“One of the greatest technical blockbusters in malware history.” Stuxnet, a 500-kilobyte digital worm, infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. The first traces of Stuxnet were observed in July 2010, when an Industrial Control System Emergency Response Team officer informed Seán McGurk (then Director of Control Systems Security at the US Department of Homeland Security) about a call received from a partner agency in Germany, concerning a malware sample they had obtained that had some very unusual characteristics.
Iran bore the biggest loss, losing over one-sixth of the centrifuges at its Natanz plant; Indonesia, India, Azerbaijan, the US and a handful of other countries also felt its effects. The emergence of Stuxnet, a digital weapon targeting Supervisory Control and Data Acquisition (SCADA) systems, marked the beginning of a new era of cyber crime against industrial control systems (ICS).
A brief of Stuxnet
Stuxnet was first identified in June 2010 by VirusBlokAda. Its discovery at that time is attributed to the worm accidentally spreading beyond its intended target, the Natanz plant.
With the release of malware specifically targeting industrial control systems, we entered a new domain of cyber risk. Before Stuxnet, the key focus of information security was on networks and on business and personal information; most of the concern was with theft or fraud, not the destruction of physical systems through cyber means.
It targeted only automation processes, that is, electro-mechanical processes that control all kinds of machinery such as motors, fans and heaters, and all kinds of sensors. Stuxnet exploited about four zero-day flaws, targeting machines and networks running the Microsoft Windows operating system and then seeking out Siemens software.
Stuxnet's design and architecture are not domain-specific; it could be tailored to attack any modern Supervisory Control and Data Acquisition (SCADA) and PLC system. Targeting industrial control systems, Stuxnet infected over 2 lakh (200,000) computers and caused a thousand systems to physically degrade.
How it worked
Process 1: INFECTION. Stuxnet enters a system via a USB stick and proceeds to infect all machines running Microsoft Windows. By presenting a digital certificate that appears to prove it comes from a trusted company, the worm evades automated detection systems.
Process 2: SEARCH. Stuxnet then checks whether a given machine is part of the targeted industrial control system manufactured by Siemens. Such systems are in place to run the high-speed centrifuges used to enrich nuclear fuel.
Process 3: UPDATE. If the system isn't the target, Stuxnet does nothing; if it is, the worm attempts to reach the internet, download a newer version of itself and update.
Process 4: COMPROMISE. The worm then compromises the target system's SCADA ladder logic, exploiting 'zero-day' vulnerabilities: SCADA weaknesses that had not yet been identified by security experts.
Process 5: CONTROL. In the beginning, Stuxnet spies on the operations of the targeted system; it then uses the information it has gathered to take control of the programmable logic controllers (PLCs), making the centrifuges spin themselves to failure.
Process 6: DECEIVE & DESTROY. Meanwhile it provides false feedback to outside controllers, ensuring that they won't know what's going wrong until it's too late to do anything about it.
- Stuxnet made use of five vulnerabilities: one previously patched (the CPLINK vulnerability and a vulnerability used by the Conficker worm) and four zero-day vulnerabilities.
- The two Stuxnet variants used different valid digital certificates obtained from technology companies at Hsinchu Technological Park (Taiwan).
- Stuxnet can perform over 4,000 functions, as many as a commercial software product.
- Stuxnet employs many evasion techniques, including bypassing antivirus software, advanced process injection, and the quick removal of temporary files.
- After infecting a system, the malware gathers substantial data from MS SQL Server, the Windows registry, and application software.
Modern day cyber weapons
The Stuxnet worm left a deep scar in the minds of all critical infrastructure security providers, but that was 8 years ago, and cyber weapons have since become more sophisticated. Also, as a result of Stuxnet, we see not only the capability to disrupt but the willingness to do so.
There have been many malware attacks since Stuxnet: Mahdi, Shamoon, Duqu, Skywiper, BlackEnergy, Flame, Petya/NotPetya and Triton (also known as Trisis/Hatman), malware intended to deny, disrupt and destroy the ability to conduct business and deliver goods and services.
Preventive measures to combat attacks like Stuxnet
Effective security policies and procedures
- Policies and procedures are the building blocks for securing control systems; they then need to be reviewed and updated on a continual basis.
- Security policies should be tailored to the specific host-to-host and zone-to-zone communication requirements, including protocols, ports, etc.
- Run a security awareness and education drive on a regular basis to keep stakeholders up to date.
- USB drives should be disabled in all security zones (as per Industrial Automation and Control Systems Security, ISA-99).
- Software Restriction Policies (SRP) should be implemented to prevent the execution of code from removable media (pen drives, CDs, DVDs, etc.).
- All systems should be audited on a regular basis.
- A Security Information and Event Management (SIEM) implementation should be in place.
- “Whiteboxing” (allow-listing known-good code) should be preferred over “blackboxing” or heuristic, history-based solutions.
- An IDS should be implemented, with all alerts consolidated and reconciled within the SIEM.
- A SCADA honeypot should also be implemented.
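As an added example (not from the original article), the following PowerShell enforces and then audits the two removable-media measures listed above on a Windows host: the Removable Storage Access "deny execute" policy for removable disks, and disabling the USB mass storage driver for zones where USB must be off entirely. The registry locations are the standard Group Policy ones; the device-class GUID is assumed to be the one for "Removable Disks", and the function names are my own.

```powershell
# Added example, not the article's own code. Run in an elevated session.
# Device-class GUID for "Removable Disks" used by the Removable Storage
# Access policy (assumption: matches the ADMX template on this host).
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisks"
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableMediaLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # For zones where USB mass storage must be fully disabled (ISA-99 style)
        [switch]$DisableUsbStorage
    )
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Deny execute on removable disks')) {
        New-Item -Path $PolicyKey -Force | Out-Null
        # Deny_Execute = 1 blocks running programs from removable disks while
        # still allowing read access for legitimate data transfer.
        Set-ItemProperty -Path $PolicyKey -Name 'Deny_Execute' -Value 1 -Type DWord
    }
    if ($DisableUsbStorage -and
        $PSCmdlet.ShouldProcess($UsbStorKey, 'Disable USB mass storage driver')) {
        # Start = 4 (SERVICE_DISABLED) stops the USBSTOR driver from loading.
        Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
    }
}

function Test-RemovableMediaLockdown {
    # Emits one object per control so the result can be forwarded to a SIEM.
    $denyExec = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_Execute' `
                 -ErrorAction SilentlyContinue).Deny_Execute
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name 'Start' `
                 -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Control   = 'Deny execute on removable disks'
        Compliant = ($denyExec -eq 1)
        Observed  = $denyExec
    }
    [pscustomobject]@{
        Control   = 'USB mass storage driver disabled'
        Compliant = ($usbStart -eq 4)
        Observed  = $usbStart
    }
}

# Audit the current state, then preview the enforcement with -WhatIf.
Test-RemovableMediaLockdown | Format-Table -AutoSize
Set-RemovableMediaLockdown -DisableUsbStorage -WhatIf
```

Drop `-WhatIf` to apply the settings; the USBSTOR change takes effect for newly attached devices, and the policy key can equally be delivered through a domain GPO.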