The Stuxnet worm is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used both known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-practice security technologies and procedures.
Since its discovery, there has been extensive analysis of Stuxnet’s internal workings. What has not been discussed is how the worm might have migrated from the outside world to supposedly isolated and secure industrial control systems (ICS). Understanding the routes that a directed worm takes as it targets an ICS is critical if these vulnerable pathways are to be closed for future worms.
To help address this knowledge gap, this White Paper describes a hypothetical industrial site that follows the high security architecture and best practices defined in vendor documents. It then shows the ways that the Stuxnet worm could make its way through the defenses of the site to take control of the process and cause physical damage.
It is important to note that the analysis presented in this paper is based on a security model that, though it is accepted in industry as a best practice, is often not implemented in practice. System architectures in the real world are typically much less secure than the one presented in this paper. The paper closes with a discussion of what can be learned from the analysis of pathways in order to prevent infection from future ICS worms. Key findings include the following:
A modern ICS or SCADA system is highly complex and interconnected, resulting in multiple potential pathways from the outside world to the process controllers.
- Assuming an air-gap between ICS and corporate networks is unrealistic, as information exchanges are essential for process and business operations to function effectively.
- All mechanisms for transfer of electronic information (in any form) to or from an ICS must to be evaluated for security risk. Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense.
- Industry must accept that the complete prevention of ICS infection is probably impossible and that instead of complete prevention, industry must create a security architecture that can respond to the full life cycle of a cyber breach.
- Industry must address the containment of attacks when prevention fails and aggressively segment control networks to limit the consequences of compromise. In particular, securing last-line-of-defense critical systems, such as safety integrated systems (SIS), is essential.
- Combining control and safety functionality in highly integrated ICS equipment exposes systems to common-cause security failures. For critical systems, diversity is important.
- Providing security by simply blocking or allowing entire classes of protocols between manufacturing areas is no longer sufficient. Stuxnet highlights the need for the deep packet inspection (DPI) of key SCADA and ICS protocols.
- The Remote Procedure Call (RPC) protocol is an ideal vector for SCADA and ICS attacks because it is used for so many legitimate purposes in modern control systems.
- Industry should start to include security assessments and testing as part of the system development and periodic maintenance processes in all ICS.
- There is a need to improve the culture of industrial security among both management and technical teams.
If the critical infrastructures of the world are to be safe and secure, then the owners and operators need to recognize that their control systems are now the target of sophisticated attacks. Improved defense-in-depth postures for industrial control systems are needed urgently. Waiting for the next worm may be too late.
The Stuxnet worm is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC, S7 and PCS 7 control systems. The worm used both known and previously unknown vulnerabilities to spread, and was powerful enough to evade state-of-the-practice security technologies and procedures.
Since the discovery of the Stuxnet worm in July 2010, there has been extensive analysis by Symantec, ESET, Langner and others of the worm’s internal workings and the various vulnerabilities it exploits. From the antivirus point of view, this makes perfect sense. Understanding how the worm was designed helps antivirus product vendors make better malware detection software. What has not been discussed in any depth is how the worm might have migrated from the outside world to a supposedly isolated and secure industrial control system (ICS).
It is easy to imagine a trivial scenario and a corresponding trivial solution:
Joe finds a USB flash drive in the parking lot and brings it into the control room where he plugs it into the PLC programming station.
Ban all USB flash drives in the control room.
While this may be a possibility, it is far more likely that Stuxnet travelled a circuitous path to its final victim. Certainly, the designers of the worm expected it to – they designed at least seven different propagation techniques for Stuxnet to use. Thus, a more realistic analysis of penetration and infection pathways is needed.
This White Paper is intended to address this gap by analyzing a range of potential “infection pathways” in a typical ICS system. Some of these are obvious, but others less so. By shedding light on the multitude of infection pathways, we hope that the designers and operators of industrial facilities can take the appropriate steps to make control systems much more secure from all threats.
The first part of the analysis starts with an introduction to the Siemens SIMATIC PCS 7 product line, since this was the target of the Stuxnet worm.
In the second part, we provide an overview of the worm and how it infects a system. We outline how it spreads between computers as it attempts to locate its ultimate victim. Finally, we briefly describe how the worm affects a control system using Siemens SIMATIC products.
