This is the first of a focused, two-part discussion of the threats and
challenges involved in cyber security.
The exploration of cyber threats and challenges is conducted using the Stuxnet
attack as a lens. The following post
picks up with an allegorical analysis of the cyber threat posed by nation-state
attacks as well as ideas about how information systems can be built so that
they are less tempting targets.
Stuxnet is widely described as the first cyber weapon. In fact, Stuxnet was the culmination of an orchestrated
campaign that employed an array of cyber weapons to achieve destructive effects
against a specific industrial target. This
piece explores Stuxnet’s technology, its behavior and how it was used to
execute a cyber-campaign against the Iranian uranium enrichment program. This discussion will continue in a subsequent
post describing an orthogonal view on the art and practice of security – one
that proposes addressing security as a design-time concern with runtime
impacts.
Stuxnet, discovered in June 2010, is a computer worm that
was designed to attack industrial programmable logic controllers (PLC). PLCs automate
electromechanical processes such as those used to control machinery on factory
assembly lines, amusement park rides, or, in Stuxnet’s case, centrifuges for
separating nuclear material. Stuxnet’s
impact was significant; forensic analyses conclude that it may have damaged or
destroyed as many as 1,000 centrifuges at the Iranian nuclear enrichment
facility located in Natanz. Moreover, Stuxnet
was never successfully contained: it escaped into the wild and has since turned
up in numerous other countries, including Russia.
There are many aspects of the Stuxnet story, including who
developed and deployed it and why. While
recent events seem to have definitively solved the attribution puzzle,
Stuxnet’s operation and technology remain both clever and fascinating.
A Stuxnet attack begins with a USB flash drive infected with
the worm. Why a flash drive? Because the targeted networks are not usually
connected to the internet. These
networks have an “air gap” physically separating them from the internet for
security purposes. That being said, USB
drives don’t insert themselves into computers.
The essential transmission mechanism for the worm is, therefore,
biological: a user.
I’m tempted to use the word “clueless” to describe such a
user, but that wouldn’t be fair. Most of
us carbon-based, hominid, bipedal Terran life forms are inherently entropic –
we’re hard-wired to seek the greatest return for the least amount of effort. In
the case of a shiny new flash drive that’s just fallen into one’s lap, the
first thing we’re inclined to do is to shove it into the nearest USB port to
see what it contains. And if that port
just happens to be on your work computer, on an air-gapped network. . .well,
you get the picture.
It’s now that Stuxnet goes to work, bypassing both the
operating system’s (OS) inherent security measures and any anti-virus software
that may be present. It does not need the user to open anything: a flaw in how
Windows handles shortcut (.lnk) files causes Explorer to load Stuxnet’s code
merely by displaying the drive’s contents. The kernel-mode drivers that Stuxnet
then installs carry valid digital signatures, so Windows loads them as
legitimate. Legitimacy, in the digital world, is
conferred by means of a digital certificate.
A digital certificate (or identity certificate) is an electronic
cryptographic document used to prove identity or legitimacy. The certificate includes information about a
public cryptographic key, information about its owner's identity, and the
digital signature of an entity that has verified the certificate's contents are
correct. If the signature is valid, and
the person or system examining the certificate trusts the signer, then the
public key, and any software signed with the corresponding private key, is
assumed to be safe for use. Note what that check does and does not prove: it
proves that whoever signed the software held the private key, not that they
were the key’s rightful owner.
Stuxnet’s drivers are signed with code-signing certificates stolen from two
legitimate hardware vendors (Realtek and, in a later variant, JMicron), so the
signatures check out even though nothing about the code is trustworthy. Now vetted, the worm
begins its own interrogation of the host system: Stuxnet confirms that the OS is a compatible
version of Microsoft Windows and, if an anti-virus program is present, which
one, so that it can use an injection method its designers had already tested
against that product. Upon receiving positive confirmation, Stuxnet
installs itself on the target computer.
Two files are loaded from the flash drive. One is a small loader that also
hides Stuxnet’s files on the drive; the other contains the main Stuxnet
payload, which unpacks itself into memory. Stuxnet then sets about camouflaging its
presence using a number of techniques, including modifying file creation and
modification times to blend in with the surrounding system files and registering
a driver service in the Windows registry to ensure that the required Stuxnet files load on
startup. Once unpacked, the Stuxnet worm is in its full, executable form.
Meanwhile, the original Stuxnet infection is still on the
USB flash drive. After successfully
infecting three separate computers, it commits “security suicide.” That is, like a secret agent taking cyanide
to ensure that she can’t be tortured into revealing her secrets, Stuxnet deletes
itself from the flash drive, limiting both its spread and the number of copies
available to malware analysts.
Inside the target computer, Stuxnet has been
busy. Its rootkit driver hides Stuxnet’s files from the OS and from anything
that asks the OS to list them; for practical purposes Stuxnet is now
indistinguishable from Windows. It’s now that Stuxnet becomes a detective,
exploring the computer and looking for one thing in particular: industrial
control system (ICS) software created by Siemens, the Simatic PCS 7 / Step 7 / WinCC
family, typically found on an engineering workstation such as a Siemens Simatic
Field PG notebook (a Windows-based system dedicated to ICS use).
The problem facing Stuxnet at this point is staying hidden long enough to
complete its reconnaissance. Anti-virus software watches for unknown code
running in unfamiliar processes, so Stuxnet does not run as its own process at
all. Instead it injects itself into a process that is already trusted at the
highest levels by the OS, choosing its host according to which security product
is installed. In several cases that host is something like. . .
. . .the anti-virus product’s own process, which is about the last place a
scanner looks for malware. (It’s worth noting that all of the companies whose
products were abused in this way have long since addressed the behaviour that
Stuxnet relied on.) From inside that host, Stuxnet checks for a Step 7
installation and, when it finds one, replaces the library Step 7 uses to talk to
the PLC (s7otbxdx.dll) with its own version, so that every exchange between the
engineering software and the PLC passes through Stuxnet.
All the while, Stuxnet is constantly executing housekeeping
functions. When two Stuxnet instances meet,
they compare version numbers, and the older one replaces itself with the newer
version. Stuxnet also checks its system
permission and access level. If it finds
that it does not have sufficient privileges, it uses a previously unknown
system vulnerability (such a thing is called a “zero-day,” and will be
discussed below) to grant itself the highest administrative privileges and
rights. If a local area network (LAN) connection is
available, Stuxnet will communicate with Stuxnet instances on other computers over a
peer-to-peer mechanism and exchange updates, ensuring that the entire Stuxnet cohort running within the
LAN is the most virulent and capable version.
If an Internet connection is found, Stuxnet reaches back to its command
and control (C2) servers and uploads information about the infected computer,
including its internet protocol (IP) address, OS version and whether or not
Step 7 software has been found.
Stuxnet relied on four zero-day
vulnerabilities to conduct its attacks.
Zero-days are of particular interest to attackers: because the vendor does not
yet know about them, no patch exists and signature-based defenses have nothing
to match, so they are very hard to defend against.
Stuxnet’s four zero-days were:
- a Microsoft Windows shortcut (.lnk) automatic file execution vulnerability, which allowed the worm to spread through removable flash drives;
- a print spooler remote code execution vulnerability, which allowed it to spread to other computers on the LAN; and
- two different local privilege escalation vulnerabilities, used to obtain administrative rights when it lacked them.
Once Stuxnet finds Step 7 software, it patiently waits and
listens until a connection to a PLC is made.
When Stuxnet detects the connection, it uses the Step 7 communication library
(which it has replaced with its own version) to write its own code blocks into
the PLC, and it hides those blocks from the engineer’s view, so that a
programmer inspecting the PLC sees the original, unmodified program. The injected code
targets the PLC’s control of the frequency converter drives, and Stuxnet takes control of the
converters. What’s of great
interest is Stuxnet’s method of camouflaging its control.
Remember the scene in Mission
Impossible, Ocean’s 11 and just
about every other heist movie where the spies and/or thieves insert a video
clip into the surveillance system?
They’re busy emptying the vault, but the hapless guard monitoring the
video feed only sees undisturbed safe contents.
Stuxnet turned this little bit of fiction into reality. Before doing anything
to the process, it records values from the PLC during normal operation. During the
attack, the readings that would reveal abnormal behavior are intercepted, and the
recorded, normal-looking values are replayed to the monitoring software on the
control computer instead.
Stuxnet is now in the position to effect a physical attack
against the gas centrifuges. To
understand the attack it’s important to understand that centrifuges work by
spinning at very high speeds and that maintaining these speeds within tolerance
is critical to their safe operation.
Typically, the frequency converters driving gas centrifuges used to enrich uranium operate at between
807 Hz and 1,210 Hz, with 1,064 Hz as a generally accepted standard.
Stuxnet used the infected PLCs to push the centrifuge
rotors to 1,410 Hz for about fifteen minutes, return them to normal and then,
roughly 27 days later, drop the rotor speed to 2 Hz for fifty minutes. Then the cycle repeated. The result was that over time the centrifuge
rotors became unbalanced, the motors wore out and, in the worst cases, the
centrifuges failed violently.
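The replay trick and the frequency profile described above invite a practical question: what would have caught it? The following Python example, added here and not part of the original post or of any published Stuxnet analysis, simulates the attack cycle at one-minute resolution and runs two monitors over it: a range check on the frequency the PLC reports, and a cross-check of that reported frequency against an independent sensor whose data never passes through the PLC. The 60-minute lead-in of normal operation before the first manipulation, the ±2 Hz drive jitter and the vibration-sensor model are assumptions of the example, and all data is constructed.

```python
import random
from typing import List, Tuple

# Operating band and set point for the frequency-converter drives, as given
# in the post (807-1210 Hz, 1064 Hz nominal).
SAFE_BAND_HZ = (807.0, 1210.0)
NOMINAL_HZ = 1064.0
MINUTES_PER_DAY = 24 * 60

# One attack cycle at one-minute resolution: (true drive frequency, minutes).
# Durations follow the post's description; the 60-minute lead-in of normal
# operation before the first manipulation is an assumption of this example.
ATTACK_CYCLE: List[Tuple[float, int]] = [
    (NOMINAL_HZ, 60),
    (1410.0, 15),
    (NOMINAL_HZ, 27 * MINUTES_PER_DAY),
    (2.0, 50),
]


def true_frequency_trace(rng: random.Random, cycles: int = 1) -> List[float]:
    """What the rotors actually do: the attack profile plus +-2 Hz drive jitter."""
    trace: List[float] = []
    for _ in range(cycles):
        for hz, minutes in ATTACK_CYCLE:
            trace.extend(hz + rng.uniform(-2.0, 2.0) for _ in range(minutes))
    return trace


def replayed_telemetry(rng: random.Random, length: int, window: int = 60) -> List[float]:
    """What the operator screen sees: a recorded window of normal readings,
    looped for the whole duration regardless of what the drive is doing."""
    recorded = [NOMINAL_HZ + rng.uniform(-2.0, 2.0) for _ in range(window)]
    return [recorded[i % window] for i in range(length)]


def vibration_from_frequency(hz: float, rng: random.Random) -> float:
    """Constructed model of an independent bearing-vibration sensor: amplitude
    scales with the square of rotor speed, normalised to 1.0 at the set point."""
    return (hz / NOMINAL_HZ) ** 2 + rng.gauss(0.0, 0.02)


def range_check(reported: List[float]) -> List[int]:
    """Naive monitor: flag any reported sample outside the operating band."""
    lo, hi = SAFE_BAND_HZ
    return [i for i, hz in enumerate(reported) if not lo <= hz <= hi]


def cross_check(reported: List[float], vibration: List[float], tolerance: float = 0.15) -> List[int]:
    """Better monitor: flag samples where the independent sensor disagrees
    with what the reported frequency would predict."""
    alerts: List[int] = []
    for i, (hz, measured) in enumerate(zip(reported, vibration)):
        expected = (hz / NOMINAL_HZ) ** 2
        if abs(measured - expected) > tolerance:
            alerts.append(i)
    return alerts


def run_demo(seed: int = 7) -> dict:
    """Run both monitors over one attack cycle and summarise what each saw."""
    rng = random.Random(seed)
    actual = true_frequency_trace(rng)
    reported = replayed_telemetry(rng, len(actual))
    vibration = [vibration_from_frequency(hz, rng) for hz in actual]
    cross = cross_check(reported, vibration)
    return {
        "samples": len(actual),
        "range_alerts_on_replayed_data": len(range_check(reported)),
        "range_alerts_if_data_were_honest": len(range_check(actual)),
        "cross_check_alerts": len(cross),
        "first_cross_check_alert_minute": cross[0] if cross else None,
        "cross_check_alert_minutes": cross,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        if key != "cross_check_alert_minutes":
            print(f"{key}: {value}")
```

The range check never fires on the replayed telemetry, because the replay keeps every reported value inside the band; run against the true trace it would have flagged all 65 minutes of manipulation. The cross-check fires on exactly those 65 minutes, with the first alert at minute 60, when the drives jump to 1,410 Hz. The lesson is architectural: an integrity check that relies only on data supplied by the compromised component is no check at all; at least one measurement has to reach the monitor by a path the attacker does not control.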
Stuxnet destroyed as much as twenty percent of the Iranian
uranium enrichment capacity. There are
two really fascinating lessons that can be learned from the Stuxnet story. The first is that cyber-attacks can and will
have effects in the kinetic and/or physical realm. Power grids, water purification facilities
and other utilities are prime targets for such attacks. The second is that within the current design
and implementation paradigms by which software is created and deployed, if a
bad actor with the resources of a nation-state wants to ruin your cyber-day,
your day is pretty much going to be ruined.
But that assumes that we maintain the current paradigm of
software development and deployment. In
my next post I’ll discuss ways to break the current paradigm and the
implications for agile, resilient systems that can go into harm’s way, sustain
a cyber-hit and continue to perform their missions.