1 / 27

Stuxnet : The Future of Malware?

Stuxnet : The Future of Malware?. Stephan Freeman. Theme. Systems physically controlling something… Getting hacked… Disasters averted. Just. The reality isn’t so different…. Previous Incidents.

minor
Télécharger la présentation

Stuxnet : The Future of Malware?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Stuxnet: The Future of Malware? Stephan Freeman

  2. Theme • Systems physically controlling something… • Getting hacked… • Disasters averted. Just. • The reality isn’t so different…

  3. Previous Incidents • Slammer disables safety systems at Ohio Davis-Besse Nuclear Plant in US for five hours in 2003 • Blaster affects US powergrid during 2003 blackout • Disgruntled employee in Australia logs in over WiFi at his old employers and releases over a million litres of raw sewage • 14 year-old in Lodz, Poland, derails trams after taking over the signaling system in 2008 • Many more undisclosed

  4. Previous Incidents • All either accidental/side effects of non-targeted attacks • Or bored/disgruntled individuals • Stuxnet signifies something new: Malware specifically targeted at a country’s physical infrastructure.

  5. What is it? • Windows-based malware, targeting very specific configurations • Used four zero-day vulnerabilities • Is the first Process Control-specific malware seen • Almost certainly state-sponsored • Possibly an insight into the future of malware

  6. Process Control Systems • Systems used to bridge the logical and physical interface • Several types of components, used in industrial environments (PLCs, DCSs…) • Manufactured by Siemens, GE, ABB, Westinghouse • Often referred to as SCADA systems (Supervisory Control And Data Acquisition)

  7. SCADA • Controls almost anything, e.g.: • Traffic signals • Train signals • Amusement parks rides • Water processing systems • Power station generators • Factory assembly lines • Electrical substations

  8. Vulnerabilities • COTS components used with known vulnerabilities • Lag between patches being released and being certified for a particular system • Poorly-written OS or TCP/IP stack on individual components • Lack of understanding of the risk • Multiple 3rd parties involved in integration of large-scale systems

  9. Stuxnet - Detail • Targeted Windows PCs connected to Siemens PLCs (specifically S7-300) • Spread via USB sticks and over the Internet using 4 zero-day vulnerabilities • Installs itself as a rootkit in Windows, using stolen driver signing certificates • Modified the Step-7 application used to reprogram PLCs • Installs itself on the Siemens PLC

  10. What is a PLC?

  11. Stuxnet - Detail • Once on the PLC, checks whether either Vacon (Finnish) or FararoPaya (Iranian) frequency converter drives are attached • Checks what frequency they’re running at: if they’re between 807 Hz and 1210 Hz, it changes the frequency of the drives periodically. • The frequencies happen to correspond to those needed for gas centrifuges, such as those used in the enrichment of uranium • Done in such a way as to hide any error messages being passed back to the controller • Automatically deletes itself on the 24th of June 2012

  12. Target? Iranian uranium enrichment centrifuges, inspected by President Ahmedinejad

  13. Stuxnet - Infections From Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

  14. Impact • US not affected – very few infections • Possible links to 10 large-scale explosions in Iranian oil and petrochemical plants • Affected numerous centrifuges at Iran’s main uranium processing plant in Natanz • Could have caused “large scale accidents and loss of life” in Iran, according to AP

  15. Why do it? • Deniability • Physical distance • Stealth • Unclear response

  16. Stuxnet – Author? • Difficult to tell who wrote it • Common consensus is that it was state-sponsored • Too much technical knowledge to be casual hackers

  17. This may have happened before… • Pipeline explosion in former Soviet Union in 1982 • CIA alleged to have deliberately sabotaged SCADA equipment destined for the Trans-Siberian Pipeline, stolen by the KGB • Supposedly used a logic-bomb • Resultant explosion had a force of three-kilotons of TNT

  18. What does the future hold? • More targeted attacks • Private companies on the front-line • Over 30 countries have cyber-warfare programmes • More hacktivists • General need to “batten down the hatches”

  19. Who receives targeted attacks? Worldwide industry sector since 2008 18172 targeted attacks during 2010 Targeted Attacks - Infosec

  20. What can we do? • Loads of advice available • Organisations should think hard aboutthe threats they face • Take a holistic approach, looking at physical security as well as information security • Accept that it may not be possible to defend networks against concerted, well funded attack and consider keeping the most critical information offline.

  21. Further reading • http://www.computerworld.com/s/article/84510/Blaster_worm_linked_to_severity_of_blackout?taxonomyId=083 • http://www.scadasecurity.org • http://www.theregister.co.uk/2008/01/11/tram_hack/ • http://www.cpni.gov.uk/advice/infosec/business-systems/scada/ • http://news.yahoo.com/s/nm/20110417/ts_nm/us_iran_nuclear_stuxnet_1 • http://www.symantec.com/connect/blogs/stuxnet-breakthrough

  22. Thank You Stephan Freeman BSc MSc MBCS CITP Information Security Manager London School of Economics & Political Science Secretary, ISSA UK s.freeman@lse.ac.uk / stephan.freeman@issa-uk.org

More Related