfee

37 China’s foreign oil/gas deals and cyber attacks
[Timeline, 2008 to 2013, placing the two attack campaigns alongside China’s energy deals]
Cyber attacks:
- Shady RAT (U.S. natural gas wholesaler)
- Night Dragon (Kazakhstan, Taiwan, Greece, U.S.)
Deals:
- Aggressive bidding on multiple Iraqi oil fields at auction
- Purchase of major stake in a second Kazakh oil company
- China-Taiwan trade deal for petrochemicals
- Purchase of Rumaila oil field, Iraq, at auction
- McKay River and Dover oil sands deal with Athabasca, Canada
- Development of Iran’s Masjed Soleyman oil field
- Oil development deal with Afghanistan
- Purchase of major stake in Kazakh oil company
- Framework for LNG deal with Russia
- LNG deal with Uzbekistan
- LNG deal with Australia
- LNG deal with France
- Finalization of South Pars Phase 11 with Iran
- LNG deal with QatarGas
- LNG deal with Shell
- LNG deal with Exxon
- Shale gas deal with Chesapeake Energy in Texas
Dates of projects taken from the corporate websites of China’s petroleum companies, multiple oil and gas industry websites, and IEA publications. Night Dragon and Shady RAT dates taken from the McAfee public documents.

38 Who is targeting SCADA?
Intent: To take control; To get information
Goal: To demonstrate capabilities; For destructive attack; To case a target; For economic advantage
Evidence: China’s cyber theft; South Houston; Brazil; Stuxnet; Flame
Actor: China (Economic espionage); Hackers; Criminals; Nation-state actors

39 What’s the scariest thing on here?
Intent: To take control; To get information
Goal: For destructive attack; To demonstrate capabilities; For economic advantage; To case a target
Evidence: Stuxnet; China’s cyber theft; South Houston; Flame; Brazil
Actor: Hackers; Criminals; Nation-state actors; China (Economic espionage)

40 Who is/could be casing SCADA systems?
Everyone.
- Terrorists: Al Qa’ida
- Competitors: economic espionage
- Hackers: for the lulz
- Criminals: for profit
- Nation-state actors: for covert action
- China: for economic espionage
SCADA casing is…
- Difficult to detect
- Difficult to prevent
- Difficult to characterize: “dual use”; illegal?; precursor to SCADA attack?
- Impossible to quantify: relies on the victim to report it
Source for Al-Qa’ida info: “US ‘fears al Qa’ida hack attack’,” 27 June 2002,

41 Key indicators
What’s the target?
- Corporate entity: the target, or a means to an end?
- SCADA vendor: look at the customers
- Facility: one place, or the whole sector?
- Opportunistic exploration: because it was there
Who’s the attacker?
- Not just where it came from, but what they did
- Did the cyber activity penetrate SCADAland?
- What data did the attacker exfiltrate?
- How well does the attacker know the target?
How far along are things?
- Early stages. Access: target research and selection
- Later stages. Expertise: drilling down to data to shape the attack
- What other information sources have been hit?

42 In conclusion
- SCADA vulnerability is a consequence of its priorities: integrity, availability, and resilience.
- For effective attack, you need access and expertise: technology targets and human targets.
- Lots of cyber activity appears to touch SCADA… Stuxnet; hackers and criminals; economic espionage.
- … But it’s hard to determine precursors to SCADA attack. Control access and monitor expertise sources. Look for indicators of serious capability and intent.

43 Betsy Woudenberg betsy@intelligencearts.com
Thank you! Betsy Woudenberg The entirety of this presentation is © 2012 by IntelligenceArts, LLC. The information and insights herein are solely those of IntelligenceArts, LLC and do not derive from or represent the U.S. Government.

44 Backup slides

45 Index to backup slides
- More on Stuxnet
- Duqu and Stuxnet
- What’s next?
- Why culture matters

46 Stuxnet facts
What it is: a worm/trojan detected “in the wild” in June 2010
What it targeted:
- Windows PCs running Siemens WinCC and Step7 SCADA software (WinCC is a Windows-based HMI; Step7 (S7) runs on the PC to configure Siemens PLCs)
- Siemens PLCs that control two specific high-frequency converter drives: Vacon (Finland) and Fararo Paya (Iran)
How it spread:
- Propagates by USB thumb drive, LAN, and other close-range techniques
- Four zero-day exploits for propagation between Windows machines
What it did: late September 2010, 100,000 infected PC hosts worldwide, 60% in Iran
Forensic data and credited diagrams taken from Symantec’s W32.Stuxnet Dossier, February 2011

47 Stuxnet’s purpose
Stuxnet was a destructive clandestine attack on the uranium enrichment centrifuge cascades at Natanz, Iran.
- Stuxnet looks for Siemens PLCs controlling an array of 31 Vacon or Fararo Paya converter drives
- The drives must operate between Hz for ~13 days
- It then modifies the frequency output from the drives in a repeating cycle: Normal -> 1410 Hz -> 2 Hz -> 1064 Hz, then resets the timer for the next round
- And it hides the drive speed changes from the HMI
[Diagram: uranium gas (UF6) centrifuge. The frequency converter drive controls the speed of the motor that spins the centrifuge rotor. Centrifuge diagram source: Centrifuge cascade photo source:]
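As an added example (not part of the presentation), this Python detector covers the effect described here and on slide 23 from the defender's side: it compares an independent drive-frequency measurement with what the HMI displays, flags readings outside the operating band, and flags slews like the 1410 -> 2 -> 1064 Hz cycle. The operating band, the tolerance, the slew limit and the telemetry rows are assumed or constructed values; the presentation does not give the real envelope.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    """One telemetry row for a single converter drive (constructed format)."""
    t_s: float       # seconds since the start of the constructed log
    hmi_hz: float    # frequency the HMI shows the operator (what Stuxnet spoofed)
    meter_hz: float  # frequency read by an independent meter on the motor feed


# Assumed operating envelope around the "new normal" of 1064 Hz quoted on the
# slide. The presentation does not give the real band, so this is constructed.
NORMAL_BAND_HZ = (1000.0, 1100.0)
VIEW_TOLERANCE_HZ = 5.0    # HMI vs meter disagreement that counts as loss of view (assumed)
MAX_SLEW_HZ_PER_S = 20.0   # fastest rate a legitimate setpoint ramp would show (assumed)

Alert = Tuple[str, float, float]  # (kind, time in s, value in Hz)


def detect(samples: List[Sample]) -> List[Alert]:
    """Run the three checks over a time-ordered list of samples."""
    alerts: List[Alert] = []
    prev: Optional[Sample] = None
    lo, hi = NORMAL_BAND_HZ
    for s in samples:
        # 1. Out-of-band: the real speed left the envelope (1410 Hz overspeed, 2 Hz crash).
        if not lo <= s.meter_hz <= hi:
            alerts.append(("OUT_OF_BAND", s.t_s, s.meter_hz))
        # 2. Loss of view: the HMI shows something other than what the meter sees.
        if abs(s.hmi_hz - s.meter_hz) > VIEW_TOLERANCE_HZ:
            alerts.append(("LOSS_OF_VIEW", s.t_s, s.hmi_hz - s.meter_hz))
        # 3. Slew: the measured speed moved faster than any sane ramp allows.
        if prev is not None:
            dt = s.t_s - prev.t_s
            if dt > 0 and abs(s.meter_hz - prev.meter_hz) / dt > MAX_SLEW_HZ_PER_S:
                alerts.append(("SLEW", s.t_s, s.meter_hz - prev.meter_hz))
        prev = s
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts by kind; an empty dict means nothing fired."""
    counts: Dict[str, int] = {}
    for kind, _, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def constructed_log() -> List[Sample]:
    """Constructed telemetry: a quiet minute at 1064 Hz, then the cycle from the
    slide (1410 Hz, then 2 Hz, then back to 1064 Hz) while the HMI keeps showing
    the old 1064 Hz, which is the spoofed view."""
    log = [Sample(float(t), 1064.0, 1064.0) for t in range(0, 60, 10)]
    for t, real_hz in ((60, 1410.0), (70, 1410.0), (80, 2.0), (90, 1064.0)):
        log.append(Sample(float(t), 1064.0, real_hz))
    return log


if __name__ == "__main__":
    for kind, t, value in detect(constructed_log()):
        print(f"t={t:5.0f}s  {kind:13s}  {value:+9.1f} Hz")
    print(summarize(detect(constructed_log())))
```

The loss-of-view check is the one an HMI alone can never raise, because the spoofed value is the only one it has; it needs a measurement path the PLC does not control.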

48 Stuxnet’s code
[Grid: stages Lands on PC, Establish, Spread, Infect, Implement, split between the Missile (delivery system) and the Warhead (produces effect). Cells in reading order: Thumb drive; Check OS version; .INF or .LNK; Look for WinCC and S7 software; Monitor drive output values; LAN; Get admin privileges; Network shares; Look for specific PLCs by ID code; Initiate timed sequences; Digital certificates; Decrypt and load files; Print spooler vulnerability; Modify S7 code on PC; Intercept 16 of 109 routines; Phone home and send profile; WinCC DB and project files; Inject code onto PLCs; Issue spoofed data to HMI; Peer-to-peer update]

49 Phase I: Planning
2006-2007: Planning and tool development
- Study of Iran’s centrifuges, based on the P-1 and P-2 Pakistani design
- Data collection on the SCADA system inside Natanz. Was this Flame?
In 2006, Iran set up, tested, and began operating its first UF6 cascade of 164 linked centrifuges. By November 2007, Iran had assembled and was operating its first “unit” of 18 linked cascades with a total of 2,952 working centrifuges.
Source: “Obama Order Sped Up Wave of Cyberattacks Against Iran,” David Sanger, New York Times, 01 June 2012. Data on cascades and production taken from IAEA reports from 2006 and 2007. Involvement of Flame: “U.S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say,” Washington Post, 19 June 2012

50 Phase II: Covert attack
2008: First attacks
- Tool placed in the Natanz control network
- Moderate success but “no wholesale destruction”
- “The Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.”
Iran quickly began assembling additional cascades based on the first successful unit. However, the second unit was not operating at full capacity. By late 2008, only 24 of the 36 total cascades were operating.
Source of information and quote: “Obama Order Sped Up Wave of Cyberattacks Against Iran,” David Sanger, New York Times, 01 June 2012. Data on cascades and production taken from IAEA reports from 2008.

51 Phase III: Success and escape
2008 – mid 2010: Repeated operations
- Additional versions inserted into Natanz
- Improvements to propagation mechanism
Mid to late 2009: Critical period
- Significant disruption of Iran’s program
- Emergence of first virus samples in the wild
Source of information and quote: “Obama Order Sped Up Wave of Cyberattacks Against Iran,” David Sanger, New York Times, 01 June 2012. Data on cascades and production taken from IAEA reports from

52 Phase III: Success…
[Chart: status of cascade units A24, A26, and A28 in August 2009 and August 2010. Legend: Operating with UF6; Under vacuum, but not operating; Idle, not under vacuum; Centrifuges disconnected. Annotations: Pilot unit, no major problems (A24); Can’t bring these new cascades into service; Serious problems starting late 2009; November-December 2009. Data source: IAEA Board Notes]

53 Phase III: Escape?
[Diagram from Symantec’s W32.Stuxnet Dossier: infection domains A through E]
- Symantec found versions in the wild dating back to three “waves”: June 2009, March 2010, April 2010
- Initially thought to be insertions into Natanz
- Now look like evidence of escape from Natanz
Diagram and data taken from Symantec’s Stuxnet Dossier, February 2011. Credit to Symantec, W32.Stuxnet Dossier, February 2011

54 Phase IV: Discovery and aftermath
Mid-2010: Public discovery
- June: Stuxnet found by VirusBlokAda
- July: Stuxnet characterized as a SCADA attack; intensive public forensics begin
- August: AEOI meets to discuss ramifications
- September: Symantec counts 100,000 global infections
- November: Iran begins to admit infection at Natanz
[Timeline, 2007 to 2012: Stuxnet compile/release data; Discovery]

55 How did Stuxnet get out of control?
“An error in the code… had led [Stuxnet] to spread to an engineer’s computer when it was hooked up to the centrifuges … We think there was a modification done by the Israelis and we don’t know if we were part of that activity.”
- Symantec’s data seems to indicate two versions in the wild by mid-2009
- Error persisted across multiple versions of the virus
- September 2010: 100,000 infections worldwide, counted by samples and callbacks to the same C&C servers
[Timeline, 2007 to 2012: Covert; Escape 1; Escapes 2 & 3; Data; 100,000 infections]
Quote from the New York Times article from 01 June 2012. Data from Symantec dossier.

56 Did the Iranians know?
- At least two years of suffering in silence
Post-Stuxnet:
- Barrage of press about Iranian cyber expertise
- Arrests of “nuclear spies,” October 2010
- Stars virus, April 2011
- DigiNotar compromise, September 2011
[Timeline, 2007 to 2012] What was going on?

57 Stuxnet’s sources for information
Cyber targeting:
- International Atomic Energy Agency (IAEA): no access to detailed information
- Computers at Natanz: no inbound Internet access
- Natanz engineers: low likelihood of chatter
- Passive methods: high security
Human targeting:
- People who built it: SCADA system vendor Siemens (less direct, less protected)
- People who own it: Atomic Energy Organization of Iran (AEOI)
- People who run it: most direct, highly protected
Humans certainly provided physical access to Natanz, and likely provided information as well.

58 Unintended consequences
Flame Duqu Stuxnet Gauss? What will they find next?

59 Unanswered question #1 Why did Stuxnet evolve?
- Wave 1, June 2009: AUTORUN.INF exploit requires human enablement
- Nov – Dec 2009: Iran starts dismantling centrifuges
- Waves 2 and 3, Mar – May 2010: encrypted payload; .LNK exploit needs no human enablement; signed, legitimate digital certificates
Could it be that…
- Wave 1 code had been found and removed?
- The Iranians were tightening network security?
- The attackers didn’t know whether Wave 1 was working?

60 Unanswered question #2 Did Stuxnet contain unused code?
- Sequences A (Vacon) and B (Fararo Paya), aka the 315 code, appeared operational
- To Symantec, Sequence C (the 417 code) was not functional: more sophisticated randomized effects = more clandestine; inactive due to a missing piece of code; not copied onto the PLC; possibly unfinished
- No agreement between experts that 417 was not operational
Data from Symantec.
But…
- Why launch with unnecessary code?
- Where would the missing activation code come from?
- Are there other variants out there that haven’t been found?

61 Stuxnet’s fatal flaw? Why didn’t Stuxnet have a better kill switch?
- Didn’t have enough information about the target network
- Didn’t have confidence in the seeding mechanism
- Forced by urgency or political pressure
- Underestimated human movements
- Assumed code would never be found

62 Summary
- Stuxnet relied on humans and technology. Hard targets can be penetrated by a combination of technical and human targeting. Strengthening SCADA perimeter security against cyber intrusion won’t necessarily protect a high-value facility.
- The Iranians unwittingly helped Stuxnet. Humans will defy common sense according to cultural factors.
- “Cyber covert action” is becoming an oxymoron. Partnering multiplies risk. The global hunt is on.

63 Duqu
Timeline: active since 2007; discovered September 2011 by CrySyS (Budapest University of Technology and Economics)
Targets: a variety of corporate targets in Iran, Sudan, India, Vietnam, Ukraine, Switzerland, France and the Netherlands
Tactics: Trojan; infostealer
Perpetrator: unknown; driver files similar or identical to Stuxnet (same missile, different warhead)
Effects: capable of stealing information about control systems, but no code to command a control system; no consensus about purpose or targets
Is this a SCADA attack?

64 Duqu, “Son of Stuxnet”
What it is: a trojan announced by Symantec on 20 October 2011
What it targets: Microsoft Windows
How it spreads: zero-day exploit in Microsoft Word documents
What it does: system profiler and info-stealer; exfiltrates data to C&C servers
Unspecified companies in France, Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Vietnam, UK, Austria, Hungary, Indonesia…
Who did it: no attribution to date
Why “Son of Stuxnet”? Methodology and portions of code identical to Stuxnet; effects and purpose appear different
Forensic data and credited diagrams taken from Symantec’s W32.Stuxnet Dossier, February 2011

65 Stuxnet and Duqu, side by side
(Stuxnet | Duqu)
- Earliest apparent creation date of virus: June 2009 | 2007
- Operational period: June 2009 – July 2010 | December 2010 through 17 October 2011; re-emergence in February 2012
- Variants: Four | Seven
- Propagation: Four zero-day exploits; LAN/thumb drive/etc; self-propagation | One zero-day (so far); no self-propagation
- Payload: Code for Siemens WinCC and PLCs; written in Microsoft Visual C++ | Infostealer, backdoor; written in a custom “Object Oriented C dialect”
- Command and control: Malaysia, Denmark; no activity observed | India, Belgium; active executable code transmitted via .JPGs and encrypted data
- Time limits: 3 offspring per infection; drop-dead in June 2012 | 8-day window; 36 days per infection; can be extended via downloaded files
- Digital certificates: JMicron and Realtek in Hsinchu City, Taiwan | C-Media Electronics in Taipei, Taiwan
- Intended targets: Natanz uranium enrichment facility | Unknown
Forensic data from “W32.Duqu: The precursor to the next Stuxnet”, version 1.2 (October 20, 2011), from Symantec and published on the Internet. Duqu propagation described in “Duqu Exploited ZeroDay Vulnerability in Microsoft Windows Kernel”, Eweek, 03 November 2011. Country targets identified in Agence France Presse, 03 Nov 2011, quoting Symantec. Info on payload coding is from March 2012. Some data from

66 Duqu versus Stuxnet
Same missile, different warhead.
How they are the same:
- Identical functionality in Duqu’s netp191.dll and Stuxnet’s oem7a.dll
- Duqu’s Jminet7.sys/smi4432.sys drivers are a “binary match to” Stuxnet’s mrxcls.sys
- Identical code in Duqu’s .zdata and Stuxnet’s .xdata
- Same processes hooked in ntdll.dll
- Same use of hashes/checksums to look up functions
- “Magic keys” such as “AE” in both
- Same startup processes and RPC logic
- Signed and unsigned versions of drivers; signed versions use a certificate from a Taiwanese firm
- Multiple variants over time
How Duqu is different:
- Exfiltrates data; not targeting control systems
- Infection vehicle is an MS Word document (so far)
- “Object Oriented C dialect” programming language
- Controlled propagation; active use of C&C to pass code; relies on the Internet for spread
- First samples compiled circa 2007; active as of March 2012
Similarities/differences taken from Symantec’s 20 October 2011 analysis. Additional info on Duqu Framework from

67 Duqu’s code
[Grid: stages Lands on PC, Establish, Spread, Infect, Implement. Cells in reading order: Microsoft Word vulnerability; Check OS version; Server Message Block (SMB); Method 1: Template .exe; Contact C&C; 8-day window in August 2011; Get admin privileges; Method 2: CreateProcessAsUser; Receive AES-encrypted data; Signed digital certificates; Decrypt and load files; Method 3: Use existing process; Install infostealer?; Resource 302 loads .zdata]

68 Duqu: The reality
- No code to target control systems
- Sets up backdoor access via Internet C&C
- No evidence of targeting of industrial control system companies
Most likely…
- Reuse of the “missile” by Stuxnet’s creators?
- Repurposing of the Stuxnet missile against other targets?

69 We are Post-Stuxnet.
- The Iranian nuke program is stronger than ever: productivity improved; technical hardening; cultural hardening
- U.S. critical infrastructure is slowly getting more secure: efforts to set up security standards; focus on strengthening inherent SCADA qualities, not introducing new protocols; perimeter security; defense-in-depth

70 We know we have problems.
[Diagram: the enterprise SCADA structure (Facility front office, Regional office, Corporate headquarters; Human-Machine Interface (HMI); Programmable Logic Controllers (PLC); Remote Terminal Units (RTU); valves, switches, and sensors) annotated with the share of vulnerabilities found at each level]
- Level 4: Enterprise systems: 11%
- Level 3: Operations management: 16%
- Level 2: Supervisory control: 53%
- Level 1: Local or basic control: 20%
- Level 0: Process equipment: 0%
Source: DHS Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011, page 22

71 Cybersecurity: Forcing change
- Vulnerability disclosures: “amateurs” describing hundreds of flaws/quirks in hardware and software
- Community activism: Digital Bond’s “Project Basecamp”; release of Metasploit modules for exploitation of several major control system types
- Ralph Langner’s insight: design flaws versus vulnerabilities

72 Cybersecurity: The scary stuff
Looking for “Son of Stuxnet”:
- Command and control of SCADA
- Penetration of SCADA without command and control
- Attempts to penetrate SCADA
- Exfiltration of data from within SCADA
- Theft of SCADA data from operator’s corporate network
- Theft of proprietary non-SCADA data from operators
- Theft of proprietary non-SCADA customer data from vendors
- Theft of proprietary SCADA product data from vendors
- Run-of-the-mill pings against all of the above

73 Looking for Son of Stuxnet
[Chart: malign intent against severity, grouped as Exploration, Targeting, and Operation, with SCADAland marked. Items: Exfiltration of data from within SCADA; Command and control of SCADA; Theft of SCADA data from operator’s corporate network; Penetration of SCADA without command and control; Theft of proprietary non-SCADA customer data from vendor; Theft of proprietary non-SCADA data from operator; Attempts to penetrate SCADA; Theft of proprietary SCADA product data from vendor; Run-of-the-mill pings against corporate networks]

74 Here’s what Ralph Langner thinks
Ralph Langner, interviewed by the Christian Science Monitor, 24 September 2011.
Ralph says: “‘Son of Stuxnet’ is a misnomer. What’s really worrying are the concepts that Stuxnet gives hackers… Before, a Stuxnet-type attack could have been created by maybe five people. Now it’s more like 500 who could do this.”
My take on it is: Missile/warhead structure; code is available to the public; extensive public forensics by respected IT firms; methodology is on display.
Ralph says: “You just have to know how to copy parts of [Stuxnet]. After that, you just need a little more knowledge to make a simple but effective digital dirty bomb.”
My take on it is: “A little more knowledge”? Access and expertise.
Ralph says: “What you still hear today from all kinds of people is how a Stuxnet-type attack requires so much insider knowledge. I finally had to publish a [simple and damaging] attack just to make sure no smart-guy tells his boss that this is impossible.”
My take on it is: Sustained clandestine attack requires significant expertise. Brute attack does not, but how effective would it be? Terrorists and criminals may not need a predictable outcome to be successful.

75 Things to think about
- What is a SCADA attack? Is it the target? Is it the intention?
- Was Stuxnet a successful operation? How do you define success?
- What will Son of Stuxnet be? How will this operation be used against us?

76 Why human culture matters
[Chart: low security culture, “normal” security culture, high security culture]
- Low security culture: more opportunity to do damage before you are detected
- High security culture: quicker detection means you can’t stay below the radar for long

