Eric Byres, CTO of Byres Security Inc., Andrew Ginter, CTO of Abterra Technologies and Joel Langill, CSO of SCADAhacker.com announced today the release of their joint White Paper “How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems.” Byres says it is the first paper to detail how Stuxnet could infect a control system site protected by a high security architecture using modern, vendor-recommended best practices. The paper shows that current best practices are insufficient to block advanced threats. It then discusses what operators of control and SCADA systems need to do to protect their critical systems from future threats of this type.
Stuxnet is the first known malware to have been designed specifically to compromise a control system and sabotage an industrial process. It has been described by Symantec’s forensic experts as the “most sophisticated” piece of malware they have ever seen.
The paper follows the progress of the worm as it moves through a hypothetical control system, configured according to vendor-recommended security best practices. In spite of strong security measures, the worm is able to compromise a sequence of machines, culminating in the compromise of the PLC devices which directly control the physical process.
While Stuxnet is presumed to have targeted the Siemens WinCC and PCS7 systems used at Iran’s uranium enrichment plants, its existence creates a new cyber security standard for all automation and critical infrastructure sites around the world.
Andrew Ginter remarked “The Stuxnet worm is the best-documented example of an advanced threat designed to sabotage an industrial control system. Other recent attacks have targeted control systems for industrial espionage. Control systems are now targets of advanced threats and today’s best-practice defenses must be improved before they can stand against these kinds of adversaries.”
“By explaining how Stuxnet works, our paper helps security professionals understand what it takes to properly secure a state-of-the art industrial control system,” said Joel Langill. “The reality is that the majority of critical facilities are protected much less thoroughly than the hypothetical site described in our paper, and now they need to step up and protect against Stuxnet-like malware.”
“Our paper goes into great detail on Stuxnet infection pathways and highlights the difficulty of preventing infection from an advanced threat. While best practices for prevention should be implemented, control system operators should also put into practice early detection, mitigation, and containment strategies,” remarked Eric Byres. “Such strategies include putting into practice zone-based security as described in ANSI/ISA-99 Standards, paying particular attention on securing last line of defense critical systems, and understanding the unique security challenges of control systems versus IT systems.”
The paper concludes that changes to improve the cyber security of industrial control systems are urgently needed. You can download the paper here, but you must register with the Website.
