Critical infrastructure protection has grabbed a lot of headlines lately, but talk about weaponized exploits targeting these areas has been mostly academic.
Stuxnet first surfaced in the middle of last month, and since then it has been spreading fast — with some estimates indicating as many as 9,000 infection attempts per day.
It also is the first instance of an attack that specifically targets one of our nation’s critical infrastructures, throwing much of the information security industry into a frenzy. One reason is that, although German engineering company Siemens has effectively responded to the issue and delivered a tool for the detection and removal of Stuxnet, the attack is seen by many as a shot over the bow of the bulk energy systems, a potential strike in the elusive campaigns of cyberwar.
It is not fully understood yet what the full effects of Stuxnet will be, but one thing is certain: Whether it is a targeted attack or not, it is at the very least a proof-of-concept that such an attack can occur.
Stuxnet is an interesting and worrisome attack for a few reasons.
First, it is sophisticated, utilizing a zero-day exploit (CVE-2010-2568) as a delivery mechanism. Second, it is targeted, focusing on specific Siemens process control devices. And finally, it uses a known (but not widely known) default password within those Siemens systems, which indicates that the attacker understands that target extremely well.
The first two, on their own, aren’t anything new. There always will be zero-days, and almost anything can be targeted, for almost any reason. An outside threat that understands the inner workings of a control system, however, is new—and it is fundamental in the consideration of Stuxnet and the true threat that it represents.
Historically, SCADA (supervisory control and data acquisition) and DCS (distributed control systems) have been extremely isolated physically, digitally, and intellectually — but this isolation is rapidly deteriorating as business and control system become increasingly interconnected.
Stuxnet uses a default password used to connect WinCC and STEP 7 programs to the STIXINT database. You simply can’t walk down to Fry’s Home Electronics, buy a Siemens control system and hack it until you find some internal default account to exploit. You also can’t access someone else’s control system to do that same reconnaissance, at least not easily, as these systems are — or should be — completely isolated from the internet. Right?
The problem is that these systems are built for reliability, first and foremost, and that means products are designed to have life spans measured in decades.
It is for this reason that many such systems are replete with what most IT professionals would classify as “legacy” equipment, and most IS professionals would label as “vulnerable.” This includes a variety of “dumb” line controllers and other devices that lack internal security monitoring or logging, many of which still operate serially (and some of those have been upgraded to operate serially over TCP/IP, using relatively insecure protocols such as Modbus or DNP3).
You simply can’t take a critical asset offline for an upgrade, or to apply a patch, so even the best efforts of control system vendors can sometimes go unimplemented. Everything’s structured, and there are a myriad of dependencies among assets that ensure everything works as intended to reliably deliver energy, or pump water, or manufacture a vaccine.
This is the heart of the issue, and it is a blessing and a curse all in one. Simply put, SCADA and DCS systems that run our nation’s critical infrastructures are predictable.
The really good news is that this predictability is also one of its strengths. What security operations analyst wouldn’t love to have a reliable and dependable baseline of normal activity?
Unlike the average enterprise network, which is a free fire zone of sometimes near-random activity, control systems accurately can be defined and baselined. Armed with that, any variation of activity — a sudden increase in traffic on a certain segment, or a new user logging into a system for the first time, or a file seen in use where it isn’t expected — can be considered suspect, and because very little happens that is out of the ordinary, those suspect events are manageable.
If anyone ever doubted the intentions of NERC CIP, and the massive amounts of documentation and logging that it requires, it is time to embrace the truth that knowledge is power.
Working with definable baselines is one thing: Understanding the policies, procedures, assets and enclaves within your network allows you to do something even more powerful. Having gone through the process of documenting users, you can monitor user activity, and look for accounts that aren’t documented. Identifying critical assets, and which other cyber assets are (or aren’t) allowed to communicate with them, allows you to look for invalid network communication paths.
Understanding which applications are allowed makes it easy to spot unwanted activity, and understanding how authorized applications are supposed to operate lets you look for the more subtle threats — like Stuxnet — that are using legitimate application calls in illegitimate ways.