
Stuxnet worm shows critical infrastructure attacks no longer just Hollywood hype

Recent revelations about the wide-scale and targeted Stuxnet worm attack directed at a nuclear power plant in Iran should raise red flags to all IT security professionals and managers of critical infrastructure facilities, such as power plants, air traffic control sites and government agencies, around the world.

For years, there have been many Jason Bourne or Mission Impossible-type movies and best-selling novels centered around rogue hackers, fringe government operatives and assorted bad guys finding a way to break into a government facility, financial institution or a power company and shutting down the network, disrupting service or removing some secret information.

In fact, the plot of the movie Ocean's Eleven centered around George Clooney, Brad Pitt and others knocking out the power in Las Vegas so they could rob a casino.

Until the Stuxnet worm came to light, these types of attacks were more Hollywood fantasy than cyber reality. Now, the game has changed and the Stuxnet worm is bringing up important IT security issues that need to be addressed.

Media reports indicate that during the first week of October, Iranian officials acknowledged that the Stuxnet worm infected at least 30,000 Windows PCs in the country, among them some used by workers at the Bushehr nuclear power plant.

Example of an advanced persistent threat

We've been hearing a lot lately about advanced persistent threats (APTs). What are they? Are they really anything different than the malware and viruses we've seen for decades?

They are, and the Stuxnet worm flooding the news is a perfect example why.

First off, Stuxnet is advanced. Very advanced. It exploits four zero-day vulnerabilities, carries two different valid (stolen) code-signing certificates, and contains dozens of encrypted code blocks. It uses a rootkit to hide itself, peer-to-peer capabilities for remote command and control, and alters its behavior according to the system it infects. By exploiting a vulnerability in the Windows Shell, it infects a machine as soon as a user simply views its files in Explorer.

Secondly, it is a targeted attack. Unlike common worms and malware, its goal is not to spread everywhere or to anyone. It was designed specifically to target SCADA (supervisory control and data acquisition) systems, or industrial control systems, like those used in power plants and other critical infrastructure locations. Among other behaviors, it is designed to reprogram the PLCs (programmable logic controllers) used in these systems.

The advanced nature of the worm, along with its very specific targets, helped Stuxnet elude detection for months, perhaps even a year. Targeted attacks often fly below the radar of the major antivirus security vendors.

A new weapon of mass destruction

Lastly, most experts agree, the Stuxnet worm is the work of organized, and quite likely state-sponsored, professionals.

Its creation required detailed knowledge of the SCADA systems being targeted, it was written in multiple languages, and it rivals many commercial applications in both complexity and stability. (It is hard to perform all of the work Stuxnet does without crashing or destabilizing a system and thereby risking detection.)

At nearly 500 kilobytes in size, it is notably larger than most malicious worms we've seen. These observations suggest that a team of engineers developed Stuxnet over a significant period of time – something that requires commitment and more importantly, money.

Aside from being more advanced than traditional attacks, it is different in motivation (purpose and target) and generation (who created it).

Kudos to the army of security researchers who have, and are continuing to, dissect this worm.

But the most notable attribute of Stuxnet is, in my opinion, its initial entry point. The attack started from a simple USB stick, just like the attack reportedly dubbed "Operation Buckshot Yankee," which infiltrated U.S. military systems in 2008 and required a 14-month cleanup.

All the sophisticated techniques in its arsenal, and Stuxnet still needed to be physically inserted into “patient zero.”

Lessons learned

And therein lie two important lessons. No. 1 is that the host computer is still the most vulnerable point of an infrastructure. All the perimeter defenses in the world (IPS, IDS, firewalls, etc.) would not have stopped Stuxnet (or the Department of Defense attack involved in Operation Buckshot Yankee).

It was delivered directly to an endpoint. It is like a building with motion sensors in every hallway with office doors that open directly to the outside world. Why bother navigating the hallways when you can walk right into a room?

Not surprisingly, most of the virus outbreaks you read about today originate from computers within the perimeters of a company network — whether through physical attack (as in a USB portable drive) or the unsuspecting end user's willingness to install almost anything (social networking attacks).

No. 2 — traditional reactive and signature-based technologies will continue to fail at detecting these new and unknown attacks. Don't you think there were anti-virus products on at least some of the estimated 45,000 computers infected by Stuxnet? It is not easy to create signatures for custom malware that has never been seen before and exists only on very specific networks or systems.

A number of experts have commented that Stuxnet marks a new era in cyber warfare. I agree.

Advanced threats like Stuxnet are the new weapons of mass destruction. The enemy is organized and well trained. The attacks are better planned and more sophisticated. The targets and potential damage are, quite frankly, frightening. We're not talking about receiving annoying pop-up messages or having your Facebook password stolen — we're talking about losing control of a nuclear power facility or an entire power grid.

As the attackers and their methods evolve, the defenders and our methods must as well.

The technology currently protecting most computer systems is the same technology that has been used for decades. For too long we have been operating under the paradigm that computer activity is good unless proven bad. If we are to successfully defend against tomorrow's cyberthreats, we need to consider alternatives.
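The two lessons above (malware delivered straight to an endpoint on a USB stick, and signature-based products failing on code nobody has seen before) and the "good unless proven bad" paradigm all come down to one decision an endpoint makes: whether to let a binary run. The Python below is an added illustration, not code from this article or from any product mentioned in it. The binaries, their contents, hashes and signer names are constructed sample data, and the three policies are deliberately simplified models of a signature blocklist, a trusted-publisher check and a hash allowlist (the default-deny alternative the paragraph alludes to).

```python
"""Three endpoint execution policies evaluated against the same launch events.

Added illustration, not from the article. Every binary, hash and signer
name below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Binary:
    """An executable as an endpoint agent sees it at launch time."""
    path: str
    content: bytes
    # Subject of a cryptographically valid code-signing certificate, or None
    # if the file is unsigned. Validity says nothing about whether the key
    # was stolen, which is exactly the gap the article points at.
    signer: Optional[str]

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed sample launches; the byte strings stand in for real PE files.
NOTEPAD = Binary(r"C:\Windows\notepad.exe", b"MZ notepad build 6.1", "Microsoft Windows")
HMI = Binary(r"C:\Program Files\PlantHMI\hmi.exe", b"MZ plant hmi 2.3", "PlantHMI GmbH")
OLD_WORM = Binary(r"E:\autorun_helper.exe", b"MZ worm first seen 2008", None)
# Never seen before, arrives on a removable drive, and is signed with a
# stolen but still-valid certificate from a publisher the site trusts.
NEW_DROPPER = Binary(r"E:\driver_update.exe", b"MZ custom dropper, unique build",
                     "Legit Hardware Vendor Co.")

# What each policy knows about the world (all constructed).
KNOWN_BAD_HASHES = {OLD_WORM.sha256()}              # AV-style signatures: past malware only
TRUSTED_SIGNERS = {"Microsoft Windows", "PlantHMI GmbH", "Legit Hardware Vendor Co."}
APPROVED_HASHES = {NOTEPAD.sha256(), HMI.sha256()}  # golden image of this control-room PC


def default_allow(b: Binary) -> bool:
    """Blocklist model: everything runs unless its hash matches known malware."""
    return b.sha256() not in KNOWN_BAD_HASHES


def trusted_signer(b: Binary) -> bool:
    """Run anything that carries a valid signature from a trusted publisher."""
    return b.signer is not None and b.signer in TRUSTED_SIGNERS


def default_deny(b: Binary) -> bool:
    """Allowlist model: nothing runs unless its hash is on the approved list."""
    return b.sha256() in APPROVED_HASHES


POLICIES = {
    "default_allow": default_allow,
    "trusted_signer": trusted_signer,
    "default_deny": default_deny,
}


def evaluate(binaries: Iterable[Binary]) -> Dict[str, Dict[str, bool]]:
    """Return, per binary path, the run (True) / block (False) verdict of every policy."""
    return {b.path: {name: pol(b) for name, pol in POLICIES.items()} for b in binaries}


if __name__ == "__main__":
    for path, verdicts in evaluate([NOTEPAD, HMI, OLD_WORM, NEW_DROPPER]).items():
        cells = "  ".join(f"{n}={'run' if v else 'BLOCK'}" for n, v in verdicts.items())
        print(f"{path:40} {cells}")
```

Running it shows the shape of the problem: the blocklist stops only the worm it has a signature for, and the publisher check waves the new dropper through because a stolen certificate still validates. Only the hash allowlist blocks the unknown binary, at the price of maintaining the approved set, which is a reasonable trade on fixed-function machines such as the ones in a plant control room.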

As Hollywood has reminded us on several occasions, you don't bring a knife to a gunfight.

Harry Sverdlove

Harry Sverdlove, Chief Technologist for Secure Workload Communication, Zscaler, Inc. (formerly Co-Founder and Chief Technology Officer of Edgewise Networks), was previously CTO of Carbon Black, where he was the key driving force behind their endpoint security platform. Earlier in his career, Harry was principal research scientist for McAfee, Inc. (formerly Chief Scientist of SiteAdvisor), where he supervised the architecture of crawlers, spam detectors and link analyzers. Prior to that, Harry was director of engineering at Compuware Corporation (formerly NuMega), and principal architect for Rational Software, where he designed the core automation engine for Rational Robot.