In the third part of the paper, we propose a hypothetical “high security site” that is the target of Stuxnet or the next generation of Stuxnet-like worms. The architecture used in the paper assumes this fictitious site is following all the guidance provided in Siemens SIMATIC “Security Concept PCS 7 and WinCC – Basic Document.” From a security point of view, this assumption is probably optimistic, as the gap between guidance and reality in the ICS world is often large. However, it is a good model for two reasons – it provides a conservative starting point and it highlights that current “best practices” in ICS security might still have a way to go.
Part four proposes several ways Stuxnet could move from an infected computer of little importance on the corporate network to deep inside the control system. We also look at how the Peer-to-Peer (P2P) and Command and Control (CC) components of Stuxnet could be effective in an otherwise isolated industrial plant.
Finally, we close with a brief analysis of what this means for the security of industrial control systems in the longer term. In particular, we discuss how other “non-Siemens” systems should consider the vulnerabilities exploited by Stuxnet on a Siemens architecture and prepare for dealing for the next generation worm that could exploit other ICS platforms.
What is SIEMENS PCS 7 Industrial Control Systems – A Primer
In order to understand the directed attack Stuxnet performed against Siemens ICS systems, a brief overview of the Siemens SIMATIC PCS7 architecture is in order.
SIMATIC is a comprehensive term used by Siemens, which includes their complete portfolio of industrial automation solutions ranging from machine vision to distributed I/0 systems and programmable controllers. SIMATIC WinCC is a specialized process visualization system that comprises the core Supervisory Control and Data Acquisition System (SCADA). It can be used with Siemens-branded control equipment, such as the S7 line of programmable logic controllers (PLC) or it can be used independently with other control products.
The SIMATIC STEP 7 software environment is used specifically for the programming of the Siemens S7 line of controllers. An integrated solution, composed of S7 PLC’s, WinCC visualization software, and STEP 7 configuration software, is then referred to as SIMATIC PCS 7. All computer software components run on Microsoft Windows operating systems, including XP, Server 2003 and Windows 7.
In understanding the SIMATIC PCS 7 system, it is important to separate the functional components that are called “systems” from their platform components that commonly carry names like “stations” or “servers”.
The basis of the SIMATIC PCS 7 control system is divided into three functional components as shown in Figure 2:
- Operator System (OS)
- Automation System (AS)
- Engineering System (ES)
The Operator System (OS) permits the secure interaction of the operator with the process under control of PCS 7. Operators can monitor the manufacturing process using various visualization techniques to monitor, analyze and manipulate data as necessary. The Operator System architecture is highly flexible, but always consists of a client and server function, which may be implemented on the same or separate physical platforms.
The Automation System (AS) is the name given to the class of programmable logic controllers (PLC) used with PCS 7. This includes both the Microbox solution based on a software controller running on a standard computer, and the S7-300 and S7-400 lines of hardware controllers.
The Engineering System (ES) consists of software that is responsible for configuring the various PCS 7 system components. The ES is further broken down into the engineering software required to configure either the Operator System (OS) or Automation System (AS), since the OS requires different engineering software for configuration than the AS. The ES allows for configuration and management of the following PCS components and functions:
- Control system hardware including I/O and field devices
- Communication networks
- Automation functionality for continuous and batch processes (Application System engineering via STEP 7 software)
- HMI functionality (Operator System engineering via WinCC software)
- Safety applications (Safety Integrated for Process Automation)
- Diagnostics and asset management functionality
- Batch processes, automated with SIMATIC BATCH
- Material transport, controlled by SIMATIC Route Control
- Cooperation with host CAD/CAE planning tools (import and export of process tags and example solutions)
Since the ES functions are so broad, and cover such a wide range of tasks, Figure 3 below helps clarify the individual components of the ES.
A few Siemens SIMATIC PCS 7 software or platform components that are important to note in understanding this paper include the following:
SOURCE: How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems by: Eric Byres, P. Eng. ISA Fellow, Andrew Ginter, CISSP, Joel Langill, CEH, CPT, CCNA (www.tofinosecurity.com www.abterra.ca www.scadahacker.com) – Develop best practice guidelines to certify the security and reliability of your infrastructure and information assets[/fancy_box]