Iran had a fallout problem at two nuclear facilities last July, but it wasn't radiation that leaked. Rather, after the plants' computer systems were infected with a worm, later dubbed Stuxnet, the fallout took the form of a dramatic shift in what cyberattackers are capable of and in how defenders must respond.
This was clearly the opening salvo in what many suspect could be a new strategy in attacking an enemy. The worm, according to a Symantec report, exploited four zero-day vulnerabilities, compromised two digital certificates and injected code into the programmable logic controllers, or PLCs, of industrial control systems used to manage industrial environments – such as power plants, oil refineries and gas pipelines. The malware relayed instructions to the physical machinery that literally made the equipment blow a gasket.
Iranian scientists at a uranium processing center in Natanz and a nuclear reactor in Bushehr quickly replaced centrifuge machines that were affected by the worm – so actual disruption of their low-enriched uranium production was limited – but the cyberattack has put the global security community on notice that enterprise and government infrastructure is susceptible to a similar infection, one that could cripple the computer systems that control physical facilities.
"Stuxnet has changed our jobs entirely," says Kevin Rowney, founder of the data leakage prevention division at Symantec. "How could it be more clear?" Panic is not necessary at this time, but security does need to be re-evaluated, he says.
Certainly with the arrival of Aurora, a cyberattack that reached into the networks of Google and 30 other large corporations, Stuxnet and disclosures by WikiLeaks, it has been an "off-the-hook" year, says Rowney, who is also director of the breach response team at Symantec. "How fast things have progressed."
One concrete result is that executives are more in sync with reality, he says. Board members are asking questions of security teams and executives are paying attention. Further, these major events have been covered in the business press in a way that makes an impact on people who don't necessarily have a technology background, he says.
"The urgency around this was quite clear," Rowney says. "A lot of parties were infected. It is on everybody's mind."
Stuxnet pointed out that it is not technology that is required to safeguard systems, but placing emphasis on policies and procedures, says Amichai Shulman, CTO at Imperva, a Redwood Shores, Calif.-based data security vendor. Stuxnet was successful because the code was distributed using USB sticks or key fobs, probably giveaways at some event, he says. These were then inserted carelessly into protected networks, which unleashed the bug.
"So, Stuxnet was distributed from inside," he says. The single most important lesson we can take from this experience and its consequences, he adds, is that we cannot completely obliterate this behavior.
"What I see is organizations trying to forbid access to keys and USB sticks across the entire network," Shulman says. "This is bound to fail because there are some areas where employees need to use USB sticks and other external devices."
Organizations must create safe environments for a few workstations that involve SCADA and deploy solutions, he advises. The general rule is that the easiest way to attack SCADA systems is not through control systems, as occurred with the Stuxnet attack, but through a management system, which is built on standard technologies, like Java, and is likely connected with the internet. These are usually more complex and powerful than the controllers behind them, but since they are connected to the internet they are susceptible to malware attack, particularly of a mobile nature, he says.
And this bodes ill for the future, he warns, as more and more mobile devices, such as iPhones, are brought into the enterprise environment. In the near future, he expects some sort of iPhone app infected with malware to attack management systems. "This backdoor can allow an attacker to take down or tamper with a management system," he says.
This is likely to happen because these management platforms are often not custom made, but commercially available products, so attackers can prepare in advance.
Shulman says that rather than focusing efforts on protecting the control systems in SCADA networks, as he has seen in some government entities, it would be better to beef up security around management systems, using the same tools and techniques used to protect web-facing applications. IT professionals should consider everything outside of the SCADA network to be hostile. To protect the power grid, isolate the SCADA management network away from other functions, such as HR, finance and transportation, he says.
But, this might not be enough as the SCADA systems in Iran were protected well by most standards, says Charlie Miller, principal analyst of software security at Independent Security Evaluators, a security consulting firm. They ran on an isolated (non-internet-connected) network that consisted of fully patched Windows computers running up-to-date anti-virus.
"This is really all you could hope for in these critical infrastructures," he says. But, he agrees that someone can always walk in with a USB stick with a worm packed with zero-day exploits.
This is how computer security has been since the beginning, he adds, although people tended to ignore it since most networks were susceptible to old, easily detectable attacks. "We are only now trying to think of ways to defend against zero-day attacks, such as the one here or the one used in Aurora."
And, he says, there aren't great solutions available to defenders at this moment. It is hard to defend against the unknown, he says, as most networks cannot even defend against known attacks, much less unknown ones.
Others agree. Stuxnet was definitely a game-changer in terms of what it could do, says David Kennedy, director of information security at Diebold, a security integrator that provides protection and detection solutions. "What it showed was that our current ways of thinking about security are flawed."
The fact that the intrusion happened from the inside points out that hackers are bypassing traditional defenses, he says. "Stuxnet should have been detected."
He says enough anomalous traffic on the system should have alerted somebody. "We can't treat the internal environment as a safe haven anymore," Kennedy says. "Internal users are untrusted now."
One problem he points to is the fact that employees are not up to speed on security concerns, singling out the USB stick situation. "We've built a world where everyone has access to everything," he says. "Currently, there is a ton of communication between the corporate network and internal SCADA systems. This has to stop," he says.
The way to prevent infection is to first identify what is considered absolutely critical and then to isolate that system. "We need to look at critical infrastructure and put controls around it," Kennedy says.
Education is a critical component as well, as is being able to detect anomalies. "We need a comprehensive security program with access management to minimize the impact of attacks," he says. "Network access control is essential in a full defense-in-depth approach, so there are layers in place."
Attackers are using common techniques for exploiting weaknesses, he adds. "We need to harden systems to stop intrusions or at the least alert us."
Still, the complexity of infrastructure systems invites any number of exploits that, experts say, can only be thwarted by staying on top of the latest threat intelligence. Attackers are constantly changing and adapting, so the best defense is one that is dynamic and flexible, says Don Jackson, director of threat intelligence at Dell SecureWorks. His recommendation is that those responsible for building and managing critical infrastructure systems employ the services of objective security professionals to continuously refine threat models by incorporating data from the latest incidents and intelligence on emerging threats.
"These threat models are used to assess the effectiveness of security in the context of modern threats," says Jackson. "That is, assessments need to take into account new information learned about the financial resourcefulness, technical sophistication, determination and the impact of threat agents such as those behind Stuxnet." Those assessments inform funding and policy regarding critical infrastructure protection, and the success of Stuxnet indicates that current approaches are inadequate, Jackson says.
New approaches need to account for well-funded international groups with expert-level domain knowledge and access to zero-day exploits, he says. "Findings may dictate shifting focus away from patching known vulnerabilities and reliance on system isolation and toward developing whitelist approaches for code packages, integrity controls and anomaly detection features that operate at supervisory layers, operating systems that have smaller attack surfaces, and security models that are more strict about access to process memory and the kernel." These are some of the measures that could be requirements in the secure system development lifecycle (SDLC) approaches to next-generation systems like those used to build the smart grid, Jackson says.
However, he warns, issues found in existing systems will require that systems be reconfigured or new controls be bolted on. Obviously, even simple issues – such as allowing USB devices to be connected – need to be revisited, he says.
"The public hears that critical systems are safe in large part because they are 'air-gapped,' or not connected to other systems or networks like the internet," Jackson says. "However, U.S. Office of Management and Budget (OMB) reports and analysis of the Stuxnet worm tell us otherwise. We need to recognize that these systems are not air-gapped in practice and deploy controls accordingly. USB drives and CD-ROMs are often used to update systems that are supposed to be air-gapped. Using USB drives and CDs is how Stuxnet spreads."
It is important to keep these SCADA systems updated, and there are advantages in linking them with some other systems for monitoring and centralized control, but these require deploying security measures accordingly, Jackson says. "We can't afford to justify lack of investment in state-of-the-art controls under the myth that these systems are sufficiently isolated from threat agents like those behind Stuxnet."
To fight against zero-days, strong edge policies are needed to make it harder to access the target networks, and strict whitelisting is required inside those target networks, says Eric Knapp, director of critical infrastructure markets at NitroSecurity. "Most importantly, because no single defense is good enough, situational awareness is required from start to finish."
The problem, he explains, is that most information security products aren't suitable to protect or to monitor the target network, which in this case is an industrial automation network using specialized protocols and applications.
"We've always hardened the entry points into SCADA and internet connection sharing (ICS) networks by securing the enterprise network that contains them, while leaving those critical networks relatively unprotected from the inside," he says, adding that this approach isn't good enough anymore. "The control systems have to be as hard if not harder to breach – a defense-in-depth strategy comprising elements including specialized ICS firewalls, and compatible network and application whitelisters."
But it's not just technology that will thwart intrusions, it will also take new approaches. More questions should be asked about the critical systems and their networks, says Michael Sconzo, principal security consultant at NetWitness. He believes that through the exercise of asking more questions the capability to analyze system behavior, baseline and anomalies will be developed.
"Gaining a better understanding of the critical systems and the networks and systems surrounding them is crucial for detecting new and unknown threats, as well as the impact that these threats can have," Sconzo says. "Having continued conversations between process control experts and security experts is also a necessary step. Vendors should also be engaged to develop in-house security programs to ensure that their devices are resilient to attack."
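Kennedy's point that corporate-to-SCADA traffic has to stop, and Sconzo's point that defenders need a baseline of system behavior before they can spot anomalies, both come down to the same mechanism: record which hosts normally talk to which, then flag what breaks the pattern. The script below is an added example, not code from the article or from any vendor named in it; the 10.10.0.0/24 control network, the 10.20.0.0/16 corporate network and every flow record are constructed for illustration, and in practice the flow records would come from a passive tap or span port rather than a list.

```python
"""Learn which host pairs normally talk on a control network, then flag
flows that break that baseline. Added example, not from the article or any
vendor named in it; all addresses and flow records below are constructed."""
from ipaddress import ip_address, ip_network

# Assumed (constructed) network layout.
CONTROL_NET = ip_network("10.10.0.0/24")   # PLCs, HMIs, engineering stations
CORP_NET = ip_network("10.20.0.0/16")      # HR, finance, other corporate hosts

# Constructed flow records (src, dst, dst_port) captured passively during a
# learning window in which the process was known to be operating normally.
BASELINE_FLOWS = [
    ("10.10.0.5", "10.10.0.20", 502),    # HMI -> PLC, Modbus/TCP
    ("10.10.0.5", "10.10.0.21", 502),
    ("10.10.0.6", "10.10.0.20", 502),
    ("10.10.0.6", "10.10.0.20", 502),    # repeats are normal; the set collapses them
    ("10.10.0.7", "10.10.0.5", 3389),    # engineering station -> HMI, RDP
]

# Constructed flows observed after the learning window.
OBSERVED_FLOWS = [
    ("10.10.0.5", "10.10.0.20", 502),        # known, fine
    ("10.20.3.44", "10.10.0.20", 502),       # corporate host talking Modbus to a PLC
    ("10.10.0.21", "203.0.113.10", 443),     # PLC opening an outbound TLS session
    ("10.10.0.7", "10.10.0.21", 502),        # new pair inside the control net
]


def learn_baseline(flows):
    """The baseline is simply the set of distinct (src, dst, port) tuples seen."""
    return set(flows)


def classify(flow, baseline):
    """Label one flow relative to the baseline and the network layout."""
    if flow in baseline:
        return "known"
    src, dst, _port = flow
    s, d = ip_address(src), ip_address(dst)
    if d in CONTROL_NET and s not in CONTROL_NET:
        # Anything outside the control net reaching a control asset is the
        # corporate-to-SCADA traffic the article says has to stop.
        origin = "corporate" if s in CORP_NET else "external"
        return f"alert:{origin}-to-control"
    if s in CONTROL_NET and d not in CONTROL_NET:
        # A PLC or HMI initiating traffic out of the control net is either a
        # misconfiguration or a sign the "air gap" is not one in practice.
        return "alert:control-to-external"
    # A new pairing between two control-net hosts: worth review, since it is
    # either a new engineering workstation or a lateral move.
    return "review:new-internal-pair"


def analyze(observed, baseline):
    """Return {flow: label} for every observed flow."""
    return {flow: classify(flow, baseline) for flow in observed}


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for flow, label in analyze(OBSERVED_FLOWS, baseline).items():
        print(f"{label:28s} {flow[0]} -> {flow[1]}:{flow[2]}")
```

The baseline is deliberately a plain set of tuples: on a control network the legitimate traffic matrix is small and stable, so an exact-match allowlist of host pairs is both feasible and easier to reason about than a statistical model, and every flow that falls outside it is small enough in number to be reviewed by a person.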
Lessons from Stuxnet
Few would argue that traditional security strategies are sufficient in a post-Stuxnet world. Stuxnet should have taught security professionals many things, says Michael Assante, president and CEO of the National Board of Information Security Examiners (NBISE), a nonprofit that develops examinations and certification requirements. "One important realization is that the perimeter protection model used to protect critical systems is more aligned with cyberthreats of yesterday and is most effective against less directed and intelligent types of cyberattacks. There are significant issues – such as how easy it is to inject code on controllers – that are not being directly addressed."
Another important lesson, he says, is that any attempt to regulate or manage these types of risks through standards needs to think through not only what to require, but the implications of how they are to be implemented and enforced. "Stuxnet shows us that we must value learning, and find ways to allow critical system owners to maintain flexibility and be innovative if we hope to best manage the risk represented by an intelligent and adaptive set of cyber actors," Assante says.
Stuxnet also demonstrates the need to address security and resilience at the design and building stage, says Assante, former CSO at the North American Electric Reliability Corp. (NERC), which works to ensure the reliability of the bulk power system in North America. "We can't continue to look solely toward owners and operators and expect to bolt on security to manage risk around difficult-to-secure technology."
There are a number of initiatives that need to gain a broader acceptance to significantly improve the security and resilience of SCADA systems and industrial networks, Assante says. It is important that progress be made on all fronts that include technology, people and process/practice. "Asset owners and operators need to continue to use procurement specifications to demand the removal of weak system architectures and designs and enhance the security delivered by product vendors," he says. "We must better develop and equip the workforce at operating entities to detect more sophisticated threats, learn, adapt and enhance their protection strategies. Finally, we need to update our process to assess and manage security risk by infusing current ground truth about how adversaries compromise systems."
Meanwhile, legislation may help fundamentally change the regulatory structure around critical infrastructure protection, he says. "The key will be balance. Incentives are not the entire answer, neither is prescriptive regulation."
While at NERC, Assante raised the profile and priority of the issue within the electric industry, all the way up to the CEO level. A very important effort, he says, was to bring together system operators, planners and protection specialists with a strong understanding of the unique challenges and risk that comes with cyber.
"I believe my most important contribution was to underscore the importance of identifying what needs additional protection by considering how an attacker can misuse technology and assets to damage components and disrupt the system," he says.
He also worked with others to launch an effort to consider the research and engineering challenges in how to design, configure and operate the smart grid's systems and components in a manner that prevents an adverse cyber-physical event – whether accidental or malicious in origin – from having a catastrophic impact on the grid and on society at large. He says he also worked to implement a set of baseline standards that, at a minimum, were the source of a lot of learning and dialog.
New threat actor
Partnerships are key to developing effective strategies. NERC published an alert starting a much-needed conversation with industry, says Tim Roxey, manager of critical infrastructure risk analysis and technology at the nonprofit. "It is NERC's intent to continue this discussion with industry to ensure that remaining issues are addressed," he says, adding that partnerships between NERC and government players are also critical to furthering security of the bulk power system.
While the creators behind the Stuxnet attack have yet to be conclusively identified, it is widely speculated the attack originated in Israel, the United States, or perhaps both nations. Yet, cyber gangs – such as those that initiated Stuxnet – whether independent groups or nation-states, are simply another threat actor, Roxey says. "Gangs can sometimes look for commercial gain, such as the exfiltration of valuable data or malicious actions intended to disable the systems," he says. "As such, a cyber gang is very much like other threat actors, just with a different name. SCADA security actually strives to clearly protect the pathways and attack surfaces of the network against all of the various threat actors, not just those called gangs."
In just one example, NERC is working with the vendor community through the Department of Homeland Security's Industrial Control Systems Joint Working Group (DHS ICSJWG), Roxey explains. NERC is also working with the National Institute of Standards and Technology (NIST), the federal technology agency that fosters technology, measurements and standards, and the Department of Energy (DOE) on developing further security guidelines.
"Today, the cyber threats need to be deflected by use of proper access authentication, authorization and intrusion detection systems besides the anti-virus, firewalls, software patch management and sound auditing processes for compliance purposes," says Ajay Jain, president and CEO of Quantum Secure, a vendor of physical identity and access management solutions protecting critical infrastructure.
Equally important is the physical protection of the cyber assets, which includes proper authentication and authorization of employees, contractors, third parties and visitors accessing these critical cyber assets, Jain says. A risk- and policy-based access mechanism in place, including multifactor authentication and a proper/systematic access revocation process, will ensure compliance to NERC regulations and protection from untoward incidents, he says. "A continuous, real-time security assessment, including auditing and logging of physical and cyber accesses, compliance to NERC policies and configuration changes/management in an executive dashboard is needed to eradicate vulnerabilities and to increase an overall risk posture of an organization."
NitroSecurity's Knapp adds he sees policy-makers running full throttle to protect SCADA and other infrastructure systems. "In direct reaction to Stuxnet, I've observed two heartening trends," he says, "First, the industrial network owners are taking security much more seriously than they were, and are thinking about security best practices in addition to compliance audits. Second, a new breed of security vendors are developing products designed to actively protect industrial networks inside of the control systems."
Additionally, he points out that new application whitelisting products can lock down high-risk hosts against zero-day attacks. "Prior to this, there were only a handful of readily available, and therefore easily evaded, SCADA signatures," he says. "Now, there's a growing arsenal. And defense-in-depth needs to, and can, become a reality in control systems."
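Jackson's "whitelist approaches for code packages, integrity controls" and Knapp's application whitelisting products both rest on one idea: enumerate the executables a control-system host is supposed to run, record a cryptographic digest of each, and treat anything new or changed as a finding. The script below is an added example of that check, not code from the article, from NitroSecurity or from any other vendor it names; it builds a small host image in a temporary directory so it runs offline, and the file names and contents are constructed. A real deployment would sign the baseline, store it off the host and enforce (not just report) on it.

```python
"""Hash-based application allowlist / integrity check for a control-system
host. Added example, not from the article or from any vendor it names; the
host image is constructed in a temporary directory so the script runs offline."""
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _executables(root):
    """Yield (relative_path, absolute_path) for every executable under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_allowlist(root):
    """Baseline a known-good host: map each executable's path to its digest."""
    return {rel: sha256_file(full) for rel, full in _executables(root)}


def check_host(root, allowlist):
    """Compare the host against the baseline. Returns a sorted list of
    (finding, path): 'unknown' = executable not in the baseline,
    'modified' = digest changed, 'missing' = baselined file is gone."""
    findings = []
    seen = set()
    for rel, full in _executables(root):
        seen.add(rel)
        if rel not in allowlist:
            findings.append(("unknown", rel))
        elif allowlist[rel] != sha256_file(full):
            findings.append(("modified", rel))
    findings.extend(("missing", rel) for rel in allowlist if rel not in seen)
    return sorted(findings)


def _write(root, rel, data):
    """Helper for the constructed host image."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed host image, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/hmi.exe", b"constructed HMI binary v1")
        _write(root, "drivers/plc.sys", b"constructed PLC driver")
        _write(root, "logs/today.log", b"not executable, ignored")
        allowlist = build_allowlist(root)
        clean = check_host(root, allowlist)

        # Simulate what a worm or an unapproved patch leaves behind.
        _write(root, "drivers/plc.sys", b"constructed PLC driver, patched in place")
        _write(root, "bin/update.exe", b"constructed unexpected binary")
        os.remove(os.path.join(root, "bin", "hmi.exe"))
        dirty = check_host(root, allowlist)
        return allowlist, clean, dirty


if __name__ == "__main__":
    allowlist, clean, dirty = demo()
    print("baselined:", sorted(allowlist))
    print("clean host:", clean)
    print("tampered host:", dirty)
```

Because a control-system host's software set changes rarely, an exact digest allowlist produces almost no noise, which is what makes it workable against code that no signature has seen before: a driver replaced in place shows up as "modified" regardless of what the new bytes are.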
NetWitness' Sconzo says companies are beginning to remove the low-hanging fruit and raising the bar that an attacker must hurdle to gain access to process control networks. "Good security processes and controls are beginning to be adopted by organizations that genuinely care about keeping systems in a reliable state," he says. "The trend of creating new and maturing existing security operations programs is also encouraging." This includes the adoption of new monitoring technologies and new analysis methodologies as well as reinvestment in current control, he says.
Following Stuxnet, Quantum Secure's Jain sees that effective risk mitigation will come from unifying physical and logical cyber threats in real time, with the ability to correlate data and systems together. "Many of the incidents/events are non-threatening within each domain, but become critical when correlated across multiple domains," he says, citing as an example a login attempt made to a SCADA system by an identity that is not badged into the building where the SCADA system resides. These two events, taken separately, do not cause alarm, but when correlated together they create a valid alarm and detect the intrusion in real time.
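The badge-versus-login correlation Jain describes is small enough to show end to end. The script below is an added example, not code from the article or from Quantum Secure; the badge-reader and SCADA login events are constructed, and it assumes the badge system and the SCADA hosts identify people by the same account name (a real deployment would map badge IDs to accounts through the identity system first).

```python
"""Correlate SCADA logins with physical badge records: a login by someone
the badge system does not show inside the building is escalated. Added
example, not from the article or from Quantum Secure; all events below are
constructed."""
from datetime import datetime

# Constructed badge-reader events: (timestamp, person, event, site).
BADGE_EVENTS = [
    ("2010-11-03T07:55:00", "jdoe", "badge_in", "plant-A"),
    ("2010-11-03T08:02:00", "asmith", "badge_in", "plant-A"),
    ("2010-11-03T12:10:00", "jdoe", "badge_out", "plant-A"),
]

# Constructed SCADA authentication events: (timestamp, account, host, site).
LOGIN_EVENTS = [
    ("2010-11-03T08:15:00", "jdoe", "hmi-01", "plant-A"),    # badged in: fine
    ("2010-11-03T13:30:00", "jdoe", "hmi-01", "plant-A"),    # badged out at 12:10
    ("2010-11-03T09:00:00", "bwayne", "hmi-02", "plant-A"),  # no badge record at all
    ("2010-11-03T08:30:00", "asmith", "hmi-02", "plant-A"),  # badged in: fine
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def present_at(badge_events, person, site, when):
    """True if the most recent badge event for this person at this site,
    at or before `when`, is a badge_in. No record at all means not present."""
    state = None
    for ts, who, kind, where in sorted(badge_events):   # ISO strings sort chronologically
        if who == person and where == site and parse_ts(ts) <= when:
            state = kind
    return state == "badge_in"


def correlate(badge_events, login_events):
    """Return one alert per login whose account has no matching physical presence."""
    alerts = []
    for ts, account, host, site in login_events:
        if not present_at(badge_events, account, site, parse_ts(ts)):
            alerts.append({"time": ts, "account": account, "host": host, "site": site,
                           "reason": "SCADA login without badge-in at this site"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_EVENTS, LOGIN_EVENTS):
        print(alert)
```

Neither event stream is suspicious on its own: every login uses a valid account, and every badge swipe is by an authorized person. The alert comes entirely from the join, which is the point Jain is making about events that are benign within one domain and critical across two.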
Dell SecureWorks' Jackson adds that part of the collaboration between NERC, NIST and the DOE is a research partnership established to attract the best security talent and bring their considerable intellectual capital to bear on the security issues facing today's and tomorrow's infrastructure initiatives.
While this investment will take time to pay off, critical infrastructure operators are already turning to security companies to reassess their systems' security using threat models based on the latest intelligence regarding vulnerabilities, new attack methods and more sophisticated, well-funded threat agents, says Jackson.
"SCADA networks and control systems often share the same technologies and look deceptively similar to traditional IP network counterparts," he says. "While some security expertise can be applied to both, these security companies will often focus intelligence efforts on areas specific to control systems. Sources may include specialized research groups or government organizations, like the U.S. Industrial Control Systems Computer Emergency and Readiness Team (ICS-CERT). The security companies then provide security services that integrate this threat intelligence into part of a dynamic defensive strategy, working as partners with operators to implement this strategy in their specific corporate, industry, and regulatory environments."
Copycat attacks to follow
But perhaps the biggest impact from Stuxnet is yet to come. It is the descendants of the worm that are causing concern for a lot of security personnel.
"Even if they can't get hold of sample code from Stuxnet, it helps ill-intentioned people understand which threat vectors are vulnerable," says Symantec's Rowney.
A version of the code was among a cache of emails that the Anonymous hacking group stole from HBGary, a security company that was allegedly studying the threat. Though this easier-to-read "study" version is a reduction of the original binary code, experts contend there is enough there to supply miscreants with a foundation on which to build copycat attacks. Some expect these to occur within weeks.
And just where the next attack may come from or who it may target is anyone's guess. Symantec's Rowney also points to the fact that Stuxnet was clearly written with a disciplined approach that likely took six to 10 coders working for six months to produce. "It doesn't sound like hackers in a basement or an Eastern European cyber gang," he says. "This sounds like nation-state."
As far as the aftermath of Stuxnet, Diebold's Kennedy says it's been coming for a long time. It really hasn't made a significant change other than bolstering the argument for stronger security and increasing security budgets, he says.
Rowney hopes nothing like Stuxnet is seen again. But, he admits, it is hard to rule anything out. "The stakes are entirely raised," he says.
• Stuxnet was a targeted attack on five different organizations.
• 12,000 infections can be traced back to these five organizations.
• Three organizations were targeted once, one was targeted twice, and another was targeted three times.
• Organizations were targeted in June 2009, July 2009, March 2010, April 2010, and May 2010.
• All targeted organizations have a presence in Iran.
• Three variants exist (June 2009, April 2010, March 2010) and a fourth variant likely exists but has never been recovered.
Symantec hosted a gathering at its Mountain View, Calif., headquarters following the Stuxnet disclosure to conduct an open dialog about the worm's effects. The rough consensus among the CISOs of utilities, large financial institutions and other major enterprises in attendance:
• Leverage reputation-based detection techniques.
• Take advantage of managed security services.
• Implement and enforce device control policies.
• Install, and if necessary lobby for the ability to install, host-based intrusion prevention systems.
• Ensure your tempo of software certificate revocation updating is appropriate.
• Use endpoint management software to ensure adequate patching procedures.
• Capitalize on effective data loss prevention solutions.
• Where able, employ automated compliance monitoring to root out default password use.
To defend U.S. SCADA and other infrastructure systems from infection or attack, security technologies alone are not the entire picture. Educating workers as well as adhering to policies is also key.
• Install access controls, such as firewalls, between all levels in SCADA networks. Currently, many manufacturers make them desirable, not mandatory.
• Install intrusion monitoring systems on all IP-based segments. Block where possible, but acknowledge that blocking and SCADA networks do not make good bedfellows.
• Add other awareness technologies, such as network behavior monitoring, asset and service discovery. It is important to choose technologies that are passive in nature, as scans can crash SCADA systems.
• Educate users on the dangers of USB devices. Do not use USB sticks on any SCADA control system or attempt to charge smartphones from USB ports (they look like USB sticks to the computer). Suggest organizations fit locks to the USB ports or fill them with hot glue to render them unusable.
• Do not fall into the trap of thinking that your controller is rare and therefore not likely to be owned by an attacker. In the age of virtual machines and advanced persistent threats, this is simply not true.
• Do not assume your SCADA network is not connected to the internet. If you don't think it is, you are probably wrong. Look especially for Global System for Mobile Communications (GSM)/cell network connections (often 'helpful' support connections by vendors).
– Dominic Storey, technical director for EMEA, Sourcefire