Monday, December 20, 2010

Stuxnet – An Example of Cyber Attack Capabilities

Technical analysis shows that Stuxnet consists of two separate malware attacks, and that the two are considerably different. The first runs on Siemens S7-315 controllers and is fairly simple; the second runs on S7-417 controllers and is much more complex. The analysis also shows that the two attacks were developed using different tools. *

It appears that attacks one and two were deployed in combination as an all-out cyber strike against devices that manage process control devices. ** The following are some of the characteristics of Stuxnet. In terms of complexity it exceeds anything ever seen:

1. Stuxnet targets, for sabotage, process control equipment that is isolated from the Internet but otherwise connected to selected administrative systems. It manipulates specific processes, and the effects are completely hidden from the operators.
2. The deployment of Stuxnet suggests that the originators of the attacks must have possessed detailed insider knowledge about the operations of the target equipment.
3. The Stuxnet attack was combined with conventional hacker skills, such as stealing certificates, used to overcome primary defenses.
4. Stuxnet is custom-designed by experts who have detailed Siemens process control knowledge. They are not amateurs engaged in the adaptation of off-the-shelf attack software.
5. To be worth all the enormous effort devoted to launching the attacks, the target for Stuxnet had to be of high value.
6. The central flaw in defending against Stuxnet is a total dependence on well-documented Siemens software. Software instruction manuals, including maintenance instructions, for Siemens controllers are downloadable and therefore completely exploitable.
7. Stuxnet’s attack software versions are reusable. Unlike explosives, they can be used over and over again. The vulnerabilities that Stuxnet exploits cannot be “patched” by Siemens. In effect, Stuxnet can be viewed as multiple zero-day attacks wrapped into several packages that aim at specific targets, such as Windows.

Stuxnet is most likely going to be the best-studied piece of malware for a long time. The attackers must know this. Therefore, the whole attack only makes sense within a very limited timeframe. Once Stuxnet has been analyzed, this specific attack form will no longer work. It’s a one-shot weapon that will most likely be reloaded, with modifications.

From the standpoint of DoD this has ominous implications. Stuxnet-like attacks should be seen as custom-made weapons whose purpose is to take down well-defended targets at a critical time.

Stuxnet is designed to first install itself on Internet-connected administrative computers. If undetected, it can then use those already corrupted platforms to infect other computers that were previously considered invulnerable because they did not connect to the Internet. Getting through the external perimeter is difficult, but well within the current state of the hacking art.

If a similar attack were launched against DoD’s critical cyber operations, DoD would suffer from its dependence on readily exploitable software already implanted in both the external and the internal defense rings.

The software currently in use by DoD operations is mostly unclassified, and the proliferation of contractor-managed systems is very large. Compared with the complexity and sophistication that was necessary to breach the relatively small defenses protecting standardized Siemens process controllers, the diversity of DoD targets will make it relatively easy to locate a wide range of attack opportunities.