15 August 2012
Thank you for your interest in this presentation!
These slides combine my original research with data sources
as cited in the slide notes area. You are welcome to cite my work,
but please do not re-post this presentation online without my permission.
Thank you!
Betsy Woudenberg
betsy@intelligencearts.com
SCADA Right Now
Betsy Woudenberg, Co-founder
This presentation is © 2012 by IntelligenceArts, LLC.
What we’re talking about
• Control systems
▫ Industrial control systems (ICS): manufacturing, critical infrastructure
◦ DCS: Distributed Control Systems
◦ SCADA: Supervisory Control and Data Acquisition (power, oil & gas, water)
▫ Other control systems: facility control
The SCADA industry
• People are expensive, but computers are cheap.
▫ Commercial and profit-driven
▫ A truly global industry
• Idiosyncratic
▫ Few standards
▫ New processes bolted on to existing facilities
• Pragmatic and functional
▫ Built to last
▫ Early systems are still running
Basic SCADA structure
• A few Human-Machine Interfaces (HMI): computer screens and buttons for people (HMI software, HMI “lightboard”, HMI device)
• Many Programmable Logic Controllers (PLC): watching the system and making routine decisions
• Hundreds of Remote Terminal Units (RTU): reading sensors and controlling valves and switches
• The process: many thousands of valves, switches, and sensors (temperature, pressure, flow, etc.)
Modern enterprise SCADA
• Business or corporate network
▫ Corporate headquarters: executives, salespeople, travelers
▫ Regional office
▫ Facility front office (“support services”)
• Operations or SCADA network (“SCADAland”)
▫ Human-Machine Interface (HMI): engineers and vendors with dial-in or Internet access
▫ Programmable Logic Controllers (PLC)
▫ Remote Terminal Units (RTU)
• Field devices: valves, switches, and sensors
SCADA systems today: Two worlds
• The corporate world: corporate headquarters, regional office, facility front office
• The SCADA world: Human-Machine Interface (HMI), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), valves, switches, and sensors
How to attack SCADA systems
What you will need
Access + Expertise
• Access: the capability to issue commands to the SCADA system
▫ Hack into the system
▫ Recruit an insider
▫ Steal an insider’s credentials
▫ Place a software tool
▫ Place modified equipment
• Expertise: proficiency with the SCADA system to produce an effect
▫ Survey the system
▫ Select an effect you can produce
▫ Experiment and practice
▫ Defeat countermeasures
▫ Stay hidden?
Access: Technical targets
• Corporate side: corporate headquarters, corporate network, remote users, regional office, facility front office, support services
▫ Microsoft Windows
▫ Internet protocol
▫ Email and HTTP
▫ Passwords, encryption
▫ Element-level security
• SCADAland: Human-Machine Interface (HMI), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), valves, switches, and sensors
▫ Remote access modems
▫ Analog and digital signals
▫ Wired and wireless transport
▫ Proprietary protocols
▫ Clear-text communications
▫ Serial interfaces
▫ Perimeter security
A question of priorities
• Information security priorities: confidentiality, integrity, authenticity, ...
▫ Worst case scenario: data loss, security breach
• SCADA priorities: integrity, availability, resilience, ..., authenticity, confidentiality
▫ Worst case scenario: loss of view, loss of control
Access: Human targets
• The owners (people who own it)
▫ Executives, investors
▫ Administrators, managers, IT security
• The operators (people who run it)
▫ Managers, engineers, maintenance, security
• Designers & suppliers (people who built it)
▫ Planning engineers, process engineers, SCADA engineers
▫ Construction company, supply chain vendors, SCADA system vendor
Access in review
• SCADA systems rely on perimeter security.
▫ SCADA systems and equipment do not follow “standard” security conventions.
▫ Most (anecdotally, all) SCADA systems have some communications channel to the outside world.
• SCADA systems are surrounded by people.
▫ Owners: At the corporate level
▫ Operators: Hands-on access
▫ Designers: Schematics and equipment lists
▫ Don’t forget the SCADA system vendors, supply chain, maintenance, security…
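The perimeter point above can be turned into a concrete check. The following is an added example, not from the slides or from IntelligenceArts: it runs over a handful of constructed flow records and flags any flow that crosses the boundary around the SCADA network, treating a SCADA host talking to an outside address as the highest-priority finding and corporate-to-SCADA traffic as something to confirm against the list of approved engineering and vendor access paths. The zone address ranges, the record format and the sample flows are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed zone map (assumption: one private range per zone; not from the slides).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),  # HQ, regional office, front office
    "scada": ipaddress.ip_network("10.20.0.0/16"),      # HMI, PLC, RTU: "SCADAland"
}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Finding:
    severity: str     # "high" or "medium"
    reason: str
    flow: Flow


def parse_flow(line: str) -> Flow:
    """Parse one record of the assumed format: timestamp src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the known ranges is the outside world."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def classify(flow: Flow) -> Optional[Finding]:
    """Apply the zone-crossing policy to a single flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None                      # traffic that stays inside one zone
    zones = {src_zone, dst_zone}
    if zones == {"scada", "external"}:
        direction = "outbound from" if src_zone == "scada" else "inbound to"
        return Finding("high",
                       f"SCADA network has a channel to the outside world ({direction} SCADAland)",
                       flow)
    if "scada" in zones:
        return Finding("medium",
                       f"cross-zone traffic {src_zone} -> {dst_zone}; confirm it is an approved "
                       "engineering or vendor access path",
                       flow)
    return None                          # corporate <-> Internet is ordinary business traffic


def scan(lines: List[str]) -> List[Finding]:
    """Run classify over a log, skipping blank lines and comments."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        finding = classify(parse_flow(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample records (not real traffic): timestamp src dst dport proto
SAMPLE_FLOWS = """\
# corporate workstation to corporate server
2012-08-15T10:01:00 10.10.5.20 10.10.5.1 80 tcp
# corporate workstation browsing the Internet
2012-08-15T10:01:07 10.10.5.20 198.51.100.7 443 tcp
# HMI host opening a connection to an outside address
2012-08-15T10:02:13 10.20.1.15 198.51.100.7 443 tcp
# outside address reaching a controller over a clear-text remote-access port
2012-08-15T10:03:41 203.0.113.9 10.20.3.40 23 tcp
# front-office PC reaching the HMI
2012-08-15T10:04:02 10.10.7.3 10.20.1.15 3389 tcp
# controller talking to the HMI inside SCADAland
2012-08-15T10:05:30 10.20.3.40 10.20.1.15 20000 tcp
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f.severity.upper():<6} {f.flow.ts} {f.flow.src} -> {f.flow.dst}:{f.flow.dport}  {f.reason}")
    print(summarize(scan(SAMPLE_FLOWS)))
```

On the sample the scan reports two high findings (the HMI reaching out and the outside address reaching in) and one medium finding (front office to HMI); the corporate-only and SCADA-only flows produce nothing. In practice the "medium" list is the one worth keeping as an allowlist, since the slides' point is that engineer and vendor access paths exist in almost every facility.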
Expertise
The more damage you do, the more likely you’ll get caught.
Chart of damage against clandestinity, placing three groups:
• Nation-state actors, crafty insiders, and other people who don’t want to get caught
• Hackers, amateurs, and other people who don’t think they will get caught
• Terrorists
Expertise: Selecting a process
Objective:
Shut off power to this city
Expertise: Achieving your objective
• The process: What you’re going to do
▫ Chemistry and physics
▫ Process design
▫ Process variables
• The SCADA system: How you’re going to do it
▫ Vendor, software, and equipment
▫ SCADA protocol
▫ Defeat the system
▫ Hide your tracks
• The environment: When you’re going to do it
▫ Facility variables
▫ Environmental variables
Expertise: Managing human factors
• Every place has a culture.
▫ Culture derives from and determines human behavior
▫ Small problems versus Big Problems
◦ Be a small problem!
• People can help or hinder your attack.
▫ Understand the culture at your target facility
▫ Will “blame the human” work?
• Culture is hard to read from a distance.
▫ Find and recruit an insider… there are many!
Expertise in summary
• The more damage you do, the more likely you will be
caught.
▫ Many human and technical factors work against you
• Controlling SCADA requires a lot of information
about your target.
▫ What to do: The processes you need to affect
▫ How to do it: The commands you need to issue
▫ When to do it: The external factors outside your
control
• People can defeat your SCADA attack… or help you.
▫ Insider knowledge is critical to managing human
factors
Remember…
Access makes the attack possible
Expertise makes the attack successful
An overview of known cyber incidents involving critical infrastructure
control systems
Who is targeting SCADA?
Table with columns Intent, Goal, Evidence, and Actor (the evidence and actor columns are still empty at this point):
• To take control: for destructive attack
• To demonstrate capabilities
• To get information: to case a target; for economic advantage
Stuxnet
• Trojan active since 2008, discovered “in the wild” in June 2010
▫ “Escaped” from its intended target in 2009
• Very effective Microsoft Windows-based “missile” carrying a highly targeted SCADA “warhead”
• Missile (delivery system)
▫ Rides a USB drive, CD, or DVD…
▫ Lands on a network of Windows PCs and spreads…
▫ Looks for HMI software, PLCs, and device codes in the Siemens SCADA software…
• Warhead (produces SCADA effect)
▫ Is carried onto the Siemens PLC (Siemens SCADA equipment)…
▫ Issues commands to the motor speed controllers…
▫ … and modifies the rate of spin of the centrifuges (centrifuge cascades).
Stuxnet in the structure
• Human-Machine Interface (HMI): enters at a Windows PC running HMI software
• Programmable Logic Controllers (PLC): modifies programming on the PLC
• Remote Terminal Units (RTU): the PLC directs RTUs to direct controllers to change the speed of centrifuge motors
• Centrifuge processes
• Result: Loss of View and Loss of Control
Stuxnet’s effects on centrifuge spin
Chart: drive speed in Hz (0 to 1500) against time, starting at initial infection:
• Phase I (~12.8 days), normal: observation of normal range (807-1210 Hz)
• Phase II (~27 days), stress: reset to higher than normal speed (1410 Hz)
• Phase III (15 or 50 minutes): catastrophic crash from 1410 to 2 to 1064 Hz
• Phase IV (~27 days), new normal: reset to new normal (1064 Hz)
• Phase II again (~27 days), stress: reset to higher than normal speed (1410 Hz)
Quick note for Stuxnet fans: This is 315 code, not 417 code.
The Stuxnet operation
Chart: cascades at Natanz, 2007-2012, plotted Feb-07 through Feb-12 (0 to 60 cascades): capacity (total number of cascades in place) against success (cascades up and running).
• 2007, preparation: decision to target, access development, technical survey, tool development (survey tool: Flame?)
• 2008: Stuxnet Version 1.0
• 2009 – mid 2010: Stuxnet Version 2.0
▫ Mid-2009: escape of code to wild
▫ June 2010: public discovery of Stuxnet
• Post-Stuxnet
Who is targeting SCADA?
Table with columns Intent, Goal, Evidence, and Actor:
• To take control: for destructive attack. Evidence: Stuxnet. Actor: nation-state actors
• To demonstrate capabilities
• To get information: to case a target. Evidence: Flame. Actor: nation-state actors
• To get information: for economic advantage
South Houston
• November 2011: Springfield, Illinois announces
destruction of a water utility pump by Russian
hackers
• Subsequently proved to be mundane pump failure
▫ FBI and DHS investigated: “Russian hack” was remote
access by SCADA engineer on vacation
• Lesson learned: Examining cyber logs without
understanding SCADA culture leads to mistaken
assumptions
• But this is not our story!
“Second water utility reportedly hit by hack attack”
• 18 November 2011: Hacker “pr0f” posts a message to pastebin.com
▫ Offended by FBI and DHS downplaying the Springfield “hack”
▫ Sought to highlight the vulnerabilities of control systems
South Houston: Yep, he got in
pr0f: Conscientious hacker?
• Opportunistic target
▫ No grudge against South Houston
▫ Likely used Shodan search tool to look for connected and responsive devices
▫ South Houston had no real security set up
◦ This is an expression of human culture!
• “No damage was done”?
Shodan: “Google for hackers”
Who is targeting SCADA?
Table with columns Intent, Goal, Evidence, and Actor:
• To take control: for destructive attack. Evidence: Stuxnet. Actor: nation-state actors
• To demonstrate capabilities. Evidence: South Houston. Actor: hackers
• To get information: to case a target. Evidence: Flame. Actor: nation-state actors
• To get information: for economic advantage
Brazil power outages
• “Hacker extortionists” behind multiple power outages in Brazil
▫ January 2005: North of Rio de Janeiro, “tens of thousands of people”
▫ September 2007: Espirito Santo, 3 million people
• Brazil continues to deny hacking
▫ “Our systems are not connected to the Internet”
▫ Blamed 2007 outage on weather and “sooty insulators”
• If true…
▫ Hackers followed through on threats and disrupted the power grid
◦ Were outages demonstrations or escalations?
▫ Were insiders involved?
Who is targeting SCADA?
Table with columns Intent, Goal, Evidence, and Actor:
• To take control: for destructive attack. Evidence: Brazil; Stuxnet. Actors: criminals; nation-state actors
• To demonstrate capabilities. Evidence: South Houston. Actor: hackers
• To get information: to case a target. Evidence: Flame. Actor: nation-state actors
• To get information: for economic advantage
China and global oil & gas companies
• China is conducting a series of espionage operations
to collect information from U.S. and foreign energy
companies.
▫ Short-term: Advantage in energy deals
▫ Long-term: Less energy dependence
• Two recent well-known cyber attacks against energy
industry targets demonstrate this.
▫ Shady RAT (2006-2010)
▫ Night Dragon (2009-2011)
Shady RAT
• Who they targeted: From 2006 to 2011, 70 global entities including a U.S. natural gas wholesaler from February to December 2009.
• What they stole: “… A historically unprecedented transfer of wealth—[including] negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more …”
• How they stole it: “A spear-phishing email … a download of the implant malware… backdoor communication channel … live intruders jumping on to the infected machine … targeting for quick exfiltration the key data they came for.”
– Dmitri Alperovitch, McAfee
Night Dragon
• Who they targeted: From November 2009 to early 2011, “attackers using several locations in China … [waged] attacks against global oil, gas, and petrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United States to acquire proprietary and highly confidential information.”
• What they stole: “Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding…”
• How they stole it: “… social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) … In certain cases, the attackers collected data from SCADA systems.”
– McAfee
China’s foreign oil/gas deals and cyber attacks
Timeline chart, 2008-2013, placing Shady RAT (U.S. natural gas wholesaler) and Night Dragon (Kazakhstan, Taiwan, Greece, U.S.) alongside China’s foreign oil and gas deals:
• Purchase of major stake in Kazakh oil company
• Purchase of Rumaila oil field, Iraq, at auction
• McKay River and Dover oil sands deal with Athabasca, Canada
• LNG deal with QatarGas
• LNG deal with QatarGas
• Aggressive bidding on multiple Iraqi oil fields at auction
• Purchase of major stake in a second Kazakh oil company
• China-Taiwan trade deal for petrochemicals
• LNG deal with QatarGas
• Development of Iran’s Masjed Soleyman oil field
• LNG deal with Exxon
• Oil development deal with Afghanistan
• Finalization of South Pars Phase 11 with Iran
• LNG deal with Shell
• Framework for LNG deal with Russia
• LNG deal with Australia
• LNG deal with Uzbekistan
• LNG deal with Australia
• Shale gas deal with Chesapeake Energy in Texas
• LNG deal with France
Who is targeting SCADA?
Table with columns Intent, Goal, Evidence, and Actor:
• To take control: for destructive attack. Evidence: Brazil; Stuxnet. Actors: criminals; nation-state actors
• To demonstrate capabilities. Evidence: South Houston. Actor: hackers
• To get information: to case a target. Evidence: Flame. Actor: nation-state actors
• To get information: for economic advantage. Evidence: China’s cyber theft. Actor: China (economic espionage)
What’s the scariest thing on here?
Same table as the previous slide.
Who is/could be casing SCADA systems?
• Everyone.
▫ Terrorists
◦ Al Qa’ida
▫ Competitors
◦ Economic espionage
▫ Hackers
◦ For the lulz
▫ Criminals
◦ For profit
▫ Nation-state actors
◦ For covert action
▫ China
◦ For economic espionage
• SCADA casing is…
▫ Difficult to detect
▫ Difficult to prevent
▫ Difficult to characterize
◦ “Dual use”
◦ Illegal?
◦ Precursor to SCADA attack?
▫ Impossible to quantify
◦ Relies on victim to report it
Key indicators
• What’s the target?
▫ Corporate entity: The target, or a means to an end?
▫ SCADA vendor: Look at the customers
▫ Facility: One place, or the whole sector?
▫ Opportunistic exploration: Because it was there
• Who’s the attacker?
▫ Not just where it came from, but what they did
◦ Did the cyber activity penetrate SCADAland?
◦ What data did the attacker exfiltrate?
◦ How well does the attacker know the target?
• How far along are things?
▫ Early stages
◦ Access: Target research and selection
▫ Later stages
◦ Expertise: Drilling down to data to shape the attack
◦ What other information sources have been hit?
In conclusion
• SCADA vulnerability is a consequence of its priorities.
▫ Integrity, availability, and resilience
• For effective attack, you need access and expertise.
▫ Technology targets and human targets
• Lots of cyber activity appears to touch SCADA …
▫ Stuxnet
▫ Hackers and criminals
▫ Economic espionage
• … But it’s hard to determine precursors to SCADA
attack.
▫ Control access and monitor expertise sources
▫ Look for indicators of serious capability and intent
Thank you!
Betsy Woudenberg
betsy@intelligencearts.com
The entirety of this presentation is © 2012 by IntelligenceArts, LLC.
The information and insights herein are solely those of IntelligenceArts, LLC and do not derive from or represent the U.S. Government.
Backup slides
Index to backup slides
• More on Stuxnet
• Duqu and Stuxnet
• What’s next?
• Why culture matters
Stuxnet facts
• What it is
▫ A worm/trojan detected “in the wild” in June 2010
• What it targeted
▫ Windows PCs running Siemens WinCC and Step7 SCADA software
◦ WinCC is a Windows-based HMI
◦ Step7 (S7) runs on the PC to configure Siemens PLCs
▫ Siemens PLCs that control two specific high-frequency converter drives
◦ Vacon (Finland) and Fararo Paya (Iran)
• How it spread
▫ Propagates by USB thumb drive, LAN, and other close-range techniques
▫ Four zero-day exploits for propagation between Windows machines
• What it did
▫ Late September 2010: 100,000 infected PC hosts worldwide
◦ 60% in Iran
Forensic data and credited diagrams taken from Symantec’s W32.Stuxnet Dossier, February 2011
Stuxnet’s purpose
• Stuxnet was a destructive clandestine attack on the uranium enrichment centrifuge cascades at Natanz, Iran.
• Stuxnet looks for Siemens PLCs controlling an array of 31 Vacon or Fararo Paya converter drives
▫ Must operate between 807-1210 Hz for ~13 days
• It then modifies the frequency output from the drives in a repeating cycle
▫ Normal → 1410 Hz → 2 → 1064 Hz
▫ Resets timer for next round
• And it hides the drive speed changes from the HMI
Diagram: uranium gas (UF6) centrifuge. The frequency converter drive controls the speed of the motor that spins the centrifuge rotor.
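Because Stuxnet fed spoofed data to the HMI, the operator’s screen stopped being evidence of what the drives were doing; the people Iran posted in the plant to radio back what they saw (Phase II slide) were in effect an out-of-band sensor. The following added example (not from the slides or from IntelligenceArts) shows that idea as a monitor: each sample carries the frequency the HMI displays and an independent reading, and the monitor flags readings outside the 807-1210 Hz band stated above, disagreement between the HMI and the independent reading, and abrupt jumps between consecutive readings, then maps the alerts onto the slides’ own terms, loss of view and loss of control. The sample sequence, the tolerance values and the sampling interval are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Normal operating band of the centrifuge drives, as stated in the slides (Hz).
NORMAL_BAND_HZ = (807.0, 1210.0)


@dataclass
class Sample:
    t_min: int        # minutes since monitoring started (constructed time base)
    hmi_hz: float     # frequency the HMI displays to the operator
    meter_hz: float   # independent reading taken outside the SCADA system


@dataclass
class Alert:
    t_min: int
    kind: str         # "out_of_band", "hmi_mismatch" or "step"
    message: str


def check_sample(s: Sample, prev: Optional[Sample],
                 tolerance_hz: float = 20.0, max_step_hz: float = 100.0) -> List[Alert]:
    """Run the three checks on one sample; the tolerance and step limits are assumptions."""
    alerts = []
    lo, hi = NORMAL_BAND_HZ
    # 1. Range check on the trusted reading: is the drive outside its normal band?
    if not lo <= s.meter_hz <= hi:
        alerts.append(Alert(s.t_min, "out_of_band",
                            f"drive at {s.meter_hz:.0f} Hz, outside {lo:.0f}-{hi:.0f} Hz"))
    # 2. Consistency check: does the HMI agree with the independent reading?
    if abs(s.hmi_hz - s.meter_hz) > tolerance_hz:
        alerts.append(Alert(s.t_min, "hmi_mismatch",
                            f"HMI shows {s.hmi_hz:.0f} Hz, independent meter reads {s.meter_hz:.0f} Hz"))
    # 3. Rate-of-change check: did the real speed jump between two consecutive samples?
    if prev is not None and abs(s.meter_hz - prev.meter_hz) > max_step_hz:
        alerts.append(Alert(s.t_min, "step",
                            f"speed moved {prev.meter_hz:.0f} -> {s.meter_hz:.0f} Hz in one interval"))
    return alerts


def monitor(samples: List[Sample], **limits) -> List[Alert]:
    """Apply check_sample across a time series, carrying the previous sample along."""
    alerts: List[Alert] = []
    prev = None
    for s in samples:
        alerts.extend(check_sample(s, prev, **limits))
        prev = s
    return alerts


def assess(alerts: List[Alert]) -> Set[str]:
    """Translate alert kinds into the slides' two worst cases."""
    kinds = {a.kind for a in alerts}
    outcome = set()
    if "hmi_mismatch" in kinds:
        outcome.add("loss of view")      # the operator cannot trust the screen
    if kinds & {"out_of_band", "step"}:
        outcome.add("loss of control")   # the process moved with no operator command (assumed)
    return outcome


# Constructed sequence: the drive is pushed to 1410 Hz, dropped to 2 Hz, then parked at
# 1064 Hz (the cycle the slides describe) while the HMI keeps showing about 1004 Hz.
SAMPLES = [
    Sample(0, 1000.0, 1000.0),
    Sample(1, 1004.0, 1004.0),
    Sample(2, 1004.0, 1410.0),
    Sample(3, 1004.0, 2.0),
    Sample(4, 1004.0, 1064.0),
    Sample(5, 1004.0, 1064.0),
]

if __name__ == "__main__":
    found = monitor(SAMPLES)
    for a in found:
        print(f"t={a.t_min:>2} min  {a.kind:<13} {a.message}")
    print("assessment:", ", ".join(sorted(assess(found))) or "no alerts")
```

The two clean samples raise nothing; from the 1410 Hz reading onward every sample trips the mismatch check, and the band and step checks fire on the excursions, so the assessment comes back as both loss of view and loss of control. The point is that the mismatch check needs no knowledge of the malware at all; it only needs a reading the compromised HMI cannot influence.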
Stuxnet’s code
Flow diagram with five stages; the first four stages are the missile (delivery system), the last is the warhead (produces effect):
• Lands on PC: thumb drive; LAN; digital certificates
• Establish: check OS version; get admin privileges; decrypt and load files; phone home and send profile
• Spread: .INF or .LNK; network shares; print spooler vulnerability; WinCC DB and project files; peer-to-peer update
• Infect: look for WinCC and S7 software; look for specific PLCs by ID code; modify S7 code on PC; inject code onto PLCs
• Implement: monitor drive output values; initiate timed sequences; intercept 16 of 109 routines; issue spoofed data to HMI
Phase I: Planning
• 2006-2007: Planning and tool development
▫ Study of Iran’s centrifuges
◦ Based on P-1 and P-2 Pakistani design
▫ Data collection on SCADA system inside Natanz
◦ Was this Flame?
Chart (cascades at Natanz, Feb-07 to Aug-07, 0 to 60): In 2006, Iran set up, tested, and began operating its first UF6 cascade of 164 linked centrifuges. By November 2007, Iran had assembled and was operating its first “unit” of 18 linked cascades with a total of 2,952 working centrifuges.
Phase II: Covert attack
• 2008: First attacks
▫ Tool placed in the Natanz control network
▫ Moderate success but “no wholesale destruction”
◦ “The Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.”
Chart (cascades at Natanz, Feb-07 to Aug-08, 0 to 60): Iran quickly began assembling additional cascades based on the first successful unit. However, the second unit was not operating at full capacity. By late 2008, only 24 of the 36 total cascades were operating.
Phase III: Success and escape
• 2008 – mid 2010: Repeated operations
▫ Additional versions inserted into Natanz
◦ Improvements to propagation mechanism
• Mid to late 2009: Critical period
▫ Significant disruption of Iran’s program
▫ Emergence of first virus samples in the wild
Chart (cascades at Natanz, Feb-07 to Aug-10, 0 to 60): Iran built a third unit, for a total of 54 cascades. But the number of working cascades remained stalled at 20-30.
Phase III: Success…
Chart: cascades per unit (0 to 20) in August 2009, November-December 2009, and August 2010, by status (operating with UF6; under vacuum, but not operating; idle, not under vacuum; centrifuges disconnected):
• A24: Pilot unit, no major problems
• A26: Can’t bring these new cascades into service
• A28: Serious problems starting late 2009
Phase III: Escape?
• Symantec found versions in the wild dating back to three “waves”
▫ June 2009
▫ March 2010
▫ April 2010
• Initially thought to be insertions into Natanz
• Now look like evidence of escape from Natanz
Diagram: infection spread across Domains A through E.
Credit to Symantec, W32.Stuxnet Dossier, February 2011
Phase IV: Discovery and aftermath
• Mid-2010: Public discovery
▫ June: Stuxnet found by VirusBlokada
▫ July: Stuxnet characterized as SCADA attack
◦ Intensive public forensics begin
▫ August: AEOI meets to discuss ramifications
▫ September: Symantec counts 100,000 global infections
▫ November: Iran begins to admit infection at Natanz
Chart (cascades at Natanz, Feb-07 to Feb-12, 0 to 60), with the discovery marked.
How did Stuxnet get out of control?
• “An error in the code… had led [Stuxnet] to spread to an engineer’s computer when it was hooked up to the centrifuges … We think there was a modification done by the Israelis and we don’t know if we were part of that activity.”
• Symantec’s data seems to indicate two versions in the wild by mid-2009
▫ Error persisted across multiple versions of the virus
• September 2010: 100,000 infections worldwide
▫ Counted by samples and callbacks to the same C&C servers
Chart (cascades at Natanz, Feb-07 to Feb-12, 0 to 60), with the covert period, escape 1, escapes 2 & 3, and the 100,000-infection data point marked.
Did the Iranians know?
• At least two years of suffering in silence
Chart (cascades at Natanz, Feb-07 to Feb-12, 0 to 60).
What was going on?
• Post-Stuxnet
▫ Barrage of press about Iranian cyber expertise
▫ Arrests of “nuclear spies,” October 2010
▫ Stars virus, April 2011
▫ DigiNotar compromise, September 2011
Stuxnet’s sources for information
• Cyber targeting
▫ International Atomic Energy Agency (IAEA): no access to detailed information
▫ Computers at Natanz: no inbound Internet access
▫ Natanz engineers: low likelihood of chatter; passive methods; high security
• Human targeting
▫ SCADA system vendor: Siemens
▫ People who own it: Atomic Energy Organization of Iran (AEOI)
▫ People who run it: most direct, highly protected
▫ People who built it: less direct, less protected
Humans certainly provided physical access to Natanz, and likely provided information as well.
Unintended consequences
Stuxnet, Duqu, Flame… What will they find next? Gauss?
Unanswered question #1
• Why did Stuxnet evolve?
▫ Wave 1, June 2009
◦ AUTORUN.INF exploit requires human enablement
▫ Nov – Dec 2009: Iran starts dismantling centrifuges
▫ Waves 2 and 3, Mar – May 2010
◦ Encrypted payload
◦ .LNK exploit needs no human enablement
◦ Signed, legitimate digital certificates
• Could it be that…
▫ Wave 1 code had been found and removed?
▫ The Iranians were tightening network security?
▫ The attackers didn’t know whether Wave 1 was working?
Unanswered question #2
• Did Stuxnet contain unused code?
▫ Sequences A (Vacon) and B (Fararo Paya), aka the 315 code, appeared operational
▫ To Symantec, Sequence C (the 417 code) was not functional
◦ More sophisticated randomized effects = more clandestine
◦ Inactive due to missing piece of code
◦ Not copied onto PLC
◦ Possibly unfinished
▫ No agreement between experts that 417 was not operational
• But…
▫ Why launch with unnecessary code?
▫ Where would the missing activation code come from?
▫ Are there other variants out there that haven’t been found?
Stuxnet’s fatal flaw?
Why didn’t Stuxnet have a better kill switch? Possibilities:
• Didn’t have enough information about the target network
• Assumed code would never be found
• Underestimated human movements
• Didn’t have confidence in the seeding mechanism
• Forced by urgency or political pressure
Summary
• Stuxnet relied on humans and technology.
▫ Hard targets can be penetrated by a combination of
technical and human targeting.
▫ Strengthening SCADA perimeter security against cyber
intrusion won’t necessarily protect a high-value facility.
• The Iranians unwittingly helped Stuxnet.
▫ Humans will defy common sense according to cultural
factors.
• “Cyber covert action” is becoming an oxymoron.
▫ Partnering multiplies risk.
▫ The global hunt is on.
Duqu
• Timeline: Active since 2007
▫ Discovered September 2011 by CrySyS (Budapest University of Technology and Economics)
• Targets: Variety
▫ Variety of corporate targets in Iran, Sudan, India, Vietnam, Ukraine, Switzerland, France and the Netherlands
• Tactics: Trojan Infostealer
• Perpetrator: Unknown
▫ Driver files similar or identical to Stuxnet
◦ Same missile, different warhead
• Effects
▫ Capable of stealing information about control systems, but no code to command a control system
▫ No consensus about purpose or targets
• Is this a SCADA attack?
Duqu, “Son of Stuxnet”
• What it is
▫ A trojan announced by Symantec on 20 October 2011
• What it targets
▫ Microsoft Windows
▫ Unspecified companies in France, Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Vietnam, UK, Austria, Hungary, Indonesia…
• How it spreads
▫ Zero-day exploit in Microsoft Word documents
• What it does
▫ System profiler and info-stealer
◦ Exfiltrates data to C&C servers
• Who did it
▫ No attribution to date
• Why “Son of Stuxnet”?
▫ Methodology and portions of code identical to Stuxnet
▫ Effects and purpose appear different
Forensic data and credited diagrams taken from Symantec’s W32.Stuxnet Dossier, February 2011
Stuxnet and Duqu, side by side
• Earliest apparent creation date of virus: Stuxnet, June 2009; Duqu, 2007
• Operational period: Stuxnet, June 2009 – July 2010; Duqu, December 2010 through 17 October 2011, with re-emergence in February 2012
• Variants: Stuxnet, four; Duqu, seven
• Propagation: Stuxnet, four zero-day exploits, LAN/thumb drive/etc., self-propagation; Duqu, one zero-day (so far), no self-propagation
• Payload: Stuxnet, code for Siemens WinCC and PLCs, written in Microsoft Visual C++; Duqu, infostealer and backdoor, written in a custom “Object Oriented C dialect”
• Command and control: Stuxnet, Malaysia and Denmark, no activity observed; Duqu, India and Belgium, active executable code transmitted via .JPGs and encrypted data
• Time limits: Stuxnet, 3 offspring per infection, drop-dead in June 2012; Duqu, 8-day window, 36 days per infection, can be extended via downloaded files
• Digital certificates: Stuxnet, JMicron and Realtek in Hsinchu City, Taiwan; Duqu, C-Media Electronics in Taipei, Taiwan
• Intended targets: Stuxnet, Natanz uranium enrichment facility; Duqu, unknown
Duqu versus Stuxnet
How they are the same (same missile over time)
• Identical functionality in Duqu’s netp191.dll and Stuxnet’s oem7a.dll
• Duqu’s Jminet7.sys/smi4432.sys drivers are “binary match to” Stuxnet’s mrxcls.sys
• Identical code in Duqu’s .zdata and Stuxnet’s .xdata
• Same processes hooked in ntdll.dll
• Same use of hashes/checksums to look up functions
• “Magic keys” such as “AE” in both
• Same startup processes and RPC logic
• Signed and unsigned versions of drivers
• Signed versions use certificate from a Taiwanese firm
• Multiple variants
How Duqu is different (different warhead)
• Exfiltrates data
• Not targeting control systems
• Infection vehicle is MS Word document (so far)
• “Object Oriented C dialect” programming language
• Controlled propagation
• Active use of C&C to pass code
• Relies on Internet for spread
• First samples compiled circa 2007
• Active as of March 2012
Duqu’s code
Flow diagram with the same five stages as Stuxnet’s code:
• Lands on PC: Microsoft Word vulnerability; 8-day window in August 2011; signed digital certificates
• Establish: check OS version; get admin privileges; decrypt and load files
• Spread: Server Message Block (SMB); CreateProcessAsUser
• Infect: Method 1: template .exe; Method 2: receive AES-encrypted data; Method 3: use existing process
• Implement: contact C&C; Resource 302 loads .zdata; install infostealer?
Duqu: The reality
• No code to target control systems
▫ Sets up backdoor access via Internet C&C
• No evidence of targeting of industrial control system
companies
• Most likely…
▫ Reuse of “missile” by Stuxnet’s creators?
▫ Repurposing of Stuxnet missile against other targets?
We are Post-Stuxnet.
• The Iranian nuke program is stronger than ever.
▫ Productivity improved
▫ Technical hardening
▫ Cultural hardening
• U.S. critical infrastructure is slowly getting more secure.
▫ Efforts to set up security standards
▫ Focus on strengthening inherent SCADA qualities, not introducing new protocols
◦ Perimeter security
◦ Defense-in-depth
We know we have problems.
Distribution of ICS vulnerabilities by level of the structure:
• Level 4: Enterprise systems (corporate headquarters, regional office, facility front office): 11%
• Level 3: Operations management: 16%
• Level 2: Supervisory control (Human-Machine Interface): 53%
• Level 1: Local or basic control (Programmable Logic Controllers, Remote Terminal Units): 20%
• Level 0: Process equipment (valves, switches, and sensors): 0%
Source: DHS Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011.
Cybersecurity: Forcing change
• Vulnerability disclosures
▫ “Amateurs” describing hundreds of flaws/quirks in hardware and software
• Community activism
▫ Digital Bond’s “Project Basecamp”
◦ Release of Metasploit modules for exploitation of several major control system types
• Ralph Langner’s insight: Design flaws versus vulnerabilities
Cybersecurity: The scary stuff
• Looking for “Son of Stuxnet”
▫ Command and control of SCADA
▫ Penetration of SCADA without command and control
▫ Attempts to penetrate SCADA
▫ Exfiltration of data from within SCADA
▫ Theft of SCADA data from operator’s corporate network
▫ Theft of proprietary non-SCADA data from operators
▫ Theft of proprietary non-SCADA customer data from vendors
▫ Theft of proprietary SCADA product data from vendors
▫ Run-of-the-mill pings against all of the above
Looking for Son of Stuxnet
Chart plotting severity against targeting (exploration, malign intent, operation) for corporate networks and SCADAland, placing:
• Command and control of SCADA
• Penetration of SCADA without command and control
• Attempts to penetrate SCADA
• Exfiltration of data from within SCADA
• Theft of SCADA data from operator’s corporate network
• Theft of proprietary non-SCADA data from operator
• Theft of proprietary non-SCADA customer data from vendor
• Theft of proprietary SCADA product data from vendor
• Run-of-the-mill pings against corporate networks
Here’s what Ralph Langner thinks
Ralph says…
• “‘Son of Stuxnet’ is a misnomer. What’s really worrying are the concepts that Stuxnet gives hackers… Before, a Stuxnet-type attack could have been created by maybe five people. Now it’s more like 500 who could do this.”
• “You just have to know how to copy parts of [Stuxnet]. After that, you just need a little more knowledge to make a simple but effective digital dirty bomb.”
• “What you still hear today from all kinds of people is how a Stuxnet-type attack requires so much insider knowledge. I finally had to publish a [simple and damaging] attack just to make sure no smart-guy tells his boss that this is impossible.”
Interviewed by the Christian Science Monitor, 24 September 2011
My take on it is…
• Missile/warhead structure
• Code is available to the public
▫ Extensive public forensics by respected IT firms
• Methodology is on display
• “A little more knowledge”?
▫ Sustained clandestine attack requires significant expertise
▫ Brute attack does not, but how effective would it be?
▫ Access
▫ Expertise
▫ Terrorists and criminals may not need a predictable outcome to be successful
Things to think about
• What is a SCADA attack?
▫ Is it the target?
▫ Is it the intention?
• Was Stuxnet a successful operation?
▫ How do you define success?
• What will Son of Stuxnet be?
▫ How will this operation be used against us?
Why human culture matters
Diagram: security culture from low to high.
• Low security culture: more opportunity to do damage before you are detected
• “Normal” security culture
• High security culture: quicker detection means you can’t stay below the radar for long