04 October 2010

Stuxnet: Digital Sabotage of Critical Infrastructure...

The Chief Information Security Officer's (CISO) are getting significant new understanding of the new threat emerging in the digital domains. The Energy, Chemical, Water, Transportation and other Critical Infrastructure sectors are on high alert. The Operational Risks associated with their Programmable Logic Controller (PLC) systems using Siemens technologies are being attacked. Stuxnet is a new worm that has emerged over the past few months and is being analyzed from several vectors. One analysis that is forthcoming is who developed this new sophisticated industrial sabotage cyber weapon? Let's consider this logic from Ralph Langner:

Many aspects of Stuxnet are so completely different from malware as we know it that it's only natural that so many hard-working experts at some point in the analysis ended in frustration. The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation -- operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution.
Stage 1, preparation:
- Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
- Assemble development & test lab, including process model
- Do intel on target specifics, including identification of key people for initial infiltration
- Steal digital certificates

Stage 2, infiltration:
- Initial infiltration using USB sticks, perhaps using contractor's comprised web presence
- Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
- Contact to command & control servers for updates, and for evidence of compromise
- Update local peers by using embedded peer-to-peer networking
- shut down CC servers

Stage 3, execution:
- Check controller configuration
- Identify individual target controllers
- Load rogue ladder logic
- Hide rogue ladder logic from control system engineers
- Check PROCESS condition
- Activate attack sequence

For the CISO and executives who are sitting around the latest emergency CISCO Telepresence call at companies such as Entergy, American Electric Power, Dominion Resources and dozens of others in the power grid industry; the reliability factor is uncertain.

If this new malware had an initial project budget cost of seven figures $,$$$,$$$.00 to achieve the three stages described previously, preparation, infiltration, and execution then the price will soon be more affordable. A price for a malware exploit kit such as this one as it is reengineered for other purposes or types of targets will decrease dramatically as it propagates across the Internet.

The significance of the decrease in price is that now it will be more affordable for the transnational economic crime syndicates. How they will utilize the new Stuxnet capability in their toolkit for cyber extortion, digital sabotage and other schemes remains to be seen. What is certain is that it will not be long before this becomes a reality. Gary McGraw comments further:

Stuxnet is a fascinating study in the future of malware. Not only did it reveal at least 4 0days (which are still being patched by Microsoft), it clearly demonstrated that physical process control systems of the sort that control power plants and safety-critical industrial processes are ripe for compromise.

Now that the genie is out of the bottle, it is hardly possible to stuff it back in. Expect the techniques and concepts seen in Stuxnet to be copied. Attacks on process control systems are no longer the fantasies of paranoids in tinfoil hats — they are here.


The next Operational Risk that will be on the horizon are the plaintiff law suits, each time we have an event like this one:


Pacific Gas and Electric Co. on Monday announced it would put as much as $100 million towards rebuilding areas of the Crestmoor neighborhood destroyed in the flames. PG&E president Chris Johns maintained that money in that relief fund would be spent on reconstructing the San Bruno neighborhood, not paying off potential legal claims. Nonetheless, the utility company reportedly already cut the city a $3 million check to cover expenses associated with responding to the disaster. PG&E is also expected to pay victims whose homes were destroyed up to $50,000 to help pay for their everyday necessities. “I realize money can’t return lives. It can’t heal scars, it can’t replace memories… But there does come a time for healing and for rebuilding, and we are committed to helping that happen,” Johns added.

A full probe would be required to determine what might have caused the 30-inch high-pressure gas pipeline to burst at Earl Avenue and Glenview Drive around 6:15 p.m. that Thursday evening. Thirty-seven homes were apparently leveled in the blast. A 30-foot-wide crater could also be seen in the aftermath of the explosion. Authorities evacuated over 100 people in the area immediately after the blast. Now the California Public Utilities Commission has ordered PG&E to check all high-pressure gas lines located in densely populated areas. The National Transportation Safety Board (NTSB) is leading the investigation into the fatal San Bruno natural gas explosion.


It is too early to determine the exact nature of the cause of the San Bruno, CA disaster yet the corporate general counsel's of major utilities are preparing for their defense. The legal risks could go well beyond the exact scene of the explosion. Why? As the plaintiffs examine the number of PLC and SCADA controllers involved in the area of the incident, you can be certain they will be looking at the software systems associated with them. They will be requesting the Information Technology organization at PG&E to produce evidence of their policies, procedures, and best practices as it pertains to SCADA exploits such as the Stuxnet worm.

Managing the Operational Risks associated with the Energy and Chemical "Critical Infrastructure" sectors goes well beyond the norm of security and safety. Even BP has established a new Operational Risk initiative in the aftermath of their Gulf of Mexico catastrophe.

BP is to create a new safety division with sweeping powers to oversee and audit the company’s operations around the world.

The Safety & Operational Risk function will have authority to intervene in all aspects of BP’s technical activities.

It will have its own expert staff embedded in BP’s operating units, including exploration projects and refineries. It will be responsible for ensuring that all operations are carried out to common standards, and for auditing compliance with those standards.

The powerful new organisation is designed to strengthen safety and risk management across the BP group. It will be headed by Mark Bly and report directly to incoming chief executive Bob Dudley.

The company said the decision to establish the new function follows the Deepwater Horizon accident in the Gulf of Mexico and BP’s investigation into the disaster. It is one of a number of major changes announced by Dudley as he prepares to take over his new role on October 1.

Who will be in charge of the "Stuxnet Task Force" ?