The future threat that the Stuxnet worm poses is a blueprint for attacks on real-world infrastructure, but what is being done to protect industrial control systems and who cares, asks E&T.
Online security is a growing concern for governments around the world. The US government has admitted the nation's power grid is vulnerable to cyber-attack and President Obama has likened the risks to the threat of nuclear or biological attack, something that prompted a cyber security review in early 2009. It is the security of the SCADA technology [technology used to manage critical infrastructure] that is in question, with many claiming that it has not managed to keep pace with desktop or Internet security. The US Department of Homeland Security has admitted that it had known about the vulnerability for years and has been criticised for doing little about it.
More recently, the first public speech given by the GCHQ's director Ian Lobban highlighted the 'real and credible' threat facing the UK's critical infrastructure from terrorists, organised criminals and hostile foreign governments. He demanded a swifter response to match the speed with which 'cyber events' occurred, and stated that the country's future economic prosperity rested on ensuring a defence against such assaults. Shortly after these comments, the government published the National Security Strategy. Cyber space threats posed, it concluded, the highest risks alongside terrorism, an international military crisis, or a natural emergency, ahead of the second-tier threats that include nuclear attack.
In the Strategic Defence and Security Review, the government announced the introduction of a 'transformative' National Cyber Security Programme supported by £650m of new investment over the next four years. This programme will create a single point of contact for cyber crime, create the military Defence Cyber Operations Group to 'ensure the coherent integration of cyber activities across the spectrum of defence operations' and provide cyber security education for the public and business. In addition, the National Cyber Security Programme will focus on ensuring that online public services are secure, and that additional support is given to key UK industries and those critical networks owned and operated by private companies - for example, within the energy and water sectors. The new Cyber Infrastructure Team within the Department for Business, Innovation and Skills will provide strategic leadership and regulatory oversight, while sponsoring cyber security research.
The Critical National Infrastructure comprises facilities, systems, sites and networks necessary for the delivery of the essential services upon which daily life in the UK depends. This covers nine sectors: communications, emergency services, energy, finance, food, government, health, transport and water. In the UK the Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides protective security advice to the national infrastructure.
Ever wondered how the London Eye spins? Or how Tower Bridge is raised, automotive robots dance, chemical processes are run, water is pumped and electricity reaches your home? Supervisory control and data acquisition (SCADA) systems and programmable logic controllers (PLCs) and programmable automation controllers (PACs) are used to operate such systems.
PLCs were originally developed for the automotive industry and are rugged industrial computers that were designed to replace hardwired relay logic. PLCs operate in real time and run on stable operating systems programmed in IEC 61131-3 languages. These include Ladder Logic (which mimics relay logic), Instruction List (a low-level assembly-like language), Statement List (a high-level language resembling Pascal) and Function Block (a diagram describing the function between input variables and output variables). PLCs are used to automate electromechanical processes, including motors, pumps, pneumatics, control gear, and so on. PACs combine the typical features of PLCs with those of PCs in control systems. PACs are most often utilised for process control, data acquisition, remote equipment monitoring, machine vision and motion control.
A SCADA system is an industrial control system (ICS) for monitoring and controlling a particular process. The processes controlled by SCADA are varied and include manufacturing, energy, utilities, refining, oil and gas pipelines and large communications infrastructure. Facilities are also controlled by SCADA, such as buildings, airports, ships, and even space stations. PLCs or PACs in turn are used to directly control the process. With technology developments, functionality now overlaps between SCADA, PACs and PLCs.
Threats to industrial control systems
Industrial control systems have become more affordable and are in widespread use, particularly in the national infrastructure. The nature of food distribution and just-in-time logistics, however, means that sectors beyond the one directly affected might suffer damage to reputation and consumer confidence. All are potentially vulnerable to targeted cyber attack, accidental cyber events, and the actions of disgruntled former employees.
Cyber threats to industrial control systems are growing, as attackers seek new targets and sources of revenue. The CIA confirmed a cyber attack caused power outages in multiple cities including New Orleans in 2008, and has provided information on intrusions into utilities that were followed by extortion demands.
The US government has taken seriously the potential reconnaissance of the power grid by Russia and China, combined with the opportunity for terrorist attack. This year it formed the United States Cyber Command, an armed forces command responsible for directing operations, the protection of Department of Defense networks and the conduct of military cyberspace operations.
According to the US National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems (ICS) Security, potential incidents may include:
- blocked or delayed flow of information through ICS networks, which could disrupt ICS operation;
- unauthorised changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life;
- inaccurate information sent to system operators, either to disguise unauthorised changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects;
- ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects;
- interference with the operation of safety systems, which could endanger human life.
There has been a mistaken belief in security through obscurity through the use of specialised systems, protocols and proprietary interfaces; however, information is widely available and some systems have already been targeted specifically. Examples include the Modbus protocol and, more recently, the Stuxnet trojan/virus, which affected Siemens WinCC SCADA, Step 7 Programming Software and Simatic PLCs.
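The incident types listed above (unauthorised commands, altered alarm thresholds) and the mention of Modbus suggest the kind of check a plant network monitor can make. The following is an added example, not code from the article or from any vendor: a passive monitor that decodes Modbus/TCP request frames, flags write requests that do not come from the designated engineering workstation, and flags set-point writes outside an engineering range. The host addresses, the register limits and the captured frames are all constructed for the example; Modbus itself carries no authentication, which is why the monitor can only reason about the source host and the decoded request.

```python
"""Passive monitor for Modbus/TCP write requests (added example; all
hosts, limits and frames below are constructed, not from the article)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change controller state (coils / holding registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Assumed plant policy: one engineering workstation may write, and holding
# register 100 is an alarm threshold whose engineering range is 0..1000.
ALLOWED_WRITERS = {"10.0.0.5"}
REGISTER_LIMITS = {100: (0, 1000)}


@dataclass
class ModbusRequest:
    src: str
    unit_id: int
    function: int
    address: Optional[int]
    value: Optional[int]


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Decode one request: MBAP header (transaction id 2, protocol id 2,
    length 2, unit id 1) followed by the PDU (function code 1 + data)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame length")
    function = frame[7]
    address = value = None
    if function in (0x05, 0x06) and len(frame) >= 12:
        address, value = struct.unpack(">HH", frame[8:12])
    elif function == 0x10 and len(frame) >= 13:
        address, _count, byte_count = struct.unpack(">HHB", frame[8:13])
        if byte_count >= 2 and len(frame) >= 15:
            value = struct.unpack(">H", frame[13:15])[0]  # first register only
    return ModbusRequest(src, unit, function, address, value)


def audit(traffic: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (source host, reason) for every request that violates policy."""
    alerts = []
    for src, frame in traffic:
        try:
            req = parse_modbus_tcp(src, frame)
        except ValueError as exc:
            alerts.append((src, f"malformed frame: {exc}"))
            continue
        if req.function not in WRITE_FUNCTIONS:
            continue  # reads and diagnostics are routine polling traffic
        name = WRITE_FUNCTIONS[req.function]
        if src not in ALLOWED_WRITERS:
            alerts.append((src, f"{name} to unit {req.unit_id} from unauthorised host"))
        if req.address in REGISTER_LIMITS and req.value is not None:
            lo, hi = REGISTER_LIMITS[req.address]
            if not lo <= req.value <= hi:
                alerts.append((src, f"{name} sets register {req.address} "
                                    f"to {req.value}, outside [{lo}, {hi}]"))
    return alerts


def build_request(tid: int, unit: int, function: int, a: int, b: int) -> bytes:
    """Build a minimal 12-byte request; used here only to construct samples."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, function, a, b)


# Constructed traffic: a routine read, a legitimate set-point change,
# the same write from an unknown host, and an out-of-range write.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_request(1, 1, 0x03, 100, 2)),
    ("10.0.0.5", build_request(2, 1, 0x06, 100, 500)),
    ("10.0.0.99", build_request(3, 1, 0x06, 100, 500)),
    ("10.0.0.5", build_request(4, 1, 0x06, 100, 5000)),
]

if __name__ == "__main__":
    for host, reason in audit(SAMPLE_TRAFFIC):
        print(f"ALERT {host}: {reason}")
```

Running the script reports two alerts: the write from the unknown host and the authorised host's write of 5000 to the threshold register. In a real deployment the frames would come from a network tap on the control LAN rather than a constructed list, and the allow-list and register limits would be drawn from the plant's own configuration.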
Industrial control systems have long lifecycles, 10 to 20 years is not uncommon. Older systems were designed with little or no notion of cyber-security, and are interconnected and used in ways never originally envisaged. Combined with increasing complexity, proliferation of access points, wireless and wider use of common operating systems and the Internet, it is understandable why governments are keen to promote cyber security and why they have been active in producing general and sector-specific guidance.
Securing industrial control systems
Specific SCADA advice is offered by the CPNI in a series of Process Control and SCADA security good-practice guidelines, the foundation of which has three principles:
- Protect, Detect and Respond: it is important to be able to detect possible attacks and respond in an appropriate manner in order to minimise the effects;
- Defence in Depth: no single security measure is itself foolproof, as vulnerabilities and weaknesses could be identified at any point in time. In order to reduce these risks, implementing multiple protection measures in series avoids single points of failure;
- Technical, Procedural and Managerial protection measures: technology is insufficient on its own to provide robust protection.
Recommendations from NIST include:
- restricting physical access to the ICS network and devices;
- protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing; disabling all unused ports and services; restricting ICS user privileges to only those that are required; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where feasible to prevent, deter, detect, and mitigate malware;
- maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event;
- restoring systems after an incident. Incidents are inevitable and an incident response plan is essential.
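The NIST recommendation to use file integrity checking on ICS components can be illustrated with a small baseline-and-compare tool. The following is an added example, not code from the article or from any vendor: it hashes every file under a directory (for instance an engineering workstation's project folder), stores the digests as a baseline, and on a later run reports files that were modified, added or removed. The directory layout and file contents in the demonstration are constructed placeholders; the file names are chosen only to look like a PLC project tree and do not reflect any real project format.

```python
"""Baseline file-integrity check for an ICS project directory (added
example; the demonstration tree and its contents are constructed)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def save_baseline(path: Path, digests: Dict[str, str]) -> None:
    """Persist the baseline; in practice store it off the monitored host."""
    path.write_text(json.dumps(digests, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify differences between a stored baseline and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a toy project tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        (root / "blocks").mkdir(parents=True)
        # placeholder contents; not real PLC code
        (root / "blocks" / "main_block.txt").write_text("CALL sub_block\n")
        (root / "blocks" / "sub_block.txt").write_text("L 100\nT output_word\n")
        (root / "project_header.txt").write_text("placeholder project header\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(baseline_file, snapshot(root))

        # simulate tampering: alter one block, add an unexpected block,
        # and delete the project header
        (root / "blocks" / "sub_block.txt").write_text("L 100\nT output_word\nCALL extra\n")
        (root / "blocks" / "extra_block.txt").write_text("unexpected block\n")
        (root / "project_header.txt").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check only has value if the baseline itself is trustworthy, so it should be taken immediately after a verified deployment and kept somewhere the monitored workstation cannot write to; comparing on a schedule and after every engineering change gives an audit trail of what changed and when.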
Further guidance is referenced by CPNI, much of it a result of work sponsored by the US Department of Homeland Security. This includes a series of sector road maps to secure the water, electricity and chemical sectors. These follow a similar 10-year programme to assess risk and to develop and implement risk mitigation measures. There is an emphasis on cost-effective security for legacy systems, new architecture designs and secure communications.
Standards in this area are blossoming, including work being done by the US International Society of Automation (ISA), which has published ISA-99 Parts 1 and 2 dealing with Industrial Automation and Control Systems Security. Part 1 serves as the foundation for all subsequent standards in the ISA99 series. Meanwhile the IEC is also working on ICS standards and is considering work done in ISA.
The challenge is to develop a sustainable approach and to continue a process of assessment, adjustment and review in light of emerging vulnerabilities, threats and consequences, while implementing appropriate measures.
Stuxnet was the first publicly known worm to target industrial control systems. Its goal was to sabotage real-world industrial plant - not disrupt abstract IT systems. The threat posed by Stuxnet has been portrayed as beyond anything seen before, and a once-in-a-decade event. Stuxnet was aimed at Industrial Control Systems with the intention to reprogram systems in a manner that would sabotage plant, hiding the changes from programmers or users.
Stuxnet has highlighted the potential to directly attack industrial control systems used in Critical National Infrastructure. Research by Symantec showed that nearly 60 per cent of the approximately 100,000 infected hosts were located in Iran, with relatively high infection rates also seen in India and Indonesia (September 2010). This has led to speculation that Stuxnet's goal was disruption of Iran's delayed Bushehr nuclear power plant or the uranium enrichment plant at Natanz.
Since PCs used for control system programming are not normally connected to the Internet, Stuxnet replicates via removable USB drives, exploiting a vulnerability enabling auto-execution. It then spreads across the LAN via a Windows Print Spooler vulnerability and via a Windows Server Remote Procedure Call vulnerability. It copies and executes on remote computers through network shares and Siemens WinCC database servers (SCADA software). It copies itself into Siemens Step 7 PLC projects and executes when a project is loaded. It updates versions via peer-to-peer communication across a LAN. Stuxnet communicates with two command and control servers originally located in Denmark and Malaysia to enable code download and execution, including updating versions and the ability to change command and control servers, although this has not been observed to date.
Stuxnet fingerprints specific PLC configurations that use the Profibus industrial network for distributed I/O. If the fingerprint does not match the target configuration, Stuxnet remains benign. If the fingerprint matches, the code on the Siemens PLCs is modified through the infected Step 7 programming software and the changes are hidden. The modified code prevents the original code from running as intended and causes the plant equipment to operate incorrectly, potentially sabotaging the system under control. This is achieved by interrupting processing of code blocks, injecting network traffic on the Profibus network and modifying output bits of the PLC and distributed network I/O.
The future threat Stuxnet poses is a blueprint for attacks on real-world infrastructure, providing generic methods to reprogram industrial control systems. However, the level of sophistication and complexity of Stuxnet, which required significant resources, makes it unlikely that similar threats will develop overnight.
Dr Richard Piggin is a UK Expert to IEC Network & System Security and Cyber Security Working Groups involved in developing IEC 62443 Security for Process Measurement and Control - Network and System Security.