Tuesday, July 27, 2010

Stuxnet marks the Emergence of Real-World SCADA Security Challenges

What kind of Smart Grid security blog would this blog be if it didn't comment on the Stuxnet worm? The short story includes a couple of key players:
  • Buried (previously undisclosed, aka "Zero Day") vulnerabilities in Windows. And Windows' security weaknesses used as a starting point for a SCADA attack
  • Using USB drives to cross the air gaps and transport the worm from the networked world to the SCADA world
  • Attackers acquiring (via $$$ or theft) trusted digital certificates and building them into the attack
  • Hard-coded passwords in a Siemens-built SCADA system
If you want a thorough account of how Stuxnet works, Symantec did a bang up job here. But be forewarned, unless you've got some solid development chops, it may be more detail than you can handle!

A treatment better for business folks and arm chair grid security generalists comes McAfee here, or from ComputerWorld, with an initial article here, then this follow-up one week later, here, with input from SCADA security guru Joe Weiss. For the moment, the storm seems to have passed, with Siemens and security product co's offering solutions to clean up Stuxnet code from infected machines, and block it from others. But this story is far from over.

Weiss calls out 170 cyber related outages in the US to date, with 3 of them serious enough to have caused significant (read: expensive) regional outages. He also notes that it's currently impossible to discern cyber attacks from accidental glitches because of the weak state of digital forensics in the power industry to date.

By the way, the 2-way power and data flow Smart Grid, great enabler hacking and attacking, will also improve our ability to do post mortems on cyber incidents, though as with many other types of cyber crime across the Web, it will often be super difficult to pin down the originator.

For me, the big take away comes from the praise security analysts are bestowing on the Stuxnet architects. I don't mean to suggest they support this type of work, not at all. But rather, that this was no casual side-project of some mis-directed youth. Stuxnet is heavy, heavy duty malware. Which means, to me anyway, that there's much more to come, and that the USG and FERC in particular, need to get way more serious about energy control system security, and issue mandatory policy that gets it done throughout the bulk power system and across the distribution network.

We may get some more insight from the cyber security conferences Black Hat and Defcon starting this week in Vegas, where Jonathan Pollet of Red Tiger Security, will discuss (and potentially reveal) SCADA vulnerabilities in utility control systems. Stay tuned ... this is exactly what Joe has been warning us about all along.

No comments: