How Stuxnet changed the landscape for plant engineers
Richard Trout,
Director for Client Solutions, Trout I.T.
[email protected]

Introduction
This presentation is not:
• A technical discovery
• A landmark engineering project
• About an innovative new process
• Engineers in Society
It is about a mystery

Natanz Uranium Enrichment Plant
January 2010 IAEA inspection anomaly
• Centrifuge replacement

VirusBlokAda
June 17 2010
• Computer reboot loop in Iran
• Rare Zero Day Exploit
• Microsoft labels as ‘Stuxnet’
• Identified 3 versions dating from June 2009
• Targets Siemens Simatic systems

Perseverance
July 2010
• Liam O Murchu, Symantec
Many unusual characteristics
• 500kb of code > 10kb code
• Not an obvious class of malware
• First to hide Windows DLL in memory
• Modular components for modification
More ZDEs
Hard-coded password vulnerability in Siemens Step7
Local network and devices

Timeline
June 2008 ISIS notes centrifuge susceptibility
June 2009
• oldest Stuxnet in wild
• 12 centrifuges known operating at Natanz A26
August 2009 only 10 cascades operating
Early 2010 IAEA finds high centrifuge replacement
February 2010 2 of 3 Natanz modules unproductive
June 2010 VirusBlokAda
July 2010 Symantec identifies Iran target

Conspiracy Theory
February 2003 Natanz enrichment facility
USA Iran tensions
April 2007 3,000 centrifuges in defiance of UN order
January 2009 NYT covert operation
September 2009 US ultimatum to Iran
November 2010 assassination attempts

Smoking Gun
Ralph Langner
• Industrial control system security
September 16 accusations
• Targeting a specific Siemens installation
• Bushehr nuclear power plant
• Stuxnet a product of government agency
• Targeting enrichment centrifuges

Key Points
Stuxnet was the first publicly identified malware to target an industrial control system
Disclosure practices of Siemens for computer security were criticised
Stuxnet Zero Day Exploits had been previously identified
Stuxnet was not typical and exploited local networks and devices

A New Landscape
Typical plant networks (LAN and PLC) are vulnerable to the same exploits used by Stuxnet
Are vendors prepared?
Change control practices and security maintenance
Long history of virus evolution
The black hats of computer security
Agency involvement

Further Reading
“How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History”
• This presentation draws heavily from Kim Zetter’s story for Wired.com, and is used with permission
• Buy the book – coming soon!
Ralph Langner’s 16 September findings
• http://www.langner.com/en/2010/09/16/stuxnet-logbook-sep-16-2010-1200-hours-mesz/#more-217
Symantec’s Stuxnet analysis
• http://www.symantec.com/connect/blogs/w32stuxnet-network-information

About the Presenter
• Richard Trout
Director of Client Solutions, Trout I.T.
[email protected]
• Please email for copies of the presentation or information on Stuxnet and Duqu