Safeguarding critical infrastructure from the next Stuxnet
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
While it has been disturbing to see Internet threats become driven by financial gain, Stuxnet signals the arrival of something more worrisome: a new class of threat designed to seize and control critical infrastructure.
Stuxnet is one of the most complex threats observed to date. Not only did it utilize interesting antivirus evasion techniques and complex process injection code, it also pioneered new frontiers in virus design, including the use of four separate zero-day vulnerabilities and the first ever rootkit designed specifically for programmable logic controller systems.
Most notably, however, is the fact that it was designed to reprogram industrial control systems -- computer programs used to manage industrial environments such as power plants, oil refineries and gas pipelines. It is the first known malware designed to specifically target such systems with the goal of impacting real-world equipment and processes.
Stuxnet's ultimate objective was to alter the speed at which certain frequency converter drives -- power supplies that control the rotational speed of electric motors -- operated. Stuxnet only targeted systems with drives that functioned at a certain frequency, most notably, gas-centrifuge-based systems used in uranium enrichment. Altering the frequencies of the drives, as Stuxnet is designed to do, will effectively sabotage the enrichment procedure, likely damaging the affected centrifuges in the process.
Much of the threat posed by Stuxnet has been neutralized, but this epochal change in the threat landscape still raises many troubling questions. Enterprises that run or manage critical infrastructure have much to learn from Stuxnet. For those charged with the management of industrial control systems, implementing specific recommended defenses can spell the difference between a safeguarded and properly functioning system or an infected system.
What follows is a breakdown of best practices to help erect a defense-in-depth barrier to this new type of threat.
* Leverage reputation-based detection techniques. Traditional protections, such as signature-based antivirus, are the most common method of defending against the initial infection stage. Unfortunately, many modern pieces of targeted malware rely on mutated code that is altered before each new attack and tested against antivirus solutions to ensure it will evade detection. Some malware even utilizes self-mutating code that makes it all but invisible to traditional signature-based protection. In addition, signature-based detection is ineffective at identifying brand new, never-before-seen malware. Such was the case with many of the initial Stuxnet infections. Look for a reputation-based detection system that leverages massive databases containing demographic information on virtually all good and bad files in existence to single out unknown and likely malicious software applications.
* Take advantage of managed security services. Managed security services are offered by many security vendors. The goal is to shift the burden of security operations to a qualified vendor. In the case of Stuxnet, managed security services would, for example, watch for downloaded data traffic carrying .LNK files, which could potentially be related to one of the now patched zero-day vulnerability exploits used by the threat.
* Implement and enforce device control policies. A feature of advanced endpoint protection solutions, device control provides administrators with the ability to monitor and control the behavior of devices by creating and enforcing related policies. Because industrial control systems are often disconnected from the Internet and overall corporate networks for security reasons, thumb drives are frequently used to transfer data to and from such systems and also to implement patch updates. Stuxnet authors knew this and the spread of the threat relied on this fact. In fact, infected thumb drives carried into organizations by unwary contractors was likely one of the initial propagation methods used to spread the threat. Device control policies can control what files and applications are allowed to run off thumb drives and, if properly set, will prevent malicious executable files, like those used by Stuxnet, from running on targeted systems.
* Install, and if necessary lobby for the ability to install, host-based intrusion prevention systems. Installing intrusion prevention software directly on industrial control systems is another effective way of preventing a Stuxnet infection. Such a host-based intrusion prevention system would watch for suspicious behavior taking place on the actual industrial control system and force the lockdown of the system when called for so new malware cannot be injected. Many industrial control system developers are reluctant to load third-party software that they will have to validate and support, but Stuxnet demonstrated the game has changed and greater cooperation is warranted.
* Ensure your tempo of software certificate revocation updating is appropriate. In order to further evade detection and bury itself deeper into targeted systems, Stuxnet used two stolen digital certificates, one from JMicron and another from Realtek, to try and make itself appear as a legitimate program. Both of these certificates were revoked, but if a system were not kept up-to-date in terms of certificate revocations, the stolen certificates used by Stuxnet would have still serve as an effective deception. There is no reason to think that future threats will not also attempt to exploit compromised certificates.
* Use endpoint management software to ensure adequate patching procedures. As previously mentioned, Stuxnet -- like many targeted and non-targeted attacks -- used previously unknown software vulnerabilities to gain access to susceptible systems. Security updates were issued to fix the vulnerabilities exploited by Stuxnet, but unless the patches were actually applied, systems were as vulnerable as ever. Endpoint management solutions can help manage patch updates and ensure they are applied properly. This is especially important when it comes to patches issued out-of-band, as these updates can often be overlooked because they fall outside the routine patch schedule.
* Capitalize on effective data loss prevention solutions. Data loss prevention technology specializes in finding and preventing internal data spill events. It is not yet widely understood, but many data breach events are the result of internal data spills left unintentionally by well-meaning insiders. Not using data loss prevention technology to identify these spill events, clean them up and encrypt the content, simply makes the job of an attacker that much easier. In the case of Stuxnet, to target specific organizations the attackers needed sensitive data describing the systems the targeted organizations were running and their configurations. By preventing attackers from acquiring this detail, a similar attack in the future is much less likely to be successful.
* Where able, employ automated compliance monitoring to root out default password use. Some industrial control system manufacturers insist that their systems -- no matter where they are deployed -- use default password setups. This may be for legitimate reasons, but Stuxnet highlighted the obvious weakness in such a strategy. Because Stuxnet targeted a specific industrial control system, one in which the default passwords were public knowledge and easily attained. In environments where default password use is not necessary -- a situation that will hopefully increase -- automated compliance monitoring can assert detection and control over default password setups, ensuring default passwords are not used. It also identifies failed password guess attempts.
Stuxnet was of such great complexity and required such significant resources to develop that few attackers will be capable of producing a similar threat in the near future. Thus, we do not expect masses of threats of similar sophistication to suddenly appear. However, the real-world dangers of Stuxnet-like threats are obvious.
The threat highlighted that attack attempts on critical infrastructure facilities are not just theoretical, but entirely possible and more are likely. We implore all organizations to implement defenses to ward off such attacks; this is more than a suggestion, it is the only responsible thing to do.
Francis deSouza is senior vice president of the Enterprise Security Group at Symantec.
Read more about wide area network in Network World's Wide Area Network section.