7. Damaging Impact in Four Steps
To develop protective measures against Stuxnet-like attacks, a basic
understanding of the worm’s activities is essential. It unfolds its damaging impact
in four steps on different layers:
1. Infection of Windows PCs: Stuxnet uses exploits for a total of four previously unknown (zero-day) Windows vulnerabilities.
2. Abuse and Manipulation of Automation Software: Stuxnet abuses and manipulates any WinCC databases and STEP 7 project files it finds. It also renames s7otbxdx.dll to s7otbxdsx.dll and replaces it with a DLL of its own.
3. Injection of Malicious Code into Controllers: The replacement DLL enables Stuxnet to inject malicious code into the PLCs configured in those projects. The malicious code combines denial-of-control and denial-of-view techniques.
4. Communication with Command & Control Servers on the Internet: Infected computers contact C&C servers to upload information collected about the target and its environment; new instructions and updates to the worm can also be received and executed over the same channel.
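The DLL swap in step 2 leaves two host-level indicators a defender can check for: the displaced original sitting next to the live DLL under its new name, and a live s7otbxdx.dll whose hash no longer matches the one recorded at install time. The check below is an added example, not code from the original deck; the STEP 7 directory and the baseline hash are assumed to be supplied by the caller, and the demo builds a constructed directory to exercise both the clean and the swapped case.

```python
import hashlib
import tempfile
from pathlib import Path

LIVE_DLL = "s7otbxdx.dll"      # the DLL STEP 7 actually loads
RENAMED_DLL = "s7otbxdsx.dll"  # name Stuxnet gives the displaced original


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_step7_dll(step7_dir: Path, baseline_sha256: str) -> list[str]:
    """Return indicator strings; an empty list means nothing suspicious."""
    findings = []
    if (step7_dir / RENAMED_DLL).exists():
        findings.append(f"{RENAMED_DLL} present (displaced original)")
    live = step7_dir / LIVE_DLL
    if not live.exists():
        findings.append(f"{LIVE_DLL} missing")
    elif sha256_of(live) != baseline_sha256.lower():
        findings.append(f"{LIVE_DLL} hash differs from install baseline")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a clean install, then the rename-and-replace."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / LIVE_DLL).write_bytes(b"vendor DLL bytes (constructed)")
        baseline = sha256_of(d / LIVE_DLL)  # recorded at install time
        before = check_step7_dll(d, baseline)
        # simulate step 2: original moved aside, a foreign DLL takes its name
        (d / LIVE_DLL).rename(d / RENAMED_DLL)
        (d / LIVE_DLL).write_bytes(b"foreign DLL bytes (constructed)")
        after = check_step7_dll(d, baseline)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The baseline hash only helps if it was recorded from a known-clean install and stored somewhere the workstation cannot rewrite.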
9. Industrial Malware Mitigations
Secure Enclaves
• Logically group networks, assets, the operations they perform, and even the users responsible for those operations.
• Perimeter defenses such as firewalls, network IDS and IPS, and router access control lists can be configured to isolate the defined members of an enclave.
• Enclaves protect the internal systems from insider attacks, or from an attack that somehow circumvents the established perimeter defenses (e.g. via USB flash drives).
10. Industrial Malware Mitigations - Cont
Patch Management
Establish a patch management enclave to provide an additional barrier between online patch management and the systems requiring upgrades.
The patch management methodology:
1. Download the required vendor/application patches.
2. Verify the integrity of these patches and scan them for viruses.
3. Archive the validated files to read-only media.
4. Install the patches on test systems to verify the ramifications of the update.
5. Install on production systems.
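Steps 2 and 3 of the methodology are the gate that keeps a tampered or infected download out of the archive that the test and production systems install from. The function below is an added example, not the deck's own code: it recomputes the SHA-256 of a downloaded file, compares it with the digest the vendor published (assumed to be supplied by the caller), runs a caller-supplied scanner callback standing in for the site's AV product, and only then writes a read-only copy into the archive directory.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def stage_patch(downloaded: Path, vendor_sha256: str, archive_dir: Path, scan_clean) -> Path:
    """Verify, scan, then archive read-only; any failed gate raises ValueError."""
    actual = sha256_file(downloaded)
    if not hmac.compare_digest(actual, vendor_sha256.lower()):
        raise ValueError(f"{downloaded.name}: digest does not match vendor value")
    if not scan_clean(downloaded):  # scanner callback: True means clean
        raise ValueError(f"{downloaded.name}: scanner did not report the file clean")
    archive_dir.mkdir(parents=True, exist_ok=True)
    dest = archive_dir / downloaded.name
    dest.write_bytes(downloaded.read_bytes())
    os.chmod(dest, 0o444)  # read-only copy: test and production install from here
    return dest

def demo() -> dict[str, object]:
    """Constructed run: a good patch, then a tampered copy, then a scanner hit."""
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        inbox, archive = Path(tmp) / "inbox", Path(tmp) / "archive"
        inbox.mkdir()
        patch = inbox / "vendor_patch_1.bin"
        patch.write_bytes(b"vendor patch payload (constructed)")
        vendor_digest = sha256_file(patch)  # stands in for the published hash
        dest = stage_patch(patch, vendor_digest, archive, lambda p: True)
        results["archived_read_only"] = (os.stat(dest).st_mode & 0o222) == 0
        patch.write_bytes(b"tampered payload (constructed)")  # altered after download
        for label, digest, scan in (("tampered", vendor_digest, lambda p: True),
                                    ("infected", sha256_file(patch), lambda p: False)):
            try:
                stage_patch(patch, digest, archive, scan)
                results[label] = "archived"
            except ValueError:
                results[label] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```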
13. Industrial Malware Mitigations - Cont
Blacklisting
A “blacklist” solution compares the monitored object against a list of what is known to be bad. Traditional HIDS, antivirus and IPS products depend on blacklisting.
Two issues with blacklisting:
• A blacklist must be continuously updated as new threats are discovered.
• There is no way to detect or block certain attacks, such as zero-days (Stuxnet).
14. Industrial Malware Mitigations - Cont
Application Whitelisting (AWL)
• Creates a list of what is known to be good and applies very simple logic: if it is not on the list, block it.
• No signatures or virus definitions are needed (Stuxnet lived for a year before it was detected by AV vendors).
• AWL can block zero-day industrial malware like Stuxnet.
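To make the contrast between slides 13 and 14 concrete, the added example below (not from the original deck) runs the same set of constructed "executables" through a hash-based blacklist and a hash-based whitelist. The never-seen dropper passes the blacklist but not the whitelist; the flip side, which the deck does not spell out, is that a freshly patched vendor build is also blocked until the whitelist is re-baselined, which is why AWL maintenance belongs in the patch management procedure.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# constructed stand-ins for PE files on an engineering workstation
SAMPLES = {
    "step7.exe":    b"STEP 7 engineering tool, vendor build 1 (constructed)",
    "wincc.exe":    b"WinCC HMI runtime (constructed)",
    "oldworm.exe":  b"malware already in AV definitions (constructed)",
    "zeroday.exe":  b"never-before-seen dropper (constructed)",
    "step7_v2.exe": b"STEP 7 engineering tool, vendor build 2 (constructed)",
}

# blacklist: what AV/IPS vendors have already catalogued
KNOWN_BAD = {sha256(SAMPLES["oldworm.exe"])}
# whitelist: what was present when the workstation was baselined
KNOWN_GOOD = {sha256(SAMPLES["step7.exe"]), sha256(SAMPLES["wincc.exe"])}

def blacklist_allows(data: bytes) -> bool:
    return sha256(data) not in KNOWN_BAD

def whitelist_allows(data: bytes) -> bool:
    return sha256(data) in KNOWN_GOOD

def compare(samples: dict[str, bytes] = SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Map each sample name to (blacklist_allows, whitelist_allows)."""
    return {name: (blacklist_allows(d), whitelist_allows(d)) for name, d in samples.items()}

def rebaseline(samples: dict[str, bytes], approved: list[str]) -> None:
    """Whitelist maintenance: after a verified vendor patch, admit the new build."""
    KNOWN_GOOD.update(sha256(samples[n]) for n in approved)

if __name__ == "__main__":
    for name, (bl, wl) in compare().items():
        print(f"{name:14} blacklist={'allow' if bl else 'block'}  "
              f"whitelist={'allow' if wl else 'block'}")
```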
16. Industrial Malware Mitigations
Firewalls
• Block Internet access from the workstations that configure and control PLCs (this prevents any interaction with C&C servers).
• Block access to Internet hosts with a bad reputation (threat intelligence feeds and IP blacklists).
• Block IP addresses, external or internal, that generate abnormal network traffic until the incident has been investigated.
• Block connections to unused protocols or services.
• Implement SCADA-aware firewalls to control traffic.
18. Standards Organizations
North American Reliability Corporation (NERC)
The North American Reliability Corporation is tasked by the Federal Energy Regulatory
Commission (FERC) to ensure the reliability of the bulk power system in North
America. NERC enforces several reliability standards, including the reliability standard
for Critical Infrastructure Protection (NERC CIP). In addition to these standards, NERC
publishes information, assessments and trends concerning bulk power reliability,
including research into reliability events as they occur. The NERC CIP standards
consist of nine standards documents, all of which are available from NERC’s
website at:
http://www.nerc.com/page.php?cid=2|20
19. Standards Organizations - Cont
The United States Nuclear Regulatory Commission (NRC)
The United States Nuclear Regulatory Commission is responsible for the safe use of
radioactive materials, including nuclear power generation and medical applications of
radiation. The NRC publishes standards and guidelines for Information Security, as well
as general information and resources about nuclear materials and products, nuclear
waste materials, and other concerns.
NRC Title 10 CFR 73.54
NRC Title 10 of the Code of Federal Regulations, Part 73.54 regulates the “Protection
of digital computer and communication systems and networks” used in member
Nuclear Facilities. More information on CFR 73.54 is available from NRC’s website at:
http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html
20. Standards Organizations - Cont
The United States Nuclear Regulatory Commission (NRC)
NRC RG 5.71
The United States Nuclear Regulatory Commission’s Regulatory Guide 5.71 offers
guidance on how to protect digital computer and communication systems and
networks. RG 5.71 is not a regulatory standard but rather guidance on how to comply
with the standard, which is Title 10 of the Code of Federal Regulations, Part 73.54.
Information on RG 5.71 is available from NRC’s website at:
http://nrc-stp.ornl.gov/slo/regguide571.pdf
21. Standards Organizations - Cont
United States Department of Homeland Security (DHS)
The Department of Homeland Security’s (DHS) mission is to protect the United States
from a variety of threats including (but not limited to) terrorism and cyber
security threats. One area where cyber security concerns and anti-terrorism overlap is the
protection of chemical facilities, which are regulated under the Chemical Facilities
Anti-Terrorism Standards (CFATS). CFATS includes a wide range of security controls,
which can be measured against a set of Risk-Based Performance Standards (RBPSs).
Chemical Facilities Anti-Terrorism Standard
The Chemical Facility Anti-Terrorism Standards (CFATS) are published by the United
States Department of Homeland Security, and they encompass many areas of chemical
manufacturing, distribution and use including cyber security concerns. More
information on CFATS can be found on the DHS’s website at:
http://www.dhs.gov/files/laws/gc_1166796969417.shtm
22. Standards Organizations - Cont
United States Department of Homeland Security (DHS)
CFATS Risk-Based Performance Standards
The United States Department of Homeland Security also publishes recommendations
in the form of Risk-Based Performance Standards (RBPSs) for CFATS. These standards
provide guidance for the compliance to the Chemical Facility Anti-Terrorism Standards.
More information on the CFATS RBPS can be found on the DHS’s website at:
http://www.dhs.gov/xlibrary/assets/chemsec_cfats_riskbased_performance_standards.pdf
23. Standards Organizations - Cont
International Standards Association (ISA)
The International Standards Association (ISA) and the American National Standards
Institute (ANSI) have published three documents concerning industrial network
security under the umbrella of ISA-99. These documents are: ANSI/ISA-99.02.01-2009,
“Security for Industrial Automation and Control Systems: Establishing an Industrial
Automation and Control Systems Security Program”; ANSI/ISA-99.00.01-2007,
“Security for Industrial Automation and Control Systems: Concepts, Terminology and
Models”; and ANSI/ISA-TR99.00.01-2007, “Security Technologies for Manufacturing
and Control Systems.”
These documents, as well as additional information and resources relevant to ISA-99
are available at the ISA website, at:
http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
24. Standards Organizations - Cont
The International Standards Organization (ISO) and International Electrotechnical Commission (IEC)
The International Standards Organization (ISO) and the International Electrotechnical
Commission (IEC) produced the ISO/IEC 27002:2005 standard for “Information
technology—Security techniques—Code of practice for information security
management.” While ISO/IEC 27002:2005 does not apply exclusively to SCADA or
industrial process control networks, it provides a useful basis for implementing
security in industrial networks, and is also heavily referenced by a variety of
international standards and guidelines. More information on the ISO/IEC 27002:2005
can be found on the ISO website at:
http://www.iso.org/iso/catalogue_detail?csnumber=50297
25. Conclusions
• Security through obscurity no longer works with SCADA.
• The belief that PLCs are not vulnerable because they are not connected to the Internet is false.
• SCADA security standards and industrial security solutions can reduce attacks.
• The Stuxnet cyberweapon looks to be one of a production line.