Stuxnet is one of the most sophisticated pieces of malware seen to date, say researchers, but what should and could security professionals in businesses be doing in response?
Technology alone is not the answer
Professor John Walker, member of ISACA Security Advisory Group and CTO of Secure-Bastion
I recall the time when malware was written with some miscreant intention, to derive some sense of fun - notwithstanding the ramifications for the infected end-point. Viruses ranging from Cascade, with the interesting side-effect of dropping letters from the screen, to the Joshi virus, with the side-effect of communicating a birthday greeting were all very noisy and, to some extent, seen by the originators as a fun and cool thing to do.
Come up to date with worms such as Stuxnet, and we are in a whole new ball game - well-written code, no doubt constructed under robust coding conditions, with a potential profile underpinning some exploitation, through to delivering profiled cyber war attacks.
However, there has been some debate over the implications of aggressive worms like Stuxnet in relation to impacting - what control systems (Scada) do utilities and power suppliers have? The implications here could be severe. It has been observed that many such systems may not be connected to the internet (but, of course, some will be). But let us not forget the Cuckoo's Egg Attack, where systems were compromised through third-party connected systems - and that recent malware impacts on operational government systems were the result of a USB key introducing the infection.
So, just how do organisations defend against such malicious code and its implications?
The first obvious measure is to deploy an anti-malware solution, and assure it is kept up to date. However, this alone does not provision the entire security landscape. The second most important (possibly the most important) element is to watch out for vendor security notifications and alerts, and to apply patches or workarounds as soon as possible. Next, ensure that users are kept up to date through a tuned security education and awareness programme. Last, but not least, know your assets, identify your perimeter of secure operations, and maintain a high level of situational awareness to ensure you are aware of, and can respond to, incidents in a timely manner for the sake of operational survival.
But technology alone does not solve all the problems. After all, if that were the case, there would be far fewer breaches now with all the technological advances. People, processes, organisation and technology must all be addressed. ISACA includes these elements in the new, holistic Business Model for Information Security.
Education, education and education
Peter Wenham, committee member of the BCS Security Forum strategic panel and director of information security consultancy Trusted Management
The question being asked of security professionals, well certainly those associated with the UK's critical national infrastructure, is what should they be doing in response to the recent discovery of one of the most sophisticated pieces of malware yet seen - Stuxnet? My answer is education and awareness and I see this being broken down into a number of areas:
- Education in the classroom, where tomorrow's software developers and network architects can be found. We need them to think security from the outset.
- Education in colleges and the commercial education aftermarket, where people learn how to write software and learn how to design and manage networks. Security needs to be a byword.
- Education at board level to convey the message that security should be primarily business-led and that support is required to ensure security is part of an organisation's ethos - so security is led from the top. Understanding (from a business perspective) the threats and risks to an organisation and how these interact with the cyber world is key to this understanding.
- Education at management level to ensure the message that good security requires secure software and well-designed and maintained networks. In other words, security must be baked in from the outset and part of this is ensure that staff skillsets are maintained appropriately and continuously. It is key to understand the risks and threats to an organisation and be able to translate and/or augment the board's view of risk and threat into action plans.
- Finally, the security professional needs to be just that. Skillset maintenance is not an option, belonging to professional organisations is not an option, interfacing and carrying the security message to the board, management and staff level is not an option. That professional must be comfortable with assessing the risks to an organisation based on what is on the ground and input from the board, management and industry. Being able to translate a risk assessment into a security get-well programme and/or continuous security improvement programmes is a key part of the security professional's job.
Adopt a four-pronged attack on malware
Adrian Davis, principal research analyst at ISF for the Stuxnet Think Tank
Yes, Stuxnet is very sophisticated; yes, it can cross platforms; and yes, it has the potential to cause damage. But it has several weaknesses. First, it was found; second, it was highly specific; third, it attacked "cut down" versions of Windows - those that cannot be patched, or are difficult to patch; and fourth, that level of sophistication doesn't come cheap and may be difficult to replicate.
But these weaknesses are not reasons for complacency. There is much we can learn from this attack and much we can do to lessen the impact of a similar attack. I'm going to divide the responses into four groups:
- People. Educate your staff, encourage people to tell you if something doesn't seem right or if they have an unusual problem. Change your policies around the use and control of USB and Scada.
- Basics. IT equipment - configure laptops, servers, desktops, multifunction devices and process-control machinery (Scada) securely. Shut down unnecessary processes, applications and protocols, and change default user names and passwords. All systems must be up to date with patches for the operating system and applications. In some cases, where you can't patch or configure devices because of guarantees or system limitations, consider the approaches below.
- Networks. Never allow anything on your network to connect directly to the internet. Route all traffic through your firewalls and DMZ. If there are devices that need to connect directly, don't put them on your network, or put a firewall between them and your network. Control connections to devices by using VPN access. Next, consider physical or logical segregation of your networks. If you have Scada, put them on a separate network to the office IT. Implement network access control to enforce policies and configurations.
- USB devices. Where possible, disable the use of USB devices, either by physically or logically blocking the ports on both Scada and IT equipment, and deploy malware protection software and encryption. If you have to use USB sticks to transfer data or updates, consider using dedicated USB devices.
Finally, be vigilant.
Basic security measures can stop it
John Pescatore, research vice-president, Gartner
The recent Stuxnet malware was a clever piece of software that incorporated a number of different exploitation and stealth techniques. However, with some simple precautions, it was a piece of cake to be invulnerable to Stuxnet:
- Stuxnet exploited "zero day" flaws in Microsoft's Internet Explorer 6 browser - IE7 has been available for over three years, while IE6 has known security deficiencies. A simple upgrade to IE7 closes this hole.
- Stuxnet exploited known hardcoded passwords in Siemens HMI (human machine interaction) software - buying software with known hardcoded passwords is a huge mistake in the first place, but at system install, it is not hard to make sure all default passwords are changed. Doing so years later is hard.
- Stuxnet included a means for spreading via USB portable storage media. Many manufacturing and utility systems have based their security approaches on having a control network that is physically separate from the "business network". This is rarely true, but even where such isolation actually exists, there are always "sneaker net" connections - the ability to get files and software updates onto the control network. Making sure media control was enabled on all PCs would have stopped this vector.
None of those three precautions is all that complicated or expensive, and if all three were done, Stuxnet would have been stopped dead in its tracks. Certainly, more proactive mechanisms, such as intrusion prevention systems and network forensics on such critical networks, would have been even better, but those who got hit by Stuxnet really suffered from a lack of basic levels of security.
The major reason is the pretence of the high-value control systems being totally separate from the general purpose business networks and the internet. In this day and age, such "security through obscurity" never works and those who rely on physical separation to justify doing the basic block and tackling of minimising vulnerabilities invariably have security incidents.
Make sure systems are isolated and protected
John Colley, CISSP, managing director, EMEA (ISC)2
Stuxnet, and the viability of attacks like it, may be the key motivation behind the National Security Council recently declaring cyber-crime as the high priority risk for the UK. In its 39-page document, released last month, cyber crime (cyber attack by other states and by organised crime) was ranked one of our country's four highest risks, alongside international terrorism, international military crises and major accidents or natural hazards. It is good that the whole area of cyber security is being highlighted as a priority, and in some respects it seems incredible. What is really being said here is that we don't have effective defences against such attacks.
Certainly, corporations must also respond. The major vulnerability sits within industrial control systems (ICS), usually called Scada, which control "physical" devices, such as open/close valves in all sorts of installations, including water, gas, electricity, sewage, and so on. The Stuxnet worm has established the viability of attacks against these systems. The overall protocols of these systems are weak and easily subverted. In fact, the main protocol used, Modbus, has no security whatsoever.
Although such systems were isolated from other systems on their own networks, which traditionally was the case, they are now increasingly connected to corporate networks. IT departments have not yet taken full account of how fragile and vulnerable they are. Stuxnet should change this. The security and IT departments must take account of whether they use industrial control systems. In most cases, the answer will be yes. Most modern buildings use ICS to control the air conditioning, the lighting and heating, and also the elevators, not to mention the CCTV equipment. They need to include these systems within their remit, develop an understanding of the vulnerabilities and issues with these systems, then make sure they are properly isolated and protected. In other words, they need to treat them like they would any other connected system.
Keep employees alert to the dangers
Dani Briscoe, services manager, The Corporate IT Forum
When polled, the majority of Corporate IT Forum members replying to a recent member Q&A about the impact of Stuxnet agreed that its complexity had deservedly heightened security concerns. However, most felt that the issues raised were, by and large, those that IT security professionals already face day to day.
Employee awareness of the risks associated with malware goes a long way to protecting corporate systems. The response to Stuxnet has been to raise malware awareness among support staff and control engineers, and reiterate that Scada security can be as important as network or information systems security. In reality, many sectors' Scada security should be considered just as important as data security.
Basic mitigation is a fairly simple process, if sometimes harder to put into practice. Defined system ownership and management carries responsibilities for implementation of patching and anti-virus against a strict policy (of course ensuring patches are verified). Removable media cannot be used without express permission of the system manager and all must be checked for viruses, for example via an offline PC. Many anti-virus systems can also monitor and alert upon the use of any portable media or network device being used on the system.
To quote one member: "It's a relatively old lesson: training, training, and training. Teach people not to accept updates blindly. Put a process in place that allows them to check that updates are genuine and uncorrupted quickly and easily. And check the process is being followed." As an IT professional, your challenge is to keep the message fresh and in the minds of all employees, irrespective of their role.
Use open-source intelligence to find out if you are a target
Gerry O'Neill, senior adviser, KPMG's I-4 Team
Since first reports of the Stuxnet worm attack in June 2010, there has been speculation about its origins and intended target. Some suggest embedded messages and clues in the malware code may indicate authorship, while doom-merchants herald it as the first "cyber guided missile" because it is the first worm to seek, identify and alter the operation of industrial programmable logic controllers (PLCs).
According to reports from security technology companies, the main countries affected in terms of number were: Iran, Indonesia, India, Azerbaijan, Pakistan, Malaysia, the USA, Uzbekistan, Russia and the UK, with the number of known infected hosts exceeding 100,000.
Stuxnet is complex malware code that aims to infect, reprogram and control industrial control systems to cause malfunction in Siemens Step7 PLCs. More worryingly, it uses multiple techniques and components, including: four zero-day exploits; stealth and anti-virus evasion techniques; valid digital certificates; propagation via removable USB drives and auto-execution; LAN infection capabilities; the ability to update itself over the LAN using peer-to-peer mechanisms; the use of a Windows rootkit; presence of a command and control interface; and the modification of PLC code on the target system - while hiding the changes.
It appears that a specific installation in Iran was the main intended target, although additional infections appear to be considered legitimate collateral damage. Regardless of any criminal or political motivation, this is the first reasonably complete example of a "weaponised" cyber attack capable of disabling or disrupting an industrial complex. So with proof of concept, the concern is that copycat exploits, which might be motivated by terrorism or extortion, could target electricity generation, water processing, petrochemical and transportation control systems.
The positive news has been the industry-wide response - particularly the co-operation between Microsoft, Siemens and security vendors to produce guidance and fixes to remove Stuxnet vulnerabilities. But many millions of unpatched and vulnerable systems are still out there.
The advice must be to ensure that we deploy up-to-date patching and software versioning, multi-layered anti-malware and, importantly, the use of open-source intelligence to identify whether "you" are a potential target. And, of course, it is vital to have a tested incident response plan in place.
Those who manage industrial control systems must reassess the risks urgently and apply the patches and fixes. They should also consider a more multi-layered approach to in-depth defence, including potential isolation of key components of critical infrastructure.
Look at both whitelisting and blacklisting
Raj Samani, ISSA UK
Dubbed the "best malware ever" and rumoured to specifically target critical infrastructure within a specific foreign state, the Stuxnet worm has potentially changed the way malware and security will be viewed in the future. Much like 2005, when Microsoft released the MS05-039 advisory, a coder was paid to develop a worm to exploit unpatched machines. Within four days of the advisory being published, the Zotob worm was born, and the age of long testing periods was over. Cyber crime had hit the big time.
However, protecting Scada (supervisory control and data acquisition) systems against Stuxnet need not be as difficult as first feared, regardless of whether the worm exploited zero day vulnerabilities, or whether it was propagated via USB. Security professionals who embraced the latest security controls could have avoided not only the Stuxnet worm, but potentially any unauthorised code, from running.
Much has been made of the limitations of traditional antivirus measures. They do consume resources and require constant updates, but for dynamic environments they still provide a good level of protection. However, Scada networks are different. What tends to run on these systems is known, so it would be better to simply allow only "authorised" (hashed) executables to run and deny everything else. All of this can be achieved without any updates. The case for whitelisting can be extended to a multitude of environments and, when combined with a defence in depth approach (including disabling auto-run on USB memory sticks, or disabling USB ports altogether), the risk of infection would be considerably lower.
Ignore the hyperbole about the "death of blacklisting" or the "death of antivirus". Any security professional who simply disregards ANY control based on marketing spin is on the fast track to front-page news. Rather, look at both whitelisting and blacklisting (in conjunction with other recommended security controls and practices) as a means of providing appropriate protection, depending on the environment. Future attacks could well focus on transit systems: how would major cities cope with a loss of integrity on systems that manage city-wide transport systems? After all, what the Zotob worm taught us all was that this is only the beginning.
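The hash-based whitelisting Raj Samani describes, and the "check that updates are genuine and uncorrupted" process quoted in the Corporate IT Forum piece, both come down to the same control: a default-deny baseline of SHA-256 digests taken at commissioning time. The following is an added illustration, not code from any of the contributors or vendors named above; the file names and contents are constructed sample data, and the allowlist is kept in memory rather than in a protected store.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-ins for the executables found on a Scada host.
SAMPLE_BINARIES = {
    "hmi_runtime.exe": b"MZ\x90\x00 constructed HMI runtime",
    "plc_logger.exe": b"MZ\x90\x00 constructed logger",
}

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_allowlist(directory):
    """Baseline taken once at commissioning: digest -> file name."""
    allow = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            allow[sha256_file(path)] = name
    return allow

def is_allowed(path, allowlist):
    """Default-deny: a file may run only if its digest is in the baseline.
    No signature update is needed; unknown or altered code simply fails."""
    return sha256_file(path) in allowlist

def verify_update(path, expected_hex):
    """Check a vendor update against its published digest before install."""
    return hmac.compare_digest(sha256_file(path), expected_hex)

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_BINARIES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        allowlist = build_allowlist(d)
        dropped = os.path.join(d, "update.exe")      # new file, e.g. via USB
        with open(dropped, "wb") as f:
            f.write(b"MZ\x90\x00 constructed unknown payload")
        tampered = os.path.join(d, "plc_logger.exe")  # baseline file altered
        with open(tampered, "ab") as f:
            f.write(b"\x00patched")
        genuine = hashlib.sha256(SAMPLE_BINARIES["hmi_runtime.exe"]).hexdigest()
        return {
            "hmi_runtime": is_allowed(os.path.join(d, "hmi_runtime.exe"), allowlist),
            "dropped": is_allowed(dropped, allowlist),
            "tampered": is_allowed(tampered, allowlist),
            "update_verified": verify_update(os.path.join(d, "hmi_runtime.exe"), genuine),
        }

if __name__ == "__main__":
    print(demo())
```

On a real host the baseline would live in a write-protected location and the check would sit in an execution hook rather than a script, but the decision logic is the same.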