SCADA Right Now
Betsy Woudenberg, Co-founder
15 August 2012

This presentation is © 2012 by IntelligenceArts, LLC.
Thank you for your interest in this presentation! These slides combine my original research with data sources as cited in the slide notes area. You are welcome to cite my work, but please do not re-post this presentation online without my permission.
Thank you! Betsy Woudenberg
What we’re talking about
Control systems
• Industrial control systems (ICS): critical infrastructure (water, oil & gas, power), facility control, manufacturing
  ▫ SCADA: Supervisory Control and Data Acquisition
  ▫ DCS: Distributed Control Systems
• Other control systems
The SCADA industry
• People are expensive, but computers are cheap.
  ▫ Commercial and profit-driven
  ▫ A truly global industry
• Idiosyncratic
  ▫ Few standards
  ▫ New processes bolted on to existing facilities
• Pragmatic and functional
  ▫ Built to last
  ▫ Early systems are still running
Basic SCADA structure
• The process: Many thousands of valves, switches, and sensors (temperature, pressure, flow, etc.)
• Hundreds of Remote Terminal Units (RTU) (reading sensors and controlling valves and switches)
• Many Programmable Logic Controllers (PLC) (watching the system and making routine decisions)
• A few Human-Machine Interfaces (HMI) (computer screens and buttons for people)
[Diagram: HMI software and an HMI device (“lightboard”) above PLCs and RTUs, which connect to the field devices]
Modern enterprise SCADA
[Diagram: two networks side by side]
• Business or Corporate network: facility front office, regional office, corporate headquarters; “support services”; engineers and vendors with dial-in or Internet access; executives, salespeople, travelers
• Operations or SCADA network (“SCADAland”): Human-Machine Interface (HMI), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), and the field devices (valves, switches, and sensors)
SCADA systems today: Two worlds
[Diagram: the corporate side (facility front office, regional office, corporate headquarters) and the SCADA side (HMI, PLCs, RTUs, valves, switches, and sensors) drawn as two separate worlds]
What you will need
Access + Expertise
• Access: The capability to issue commands to the SCADA system
  ▫ Hack into the system
  ▫ Recruit an insider
  ▫ Steal an insider’s credentials
  ▫ Place a software tool
  ▫ Place modified equipment
• Expertise: Proficiency with the SCADA system to produce an effect
  ▫ Survey the system
  ▫ Select an effect you can produce
  ▫ Experiment and practice
  ▫ Defeat countermeasures
  ▫ Stay hidden?
Access: Technical targets
• Corporate network (support services, facility front office, regional office, corporate headquarters, remote access modems, remote users)
  ▫ Microsoft Windows
  ▫ Internet protocol
  ▫ Email and HTTP
  ▫ Passwords, encryption
  ▫ Element-level security
• SCADAland (HMI, PLCs, RTUs, valves, switches, and sensors)
  ▫ Analog and digital signals
  ▫ Wired and wireless transport
  ▫ Proprietary protocols
  ▫ Clear-text communications
  ▫ Serial interfaces
  ▫ Perimeter security
A question of priorities
Information security:
• Confidentiality
• Integrity
• Authenticity
• …
Worst case scenario: Data loss, security breach

SCADA:
• Integrity
• Availability
• Resilience
• …
• Authenticity
• Confidentiality
Worst case scenario: Loss of View, Loss of Control
Access: Human targets
• People who built it (designers & suppliers): planning engineers, process engineers, SCADA engineers, construction company, supply chain vendors, SCADA system vendor
• People who own it (the owners): executives, investors, administrators, managers, IT security
• People who run it (the operators): managers, engineers, maintenance, security
[Diagram: the three groups placed against the corporate side (facility front office, regional office, corporate headquarters) and the SCADA side (HMI, PLCs, RTUs, valves, switches, and sensors)]
Access in review
• SCADA systems rely on perimeter security.
  ▫ SCADA systems and equipment do not follow “standard” security conventions.
  ▫ Most (anecdotally, all) SCADA systems have some communications channel to the outside world.
• SCADA systems are surrounded by people.
  ▫ Owners: At the corporate level
  ▫ Operators: Hands-on access
  ▫ Designers: Schematics and equipment lists
  ▫ Don’t forget the SCADA system vendors, supply chain, maintenance, security…
Expertise
[Chart: Damage plotted against Clandestinity. The more damage you do, the more likely you’ll get caught.]
• Nation-state actors, crafty insiders, and other people who don’t want to get caught
• Terrorists
• Hackers, amateurs, and other people who don’t think they will get caught
Expertise: Achieving your objective
• The process: What you’re going to do
• The SCADA system: How you’re going to do it
• The environment: When you’re going to do it
Expertise: Managing human factors
• Every place has a culture.
  ▫ Culture derives from and determines human behavior
  ▫ Small problems versus Big Problems: Be a small problem!
• People can help or hinder your attack.
  ▫ Understand the culture at your target facility
  ▫ Will “blame the human” work?
• Culture is hard to read from a distance.
  ▫ Find and recruit an insider… there are many!
Expertise in summary
• The more damage you do, the more likely you will be caught.
  ▫ Many human and technical factors work against you
• Controlling SCADA requires a lot of information about your target.
  ▫ What to do: The processes you need to affect
  ▫ How to do it: The commands you need to issue
  ▫ When to do it: The external factors outside your control
• People can defeat your SCADA attack… or help you.
  ▫ Insider knowledge is critical to managing human factors
What’s out there
An overview of known cyber incidents involving critical infrastructure control systems

Who is targeting SCADA?
[Matrix, filled in over the following slides. Rows: Actor and Evidence. Columns: Goal (to take control; to get information) and Intent (for destructive attack; to demonstrate capabilities; for economic advantage; to case a target).]
Stuxnet
• Trojan active since 2008, discovered “in the wild” in June 2010
  ▫ “Escaped” from its intended target in 2009
• Very effective Microsoft Windows-based “missile” carrying a highly targeted SCADA “warhead”
[Diagram: the chain of infection]
• Rides a USB drive, CD, or DVD… (USB drive)
• Lands on a PC network and spreads… (Windows PCs)
• Looks for HMI software, PLCs, and device codes… (Siemens SCADA software)
• Is carried onto the Siemens PLC… (Siemens SCADA equipment)
• Issues commands to the speed controllers… (motor speed controllers)
• … and modifies the rate of spin of the centrifuges. (centrifuge cascades)
Missile: delivery system. Warhead: produces SCADA effect.
Stuxnet in the structure
[Diagram: the enterprise SCADA structure (corporate headquarters, regional office, facility front office, HMI, PLCs, RTUs, centrifuge processes) with Stuxnet’s path marked]
• Enters at a Windows PC running HMI software
• Modifies programming on the PLC
• PLC directs RTUs to direct controllers to change the speed of centrifuge motors
• Result: Loss of View and Loss of Control
Stuxnet’s effects on centrifuge spin
[Chart: drive speed in Hz (0-1600) over time, starting at initial infection]
• Normal, Phase I (~12.8 days): observation of the normal range (807-1210 Hz)
• Stress, Phase II (~27 days): reset to higher than normal speed (1410 Hz)
• Phase III (15 or 50 minutes): catastrophic crash from 1410 to 2 to 1064 Hz
• New normal, Phase IV (~27 days): reset to new normal (1064 Hz)
• Stress, Phase II again (~27 days): reset to higher than normal speed (1410 Hz), and the cycle repeats
Quick note for Stuxnet fans: This is 315 code, not 417 code.
The Stuxnet operation
[Chart: cascades at Natanz, 2007-2012 (0-60). Capacity: total number of cascades in place. Success: cascades up and running. Time axis Feb-07 to Feb-12.]
• 2007, Preparation: decision to target, access development, technical survey (survey tool: Flame?), tool development
• 2008: Stuxnet Version 1.0
• 2009 – mid 2010: Stuxnet Version 2.0
• Mid-2009: Escape of code to wild
• June 2010: Public discovery of Stuxnet
• Post-Stuxnet
Who is targeting SCADA?
[Matrix updated: Actor: nation-state actors. Evidence: Stuxnet, Flame.]
South Houston
• November 2011: Springfield, Illinois announces destruction of a water utility pump by Russian hackers
• Subsequently proved to be mundane pump failure
  ▫ FBI and DHS investigated: “Russian hack” was remote access by a SCADA engineer on vacation
• Lesson learned: Examining cyber logs without understanding SCADA culture leads to mistaken assumptions
• But this is not our story!
“Second water utility reportedly hit by hack attack”
• 18 November 2011: Hacker “pr0f” posts a message to pastebin.com
  ▫ Offended by FBI and DHS downplaying the Springfield “hack”
  ▫ Sought to highlight the vulnerabilities of control systems
pr0f: Conscientious hacker?
• Opportunistic target
  ▫ No grudge against South Houston
  ▫ Likely used the Shodan search tool to look for connected and responsive devices
  ▫ South Houston had no real security set up
• “No damage was done”?
This is an expression of human culture!
Who is targeting SCADA?
[Matrix updated: Actors: nation-state actors (Stuxnet, Flame); hackers (South Houston).]
Brazil power outages
• “Hacker extortionists” behind multiple power outages in Brazil
  ▫ January 2005: North of Rio de Janeiro, “tens of thousands of people”
  ▫ September 2007: Espirito Santo, 3 million people
• Brazil continues to deny hacking
  ▫ “Our systems are not connected to the Internet”
  ▫ Blamed 2007 outage on weather and “sooty insulators”
• If true…
  ▫ Hackers followed through on threats and disrupted the power grid. Were outages demonstrations or escalations?
  ▫ Were insiders involved?
Who is targeting SCADA?
[Matrix updated: Actors: nation-state actors (Stuxnet, Flame); hackers (South Houston); criminals (Brazil).]
China and global oil & gas companies
• China is conducting a series of espionage operations to collect information from U.S. and foreign energy companies.
  ▫ Short-term: Advantage in energy deals
  ▫ Long-term: Less energy dependence
• Two recent well-known cyber attacks against energy industry targets demonstrate this.
  ▫ Shady RAT (2006-2010)
  ▫ Night Dragon (2009-2011)
Shady RAT
• Who they targeted: From 2006 to 2011, 70 global entities, including a U.S. natural gas wholesaler from February to December 2009.
• What they stole: “… A historically unprecedented transfer of wealth—[including] negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more …”
• How they stole it: “A spear-phishing email … a download of the implant malware… backdoor communication channel … live intruders jumping on to the infected machine … targeting for quick exfiltration the key data they came for.”
– Dmitri Alperovitch, McAfee
Night Dragon
• Who they targeted: From November 2009 to early 2011, “attackers using several locations in China … [waged] attacks against global oil, gas, and petrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United States to acquire proprietary and highly confidential information.”
• What they stole: “Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding…”
• How they stole it: “… social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) … In certain cases, the attackers collected data from SCADA systems.”
– McAfee
China’s foreign oil/gas deals and cyber attacks
[Timeline chart, 2008-2013, placing Shady RAT (U.S. natural gas wholesaler) and Night Dragon (Kazakhstan, Taiwan, Greece, U.S.) alongside China’s deals:]
• Framework for LNG deal with Russia
• LNG deal with Uzbekistan
• LNG deal with Australia
• LNG deal with Australia
• LNG deal with France
• Finalization of South Pars Phase 11 with Iran
• LNG deal with QatarGas
• LNG deal with QatarGas
• LNG deal with QatarGas
• LNG deal with Shell
• LNG deal with Exxon
• Shale gas deal with Chesapeake Energy in Texas
• Aggressive bidding on multiple Iraqi oil fields at auction
• Purchase of major stake in Kazakh oil company
• Purchase of major stake in a second Kazakh oil company
• China-Taiwan trade deal for petrochemicals
• Purchase of Rumaila oil field, Iraq, at auction
• McKay River and Dover oil sands deal with Athabasca, Canada
• Development of Iran’s Masjed Soleyman oil field
• Oil development deal with Afghanistan
Who is targeting SCADA?
[Matrix updated: Actors: nation-state actors (Stuxnet, Flame); hackers (South Houston); criminals (Brazil); China, economic espionage (China’s cyber theft).]
What’s the scariest thing on here?
[The same matrix: goals (to take control; to get information) and intents (for destructive attack; to demonstrate capabilities; for economic advantage; to case a target) against the actors: hackers (South Houston), criminals (Brazil), nation-state actors (Stuxnet, Flame), China, economic espionage (China’s cyber theft).]
Who is/could be casing SCADA systems?
• Everyone.
  ▫ Terrorists: Al Qa’ida
  ▫ Competitors: Economic espionage
  ▫ Hackers: For the lulz
  ▫ Criminals: For profit
  ▫ Nation-state actors: For covert action
  ▫ China: For economic espionage
• SCADA casing is…
  ▫ Difficult to detect
  ▫ Difficult to prevent
  ▫ Difficult to characterize: “Dual use”? Illegal? Precursor to SCADA attack?
  ▫ Impossible to quantify: Relies on the victim to report it
Key indicators
• What’s the target?
  ▫ Corporate entity: The target, or a means to an end?
  ▫ SCADA vendor: Look at the customers
  ▫ Facility: One place, or the whole sector?
  ▫ Opportunistic exploration: Because it was there
• Who’s the attacker?
  ▫ Not just where it came from, but what they did: Did the cyber activity penetrate SCADAland? What data did the attacker exfiltrate? How well does the attacker know the target?
• How far along are things?
  ▫ Early stages (Access): Target research and selection
  ▫ Later stages (Expertise): Drilling down to data to shape the attack. What other information sources have been hit?
In conclusion
• SCADA vulnerability is a consequence of its priorities.
  ▫ Integrity, availability, and resilience
• For effective attack, you need access and expertise.
  ▫ Technology targets and human targets
• Lots of cyber activity appears to touch SCADA…
  ▫ Stuxnet
  ▫ Hackers and criminals
  ▫ Economic espionage
• … But it’s hard to determine precursors to SCADA attack.
  ▫ Control access and monitor expertise sources
  ▫ Look for indicators of serious capability and intent
Thank you! Betsy Woudenberg, [email protected]
The entirety of this presentation is © 2012 by IntelligenceArts, LLC. The information and insights herein are solely those of IntelligenceArts, LLC and do not derive from or represent the U.S. Government.
Stuxnet facts
• What it is
  ▫ A worm/trojan detected “in the wild” in June 2010
• What it targeted
  ▫ Windows PCs running Siemens WinCC and Step7 SCADA software: WinCC is a Windows-based HMI; Step7 (S7) runs on the PC to configure Siemens PLCs
  ▫ Siemens PLCs that control two specific high-frequency converter drives: Vacon (Finland) and Fararo Paya (Iran)
• How it spread
  ▫ Propagates by USB thumb drive, LAN, and other close-range techniques
  ▫ Four zero-day exploits for propagation between Windows machines
• What it did
  ▫ Late September 2010: 100,000 infected PC hosts worldwide, 60% in Iran
Forensic data and credited diagrams taken from Symantec’s W32.Stuxnet Dossier, February 2011
Stuxnet’s purpose
• Stuxnet was a destructive clandestine attack on the uranium enrichment centrifuge cascades at Natanz, Iran.
• Stuxnet looks for Siemens PLCs controlling an array of 31 Vacon or Fararo Paya converter drives
  ▫ Must operate between 807-1210 Hz for ~13 days
• It then modifies the frequency output from the drives in a repeating cycle
  ▫ Normal → 1410 Hz → 2 Hz → 1064 Hz
  ▫ Resets timer for next round
• And it hides the drive speed changes from the HMI
[Diagram: uranium gas (UF6) centrifuge. The frequency converter drive controls the speed of the motor that spins the centrifuge rotor.]
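The frequency cycle described above is what a plant-side monitor would have to notice, and the last bullet (the HMI is fed spoofed values) is why a monitor that trusts the HMI alone cannot. As an added illustration that is not code from this presentation or from any vendor, the Python below runs three defender checks over a constructed hourly telemetry series shaped like the phases the slide lists: a band check against the 807-1210 Hz normal range, a comparison of the HMI-reported value against an independently measured one, and a steady-state detector that flags a shifted baseline. The tolerances, the hourly sample rate, the `Sample` record and all function names are assumptions for the example. It also shows the caveat a practitioner needs: the 1064 Hz “new normal” sits inside the normal band, so only the independent reading or the comparison with the earlier baseline reveals it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Normal operating range from the presentation: 807-1210 Hz.
NORMAL_BAND = (807.0, 1210.0)
# The tolerances below are assumptions for this example, not values from the presentation.
MISMATCH_TOL_HZ = 5.0    # allowed gap between HMI display and independent sensor
STEP_TOL_HZ = 100.0      # largest hour-to-hour change treated as ordinary
STEADY_TOL_HZ = 10.0     # samples within this of a level belong to the same plateau
MIN_STEADY_HOURS = 24.0  # a plateau must last this long to count as a steady state


@dataclass(frozen=True)
class Sample:
    """One hourly telemetry reading (hypothetical record layout)."""
    t_hours: float      # hours since monitoring began
    hmi_hz: float       # drive frequency as shown on the HMI
    measured_hz: float  # drive frequency from an independent, out-of-band sensor


def out_of_band(hz: float, band: Tuple[float, float] = NORMAL_BAND) -> bool:
    lo, hi = band
    return hz < lo or hz > hi


def find_alerts(samples: List[Sample]) -> List[Tuple[float, str, str]]:
    """Return (time, kind, detail) for each anomaly: out_of_band, hmi_mismatch, step_change."""
    alerts: List[Tuple[float, str, str]] = []
    prev = None
    for s in samples:
        if out_of_band(s.measured_hz):
            alerts.append((s.t_hours, "out_of_band", f"measured {s.measured_hz:.0f} Hz"))
        if abs(s.hmi_hz - s.measured_hz) > MISMATCH_TOL_HZ:
            alerts.append((s.t_hours, "hmi_mismatch",
                           f"HMI {s.hmi_hz:.0f} Hz vs measured {s.measured_hz:.0f} Hz"))
        if prev is not None and abs(s.measured_hz - prev.measured_hz) > STEP_TOL_HZ:
            alerts.append((s.t_hours, "step_change",
                           f"{prev.measured_hz:.0f} -> {s.measured_hz:.0f} Hz"))
        prev = s
    return alerts


def steady_states(samples: List[Sample]) -> List[Tuple[float, float, float]]:
    """Return (start, end, level) for each plateau of measured_hz lasting MIN_STEADY_HOURS."""
    states: List[Tuple[float, float, float]] = []
    if not samples:
        return states
    start = last = samples[0]
    level = start.measured_hz
    for s in samples[1:]:
        if abs(s.measured_hz - level) <= STEADY_TOL_HZ:
            last = s
            continue
        if last.t_hours - start.t_hours >= MIN_STEADY_HOURS:
            states.append((start.t_hours, last.t_hours, level))
        start = last = s
        level = s.measured_hz
    if last.t_hours - start.t_hours >= MIN_STEADY_HOURS:
        states.append((start.t_hours, last.t_hours, level))
    return states


def shifted_baselines(states: List[Tuple[float, float, float]], tol_hz: float = 25.0):
    """Plateaus whose level differs from the first plateau by more than tol_hz,
    even when they lie inside NORMAL_BAND (the 1064 Hz 'new normal' case)."""
    if not states:
        return []
    base = states[0][2]
    return [st for st in states[1:] if abs(st[2] - base) > tol_hz]


def build_constructed_series() -> List[Sample]:
    """Constructed hourly telemetry shaped like the phases the presentation describes."""
    series: List[Sample] = []
    t = 0.0
    # Phase I: ~13 days of normal running; HMI and sensor agree at 1000 Hz.
    for _ in range(13 * 24):
        series.append(Sample(t, 1000.0, 1000.0))
        t += 1.0
    # Phase II: drives forced to 1410 Hz while the HMI keeps displaying 1000 Hz.
    for _ in range(27 * 24):
        series.append(Sample(t, 1000.0, 1410.0))
        t += 1.0
    # Phase III: crash to 2 Hz; one sample at hourly resolution.
    series.append(Sample(t, 1000.0, 2.0))
    t += 1.0
    # Phase IV: "new normal" of 1064 Hz, inside the band, HMI still spoofed.
    for _ in range(27 * 24):
        series.append(Sample(t, 1000.0, 1064.0))
        t += 1.0
    return series


def summarize(samples: List[Sample]) -> Dict[str, int]:
    """Count alerts by kind."""
    counts: Dict[str, int] = {}
    for _, kind, _ in find_alerts(samples):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    data = build_constructed_series()
    print(summarize(data))
    plateaus = steady_states(data)
    for start, end, level in plateaus:
        flag = "OUT OF BAND" if out_of_band(level) else "in band"
        print(f"plateau {level:.0f} Hz from h{start:.0f} to h{end:.0f} ({flag})")
    print("shifted baselines:", [round(st[2]) for st in shifted_baselines(plateaus)])
```

Run stand-alone, the script reports 1410 Hz as out of band, 1064 Hz as in band but as a shifted baseline, and an HMI mismatch on every sample after the first phase. The design point is the second data path: without an independent measurement the `hmi_mismatch` and `shifted_baselines` checks have nothing to compare against, which is exactly the gap a warhead that spoofs HMI data exploits.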
Stuxnet’s code
[Diagram: stages of the code, left to right]
• Lands on PC: thumb drive; LAN; digital certificates
• Establish: check OS version; get admin privileges; decrypt and load files; phone home and send profile
• Spread: .INF or .LNK; network shares; print spooler vulnerability; WinCC DB and project files; peer-to-peer update
• Infect: look for WinCC and S7 software; look for specific PLCs by ID code; modify S7 code on PC; inject code onto PLCs
• Implement: monitor drive output values; initiate timed sequences; intercept 16 of 109 routines; issue spoofed data to HMI
Missile: delivery system. Warhead: produces effect.
Phase I: Planning
• 2006-2007: Planning and tool development
  ▫ Study of Iran’s centrifuges, based on P-1 and P-2 Pakistani design
  ▫ Data collection on SCADA system inside Natanz. Was this Flame?
[Chart: cascades at Natanz (0-60), Feb-07 to Aug-07]
In 2006, Iran set up, tested, and began operating its first UF6 cascade of 164 linked centrifuges.
By November 2007, Iran had assembled and was operating its first “unit” of 18 linked cascades with a total of 2,952 working centrifuges.
Phase II: Covert attack
• 2008: First attacks
  ▫ Tool placed in the Natanz control network
  ▫ Moderate success but “no wholesale destruction”
“The Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.”
[Chart: cascades at Natanz (0-60), Feb-07 to Aug-08]
Iran quickly began assembling additional cascades based on the first successful unit.
However, the second unit was not operating at full capacity. By late 2008, only 24 of the 36 total cascades were operating.
Phase III: Success and escape
• 2008 – mid 2010: Repeated operations
  ▫ Additional versions inserted into Natanz
  ▫ Improvements to propagation mechanism
• Mid to late 2009: Critical period
  ▫ Significant disruption of Iran’s program
  ▫ Emergence of first virus samples in the wild
[Chart: cascades at Natanz (0-60), Feb-07 to Aug-10]
Iran built a third unit, for a total of 54 cascades.
But the number of working cascades remained stalled at 20-30.
Phase III: Success…
[Charts: status of the cascades in units A24, A26, and A28 in August 2009, November-December 2009, and August 2010, counted by category: operating with UF6; under vacuum, but not operating; idle, not under vacuum; centrifuges disconnected. Annotations: “Pilot unit, no major problems”; “Can’t bring these new cascades into service”; “Serious problems starting late 2009”.]
Phase III: Escape?
• Symantec found versions in the wild dating back to three “waves”
  ▫ June 2009
  ▫ March 2010
  ▫ April 2010
• Initially thought to be insertions into Natanz
• Now look like evidence of escape from Natanz
[Diagram: infection domains A through E; credit to Symantec, W32.Stuxnet Dossier, February 2011]
Phase IV: Discovery and aftermath
• Mid-2010: Public discovery
  ▫ June: Stuxnet found by VirusBlokAda
  ▫ July: Stuxnet characterized as SCADA attack; intensive public forensics begin
  ▫ August: AEOI meets to discuss ramifications
  ▫ September: Symantec counts 100,000 global infections
  ▫ November: Iran begins to admit infection at Natanz
[Chart: cascades at Natanz (0-60), Feb-07 to Feb-12, with Discovery marked]
How did Stuxnet get out of control?
• “An error in the code… had led [Stuxnet] to spread to an engineer’s computer when it was hooked up to the centrifuges … We think there was a modification done by the Israelis and we don’t know if we were part of that activity.”
• Symantec’s data seems to indicate two versions in the wild by mid-2009
  ▫ Error persisted across multiple versions of the virus
• September 2010: 100,000 infections worldwide
  ▫ Counted by samples and callbacks to the same C&C servers
[Chart: cascades at Natanz (0-60), Feb-07 to Feb-12, annotated Covert, Escape 1, Escapes 2 & 3, Data, 100,000 infections]
Did the Iranians know?
• At least two years of suffering in silence
• Post-Stuxnet
  ▫ Barrage of press about Iranian cyber expertise
  ▫ Arrests of “nuclear spies,” October 2010
  ▫ Stars virus, April 2011
  ▫ DigiNotar compromise, September 2011
What was going on?
[Chart: cascades at Natanz (0-60), Feb-07 to Feb-12]
Stuxnet’s sources for information
• Cyber targeting
  ▫ International Atomic Energy Agency (IAEA): No access to detailed information
  ▫ Computers at Natanz: No inbound Internet access
  ▫ Natanz engineers: Low likelihood of chatter
  ▫ Passive methods: High security
• Human targeting
  ▫ SCADA system vendor: Siemens
  ▫ People who own it: Atomic Energy Organization of Iran (AEOI)
  ▫ People who run it: Most direct, highly protected
  ▫ People who built it: Less direct, less protected
Humans certainly provided physical access to Natanz, and likely provided information as well.
Unanswered question #1
• Why did Stuxnet evolve?
  ▫ Wave 1 (June 2009): AUTORUN.INF exploit requires human enablement; encrypted payload
  ▫ Waves 2 and 3 (Mar – May 2010): .LNK exploit needs no human enablement; signed, legitimate digital certificates
  ▫ Nov – Dec 2009: Iran starts dismantling centrifuges
• Could it be that…
  ▫ Wave 1 code had been found and removed?
  ▫ The Iranians were tightening network security?
  ▫ The attackers didn’t know whether Wave 1 was working?
Unanswered question #2
• Did Stuxnet contain unused code?
  ▫ Sequences A (Vacon) and B (Fararo Paya), aka the 315 code, appeared operational
  ▫ To Symantec, Sequence C (the 417 code) was not functional: more sophisticated randomized effects (= more clandestine); inactive due to a missing piece of code; not copied onto the PLC; possibly unfinished
  ▫ No agreement between experts that 417 was not operational
• But… Why launch with unnecessary code? Where would the missing activation code come from? Are there other variants out there that haven’t been found?
Summary
• Stuxnet relied on humans and technology.
  ▫ Hard targets can be penetrated by a combination of technical and human targeting.
  ▫ Strengthening SCADA perimeter security against cyber intrusion won’t necessarily protect a high-value facility.
• The Iranians unwittingly helped Stuxnet.
  ▫ Humans will defy common sense according to cultural factors.
• “Cyber covert action” is becoming an oxymoron.
  ▫ Partnering multiplies risk.
  ▫ The global hunt is on.
Duqu
• Timeline: Active since 2007
  ▫ Discovered September 2011 by CrySyS (Budapest University of Technology and Economics)
• Targets: Variety
  ▫ Variety of corporate targets in Iran, Sudan, India, Vietnam, Ukraine, Switzerland, France and the Netherlands
• Tactics: Trojan Infostealer
• Perpetrator: Unknown
  ▫ Driver files similar or identical to Stuxnet: same missile, different warhead
• Effects
  ▫ Capable of stealing information about control systems, but no code to command a control system
  ▫ No consensus about purpose or targets
• Is this a SCADA attack?
Duqu, “Son of Stuxnet”
• What it is
  ▫ A trojan announced by Symantec on 20 October 2011
• What it targets
  ▫ Microsoft Windows
  ▫ Unspecified companies in France, Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Vietnam, UK, Austria, Hungary, Indonesia…
• How it spreads
  ▫ Zero-day exploit in Microsoft Word documents
• What it does
  ▫ System profiler and info-stealer; exfiltrates data to C&C servers
• Who did it
  ▫ No attribution to date
Why “Son of Stuxnet”? Methodology and portions of code identical to Stuxnet; effects and purpose appear different.
Forensic data and credited diagrams taken from Symantec’s W32.Stuxnet Dossier, February 2011
Stuxnet and Duqu, side by side
• Earliest apparent creation date of virus: Stuxnet June 2009; Duqu 2007
• Operational period: Stuxnet June 2009 – July 2010; Duqu December 2010 through 17 October 2011, re-emergence in February 2012
• Variants: Stuxnet four; Duqu seven
• Propagation: Stuxnet four zero-day exploits, LAN/thumb drive/etc., self-propagation; Duqu one zero-day (so far), no self-propagation
• Payload: Stuxnet code for Siemens WinCC and PLCs, written in Microsoft Visual C++; Duqu infostealer and backdoor, written in a custom “Object Oriented C dialect”
• Command and control: Stuxnet Malaysia, Denmark, no activity observed; Duqu India, Belgium, active, executable code transmitted via .JPGs and encrypted data
• Time limits: Stuxnet 3 offspring per infection, drop-dead in June 2012; Duqu 8-day window, 36 days per infection, can be extended via downloaded files
• Digital certificates: Stuxnet JMicron and Realtek in Hsinchu City, Taiwan; Duqu C-Media Electronics in Taipei, Taiwan
• Intended targets: Stuxnet Natanz uranium enrichment facility; Duqu unknown
Duqu versus Stuxnet
How they are the same (same missile):
• Identical functionality in Duqu’s netp191.dll and Stuxnet’s oem7a.dll
• Duqu’s Jminet7.sys/smi4432.sys drivers are “binary match to” Stuxnet’s mrxcls.sys
• Identical code in Duqu’s .zdata and Stuxnet’s .xdata
• Same processes hooked in ntdll.dll
• Same use of hashes/checksums to look up functions
• “Magic keys” such as “AE” in both
• Same startup processes and RPC logic
• Signed and unsigned versions of drivers; signed versions use a certificate from a Taiwanese firm
• Multiple variants over time
How Duqu is different (different warhead):
• Exfiltrates data
• Not targeting control systems
• Infection vehicle is an MS Word document (so far)
• “Object Oriented C dialect” programming language
• Controlled propagation
• Active use of C&C to pass code
• Relies on Internet for spread
• First samples compiled circa 2007
• Active as of March 2012
[Diagram labels: Spread; Signed digital certificates]
Duqu’s code
[Diagram: stages of the code, left to right]
• Lands on PC: Microsoft Word vulnerability; Server Message Block (SMB)
• Establish: check OS version; get admin privileges; decrypt and load files; Resource 302 loads .zdata
• Infect: Method 1: template .exe; Method 2: CreateProcessAsUser; Method 3: use existing process
• Implement: contact C&C; receive AES-encrypted data; install infostealer?; 8-day window in August 2011
Duqu: The reality
• No code to target control systems
  ▫ Sets up backdoor access via Internet C&C
• No evidence of targeting of industrial control system companies
• Most likely…
  ▫ Reuse of “missile” by Stuxnet’s creators?
  ▫ Repurposing of Stuxnet missile against other targets?
We are Post-Stuxnet.
• The Iranian nuke program is stronger than ever.
  ▫ Productivity improved
  ▫ Technical hardening
  ▫ Cultural hardening
• U.S. critical infrastructure is slowly getting more secure.
  ▫ Efforts to set up security standards
  ▫ Focus on strengthening inherent SCADA qualities, not introducing new protocols: perimeter security, defense-in-depth
We know we have problems.
[Chart: share of vulnerabilities by control-system level, drawn over the enterprise SCADA structure]
• Level 4: Enterprise systems (facility front office, regional office, corporate headquarters): 11%
• Level 3: Operations management: 16%
• Level 2: Supervisory control (HMI): 53%
• Level 1: Local or basic control (PLCs, RTUs): 20%
• Level 0: Process equipment (valves, switches, and sensors): 0%
Source: DHS Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011.
Cybersecurity: Forcing change
• Vulnerability disclosures
  ▫ “Amateurs” describing hundreds of flaws/quirks in hardware and software
• Community activism
  ▫ Digital Bond’s “Project Basecamp”: release of Metasploit modules for exploitation of several major control system types
• Ralph Langner’s insight: Design flaws versus vulnerabilities
Cybersecurity: The scary stuff
• Looking for “Son of Stuxnet”
  ▫ Command and control of SCADA
  ▫ Penetration of SCADA without command and control
  ▫ Attempts to penetrate SCADA
  ▫ Exfiltration of data from within SCADA
  ▫ Theft of SCADA data from operator’s corporate network
  ▫ Theft of proprietary non-SCADA data from operators
  ▫ Theft of proprietary non-SCADA customer data from vendors
  ▫ Theft of proprietary SCADA product data from vendors
  ▫ Run-of-the-mill pings against all of the above
Looking for Son of Stuxnet
[Chart: the activities below ranked by severity and by malign intent, with bands labelled SCADAland, Operation, Targeting, and Exploration]
• Command and control of SCADA
• Penetration of SCADA without command and control
• Attempts to penetrate SCADA
• Exfiltration of data from within SCADA
• Theft of SCADA data from operator’s corporate network
• Theft of proprietary non-SCADA data from operator
• Theft of proprietary non-SCADA customer data from vendor
• Theft of proprietary SCADA product data from vendor
• Run-of-the-mill pings against corporate networks
Here’s what Ralph Langner thinks
Ralph says…
• “‘Son of Stuxnet’ is a misnomer. What’s really worrying are the concepts that Stuxnet gives hackers… Before, a Stuxnet-type attack could have been created by maybe five people. Now it’s more like 500 who could do this.”
• Missile/warhead structure
• Code is available to the public
  ▫ Extensive public forensics by respected IT firms
• Methodology is on display
“What you still hear today from all kinds of people is how a Stuxnet-type attack requires so much insider knowledge. I finally had to publish a [simple and damaging] attack just to make sure no smart-guy tells his boss that this is impossible.”
“You just have to know how to copy parts of [Stuxnet]. After that, you just need a little more knowledge to make a simple but effective digital dirty bomb.”
Interviewed by the Christian Science Monitor, 24 September 2011
My take on it is…
• “A little more knowledge”? Access + Expertise
• Sustained clandestine attack requires significant expertise
• Brute attack does not, but how effective would it be? Terrorists and criminals may not need a predictable outcome to be successful
Things to think about
• What is a SCADA attack?
  ▫ Is it the target?
  ▫ Is it the intention?
• Was Stuxnet a successful operation?
  ▫ How do you define success?
• What will Son of Stuxnet be?
  ▫ How will this operation be used against us?