Sue Marquette Poremba recently spoke with Anthony DiBello of Guidance Software about Stuxnet and the dangers it highlights for the security of our infrastructure. Stuxnet, widely described as the first malware designed to disrupt critical infrastructure, has been in the news after reports of an attack on Iran's soon-to-be operational Bushehr Nuclear Power Station.
Poremba: A good description of Stuxnet and what it does would be helpful. How does it differ from other botnets making the rounds?
DiBello: This is the first publicized targeted attack against critical infrastructure and in some ways could be viewed as a proof of concept or a wakeup call. It was designed to remain hidden, as it has elements of a rootkit, and was discovered by accident. Given the nature and resources that go into designing targeted malware, it's hard to say whether there is not already other malware out there lying dormant on other control systems, waiting for the command or the proper conditions to deliver its payload.
What is particularly interesting about this is the combination of all the various aspects (the malware is over MB in size), including social engineering (introduction via USBs), in a single attack. The other key innovation here is the use of malware to cause real-world physical damage to a target. Stuxnet proves the threat is real, that there are intelligent individuals out there able to create these attacks, whether for monetary or political gain, and that there is no reason to think our own infrastructure is immune. This, as well as the Estonian and Georgian cyber incidents over the past couple of years, is a sign that cyber attacks will likely be a precursor to acts of aggression in the future.
Poremba: Discuss the Stuxnet attack on the Bushehr Nuclear Power Station.
DiBello: This represents one of the most sophisticated pieces of malware seen. It probably required a team of individuals given the amount of code it contains (over half a megabyte, huge for malware), and at least one of those individuals had access to inside information, since the attack was highly targeted and designed not to release its payload until a specific set of conditions (that would only be met at the target location) were met. Iran has many enemies (including within) and it would be premature to even guess the source of the attack.
The exact details are kind of murky, but what has been pieced together is that some entity created this piece of malware specifically to target some kind of industrial control site. Eventually that malware was loaded onto USB sticks that were randomly seeded around target locations. Unwary employees picked them up and plugged them in, and that was all that was needed to introduce this worm into the system.
It wasn't an over-the-wire attack. This was social engineering that introduced the worm.
Poremba: That's disturbing when you think of how easy it was to do this, just leaving random USB sticks.
DiBello: It's not the first time that tactic's been used, but it is certainly the first time it's been used in conjunction with an attack on an industrial control system. Part of the social engineering is that people will see a USB stick or DVD lying around and wonder what is on it.
Poremba: Does something have to be activated?
DiBello: I don't know what exactly was on those USBs, but generally, the author will put a folder on the USB that says something like "my pictures." Who wouldn't click on something benign sounding? And that spreads the malware.
Poremba: What are the risks of a similar attack here in the States?
DiBello: The risks are high. This should be a wakeup call for the control engineering community. Traditionally, it has been an unsecured area. There's never been a reason for security in control systems before because they've never been a target. They use old hardware and logic that pre-dates Windows. This attack proves it is possible, it can happen, and we need to up our defenses in that area.
Poremba: What are some of the problems facing our infrastructure and utilities?
DiBello: This infrastructure has been designed not around security, but around availability and accessibility. Far more important, when talking about utilities and transportation, is that these are things that can't go down. The services always have to be available, unlike a corporate network where, sure, it costs a lot when it goes down, but it can go down for a few minutes. If the power grid goes down for even a few minutes, that could have a lot of consequences. They weren't designed for security. Now we have to take a good look at these control systems and figure out the best way to approach this challenge. You can't just dump something similar to corporate network security onto it all at once and expect the problem to be fixed.
One key capability that might be a high security priority right now is to figure out a way to tell if a hiccup in the system is a simple glitch or an attack. Right now, a hiccup is a hiccup and there is no way to tell if it is caused by an external influence. Without the means to do that, it is difficult to get the systems needed to detect attacks.
Poremba: How do you use cyberforensics as a defense mechanism?
DiBello: One of the nice things about industrial control systems is that they are relatively static. They have a job to do, and that's what the program will do. It won't be playing solitaire or writing Word documents. It's just the code necessary for the machine to do its job.
In cyberforensics, there is a way to audit, if you will, or detect any changes in that known state, and we'll be able to act on those changes and see why they are there. There should be no changes. Cyberforensics would be a method to detect and respond to change and would be a huge leap over what's available today. It would also allow us to determine the difference between a hiccup and an attack.
Poremba: What do you think should be done to create better security for infrastructure?
DiBello: It's an issue of awareness. Up until recently, when Guidance Software stood up and said we could offer security to the industrial control industry, no other vendors jumped up to say they had solutions for the problems. Folks need to make that community understand that the solutions are out there and are able to work in the environment. The brains of the machines are really just Windows networks, so it really is just a matter of determining the path of approach. It's kind of overwhelming right now.
The scope of the problem is huge. It's a matter of doing things in baby steps and ensuring we do the right thing to secure those devices.
Poremba: In your opinion, what is the first step?
DiBello: To provide the capability to understand the difference between an anomaly and an attack. Once they can distinguish between those things, they can put the right type of security on the right type of systems.
Poremba: How likely do you think it is that some utility, say, will see an attack in the next year?
DiBello: It would be an act of negligence to think we shouldn't expect it. We should prepare. There are plenty of folks who want to see harm done to our country, and we should be vigilant, whether the attack is physical or through infrastructure. We saw what happened a couple of years ago between Estonia and Georgia. There was a small-scale cyberwar going on.
Poremba: Any final thoughts?
DiBello: Stuxnet should be viewed as the wakeup call, the shot fired around the world for our governments and companies who are tasked with protecting and owning critical infrastructure. We should take it seriously and prepare for any kind of attack.