Industrial Security 5 years post-Stuxnet

Posted on 28-May-2020

TRANSCRIPT

Page 1

www.limessecurity.com

Industrial Security 5 years post-Stuxnet

Page 2: Company Introduction

• Vendor-independent security consulting
• Founded in 2012, part of Softwarepark Hagenberg
• Operating in DACH, Northern Europe
• 2 major business fields: Secure Software Development; Industrial Security Consulting

Page 3: “Everything changed with Stuxnet”

Page 4: A quick recap. In 2010…

• The automation world considered itself to be peaceful, due to:
  • The success of automation engineers shielding their systems from enterprise IT
  • The belief that the automation systems were closely isolated or even air-gapped
  • Nobody outside automation would understand its proprietary workings
• The usage of OEM software components was not seen as a security issue
• Security practices/technologies were commonly not applied in industrial control systems (ICS)
• Safety

Page 5: What was Stuxnet about?

• A major, professionally developed cyber security threat
• Targeted automation systems with a very specific configuration on the automation side
• Received large public attention due to:
  • the usage of 4 0-day vulnerabilities
  • multiple infection/persistence vectors
  • its ability to inflict physical damage through cyber operation, i.e. manipulation of an industrial process
  • its political “cyber-warfare” connotation

Page 6: The day when I “met” Stuxnet: July 15th, 2010

A small group of Eastern AV experts had found malware containing references to Siemens WinCC and Step7:

SOFTWARE\Microsoft\MSSQLServer
pdl
GracS\
2WSXcder
WinCCConnect
master
.\WinCC
sqloledb
GracS\cc_tlg7.sav
Step7\Example
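As an added example (not code from the deck or from Limes Security), a small Python triage script that applies the idea behind this slide: a binary becomes interesting when several of the listed Siemens WinCC/Step7 strings occur together. The indicator list is taken from the slide; the sample buffers are constructed, and the minimum-hit threshold is an assumption.

```python
"""Triage a binary for clustered references to an industrial vendor's products."""
import re

# Indicator strings as listed on the slide (the short, generic entries "pdl" and
# "master" are left out to avoid noise; "GracS\" is covered by the longer path).
ICS_INDICATORS = [
    rb"SOFTWARE\Microsoft\MSSQLServer",
    rb"GracS\cc_tlg7.sav",
    rb"WinCCConnect",
    rb"2WSXcder",
    rb".\WinCC",
    rb"sqloledb",
    rb"Step7\Example",
]


def _extract_strings(data, min_len=4):
    """Pull printable ASCII and UTF-16LE runs out of a blob, like the `strings` tool."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def scan_for_ics_references(data):
    """Return the sorted list of indicator strings present in the blob."""
    strings = _extract_strings(data)
    hits = set()
    for ind in ICS_INDICATORS:
        needle = ind.decode("ascii")
        if any(needle in s for s in strings):
            hits.add(needle)
    return sorted(hits)


def triage(data, threshold=2):
    """Flag a sample when at least `threshold` distinct ICS references appear.

    A single hit (e.g. the generic MSSQLServer registry path) is too weak on its
    own; several together are what made the 2010 sample stand out. The threshold
    is an assumed tuning value."""
    hits = scan_for_ics_references(data)
    return {"suspicious": len(hits) >= threshold, "hits": hits}


# Constructed sample buffers: a fake binary with one ASCII and one UTF-16LE
# indicator plus the generic registry path, and a benign one with only the path.
SAMPLE = (b"\x00" * 16 + b"MZ\x90\x00" + b"WinCCConnect\x00" + b"\xff" * 8
          + "GracS\\cc_tlg7.sav".encode("utf-16le") + b"\x00\x00"
          + b"SOFTWARE\\Microsoft\\MSSQLServer\x00")
BENIGN = b"MZ\x90\x00" + b"Hello, world\x00" + b"SOFTWARE\\Microsoft\\MSSQLServer\x00"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```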

Page 7: July 13th: First details of preliminary analysis were published

Page 8: On July 14th, a German AV researcher took a deeper look and noticed the SCADA part

Page 9: Coming back to when Stuxnet began for me: July 15th, 2010

• Initial question: Why might malware carry names of an industrial vendor’s product inside?
• What’s the purpose and application fields of these products: WinCC, STEP7?
• Who would be able to explain?
• Most importantly: How do I find this guy within 350k+ employees?
• My secret weapon: Office phone & org chart

Page 10: Most important task: Finding out what this was all about

• More light was shed on the general purpose of the software by specialists, leading to different security speculations
• Next step: Getting our hands on the relevant software (without a P.O.!)
• Setting the software up in a contained environment including system monitoring capabilities
• Offline analysis of the malware (reverse engineering)
• Runtime analysis of the malware (behavioural monitoring)
• Goal: Come up with indications of the malware’s functions and what exactly it is after

Page 11: Some early learnings

• I learned the necessary difference between incident coordination & incident handling the hard way from the first day
• Having CERT-like capabilities at hand including deep malware reverse engineering know-how really was more than helpful
• Splitting analysis of a threat into offline & online analysis in parallel is more than helpful – each approach sees different aspects
• During crisis, even large organizations can react fast – on the second day a diverse, professional crisis team was established

Page 12: Scaling status information distribution: The famous support website on Stuxnet

Already on the 3rd day, a website on how to detect and remove Stuxnet was established and improved over time, reflecting the state of analysis and research.

Source: http://support.automation.siemens.com/WW/llisapi.dll?func=ll&objid=43876783&nodeid0=10805583

Page 13: Challenges and personal learnings when handling Stuxnet

• Incident handling is really difficult if you have to start from scratch with security basics in the ICS world
  • A cyber security crash course for ICS engineers would have helped
  • Authorities were also still learning back then
• Judging the extent of a problem:
  • Takes time – ~700 kB of code (doesn’t help if all good malware reversers hang out at Blackhat in Vegas)
  • Is difficult when you’re the victim – or even if you’re not sure if you are the victim – information release
• Finding reliable IOCs for determining the extent and how to detect an attack may be challenging

Page 14: Challenges and personal learnings when handling Stuxnet

• For critical incidents, resource-wise separation between incident coordination and incident handling is necessary
• Informing customers is not as straightforward as it may seem; it only works if you know your customers, which is nearly impossible in an OEM business
• Industrial safety is priority number one, but necessary compatibility tests delay the release of any (security) software updates
• Informational duties vs. giving unwanted hints may be a tightrope walk if a threat is still active
• Targeted threats may require anti-virus-like actions from industrial vendors

Page 15: And to: “Stuxnet was so cool and James-Bond-like, it brought cyber security finally to the real world”

• Handling a crisis like Stuxnet is much less cool if you’re forced into the driving seat – vague assumptions & decisions with large impact
• No rogue female agents trying to seduce me
• Still driving the same Audi – no Aston Martin
• On the other hand: Best chance to learn in my entire career

Page 16: Stuxnet consequences

Page 17: Industrial software vendors were under scrutiny of researchers, as a direct consequence after 2010

Security researchers started to analyze industrial software in 2011:

• Billy Rios & Terry McCorkle
• Luigi Auriemma
• Dillon Beresford

Photo caption: …Beresford's Blackhat presentation on S7 industrial control system vulnerabilities. (Credit: Seth Rosenblatt/CNET)

Page 18: Industrial vulnerability research and disclosure jumped to high level

Chart: ICS (SCADA/DCS) Disclosures by year (x axis: Year, 2001 to 2014; y axis: Disclosures, 0 to 300). Note on the chart: Estimation, final numbers not yet published. Data obtained from the Open-Source Vulnerability Database (OSVDB).

Page 19: The motivation of ICS vulnerability researchers changed over time

• Do the right thing to make the world a safer/more secure place (becoming less important)
• Publicity to gain reputation (always a good reason)
• Financial benefit due to exploit creation (becoming more important)

Page 20: Industrial Security Weakness Presentations became “Mainstream” at Hacker Conferences

Large number of SCADA security presentations, e.g. at Blackhat Conference:

• “How to own an industrial facility from 40 miles away”
• “Why Control System Cyber-Security Sucks”
• “How I Will PWN Your ERP Through 4-20 mA Current Loop”

Page 21: New activities at industrial vendors resulted, e.g. public vulnerability handling posture

Source: http://www.siemens.com/innovation/pool/innovations/technologiefokus/it-software/siemens_vulnerability_handling.pdf

Page 22: ICS Vendors rethought their security posture, following initial SDL-programs 10 years later

• Common protection technologies quickly adapted to ICS: Application-Level Firewalls, AntiVirus, Application Whitelisting, IDS, SIEM, …
• Existing security schemes (e.g. airgaps) get deprecated

Page 23: Researchers developed better tools to easily find insecurely operated ICS systems

The security community shows strong interest in (ab)using SHODANHQ, Google and other search engines for finding insecure ICS systems connected to the internet.

Source: SHODANHQ / IRAM

Page 24: The number of security breaches is increasing, 1/3rd do happen in ICS industries

• 2012-2013: 42% increase in breaches, ~35% of targeted breaches affect ICS-industries
• Supply chain breaches increasingly attractive
• Transparent market prices for cyber crime services have developed
• ICS resource abuse likely, extortion attempts possible

Chart: Industries affected by security breaches / targeted breaches according to Symantec and Mandiant

Page 25: Baseline security assumptions slowly changed, ICS stakeholders need to catch up

• The assumption of being able to maintain a clean system environment during operation is deprecated
• Since 2013 a large number of security vendors offer “threat intelligence” services, selling information on “indicators of compromise”
• How shall industrial operators incorporate threat intelligence?

Page 26: Consumerization of IT endangers industrial systems

• Trend of interacting with ICS systems through consumer IT devices
• The trend of bring-your-own-device (BYOD) has not reached its peak yet
• BYOD leads to additional weak points in the supply chain of critical infrastructures
• Security solutions for BYOD scenarios are currently not geared toward industrial sites

Page 27: Nation-state funded hacking has become mainstream

• Since 2013, many publications document offensive operations in different regions of the world:
  • Russia (since early September 2013)
  • China (e.g. APT1 through Mandiant report)
  • Middle East (e.g. Syrian Electronic Army, Iran)
  • “Tailored access operations” by NSA & partners
• Nation-state actors have strong interest in learning about foreign ICS

Page 28: A recent attack example from the ICS world: The Havex malware found in 2014

• Havex is a Remote Access Tool (RAT) for targeted attacks that was used in the “Crouching Yeti” malware campaign
• After infection of a host, it scans the system and connected resources for information that may be of use in later attacks.
• The collected data is forwarded to remote servers.
• Why is it special?
  • Targeted attack
  • Uses ICS-specific attack techniques

Page 29: Havex: a closer look (1)

• Timeline: Havex waterholing attacks
• Spear phishing (emails with PDF attachments)

Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf

Page 30: Havex: a closer look (2)

Targets:
• Identified targets of the Havex malware / campaign were mainly US and UK organizations within the energy sector
• But spread across several other countries: Spain, France, Italy, Germany, Turkey, …

Further malware activity:
• Web browser recovery tool
• Cleaning up of traces
• Enumerates all connected network resources: computers, shared resources
• Scan for ICS related software

Page 31: Havex: ICS related Activity

• Havex uses the Open Platform Communications (OPC) standard to retrieve information: Class Identification (CLSID), server name, Program ID, OPC version, vendor information, running state, group count, server bandwidth
• Enumerates OPC tags: tag name, type, access, and id
• Havex causes multiple common OPC platforms to intermittently crash (unfortunately)
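Added example, not part of the deck: a Python detection sketch for the behaviour this slide describes. A legitimate HMI or historian talks to one or two known OPC servers, whereas a Havex-style sweep browses many servers in a short time and, as the slide notes, sometimes leaves crashed OPC platforms behind. It assumes a site already records OPC/DCOM browse, tag-enumeration and OPC-server crash events in a simple line format; the format, host names, events and thresholds are all constructed.

```python
"""Flag hosts that sweep many OPC servers and correlate with OPC server crashes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO time> <source_host> <event> <target_host>", where
# event is opc_browse (server attributes read), opc_tags (tag enumeration) or
# opc_crash (OPC server process terminated unexpectedly on the target host).
SAMPLE_LOG = """\
2014-06-23T08:00:01 ENG-WS01 opc_browse HMI-01
2014-06-23T08:00:04 ENG-WS01 opc_tags HMI-01
2014-06-23T08:00:09 ENG-WS01 opc_browse HIST-01
2014-06-23T08:00:15 ENG-WS01 opc_browse PLC-GW-02
2014-06-23T08:00:21 ENG-WS01 opc_browse PLC-GW-03
2014-06-23T08:00:22 PLC-GW-03 opc_crash PLC-GW-03
2014-06-23T08:00:30 ENG-WS01 opc_tags HIST-01
2014-06-23T09:15:00 OPS-HMI02 opc_browse HMI-01
2014-06-23T09:15:03 OPS-HMI02 opc_tags HMI-01
"""


def parse_events(text):
    """Turn the constructed line format into (time, source, event, target) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, ev, dst = line.split()
            events.append((datetime.fromisoformat(ts), src, ev, dst))
    return events


def find_opc_sweeps(events, window=timedelta(minutes=5), min_servers=3):
    """Return {source_host: sorted distinct OPC servers} for every host that
    browsed or enumerated at least `min_servers` distinct servers within `window`."""
    by_src = defaultdict(list)
    for ts, src, ev, dst in events:
        if ev in ("opc_browse", "opc_tags"):
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # slide the window over each start
            targets = {d for t, d in items[i:] if t - t0 <= window}
            if len(targets) >= min_servers:
                sweeps[src] = sorted(targets)
                break
    return sweeps


def correlate_crashes(events, sweeps, window=timedelta(minutes=5)):
    """Servers that crashed within `window` after a browse from a sweeping host."""
    hits = {}
    crashes = [(ts, dst) for ts, _, ev, dst in events if ev == "opc_crash"]
    for ts, src, ev, dst in events:
        if src not in sweeps or ev != "opc_browse":
            continue
        for cts, cdst in crashes:
            if cdst == dst and timedelta(0) <= cts - ts <= window:
                hits.setdefault(src, set()).add(dst)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sweeps = find_opc_sweeps(evs)
    print("sweeps:", sweeps)
    print("crashes after browse:", correlate_crashes(evs, sweeps))
```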

Page 32: Statistics on Infected Hosts

Infected host statistics provided by Securelist, see http://securelist.com/blog/research/69293/yeti-still-crouching-in-the-forest/

Page 33: What was the goal?

• A specific target: A victim (industrial operator?) should download the compromised/trojanized ICS software
• Proof of concept / preparation: How effective is such an attack? How many devices that speak OPC can be found?
• Preparation for other attacks that are OPC related
• One or multiple customers of the three compromised ICS vendors

Page 34: For most companies, Stuxnet is not the biggest issue – a list from our field project experience

• Security strongly relies on physical security & cell concept
• Strong trust between systems
• The “legacy” technology & patching problem
• Operators are process experts but usually not security experts
• Security state is often unknown at sites which have been operational for decades
• Vendor vs. integrator vs. operator duties
• Inability to see threats on the industrial network

Page 35: So what did change with Stuxnet? Some statements: true / false?

• My friends and neighbors now understand what I do for a living as an industrial cyber security guy
• Industrial site operators no longer have to justify their annual budget for ICS cybersecurity
• Vendors no longer tell their clients it’s their own problem to secure the system
• Vendors no longer tell their clients their warranty is voided if they try to secure their systems
• There is only one global ICS cybersecurity standard that everyone follows and certifies to
• The industrial world has become more secure because Stuxnet was discovered

Partly taken from Walter Sikora, ICSJWG 2010

Page 36: Thank you! Questions?

Page 37: For inquiries please contact

Web: www.limessecurity.com
Mail: [email protected]