Stuxnet: are we really safe now? Of course not!

Once again I draw inspiration from the topic of Stuxnet, about which much is being written on the web at this time and which will be discussed for years to come. Researchers everywhere have called Stuxnet a deadly weapon, but why, if the direct damage recorded is comparable to that of other malware?
The answer lies in the nature of the malware, which was designed on the basis of a detailed analysis of the final target environment. Behind Stuxnet there is clearly a meticulous intelligence effort that, for the first time in history, was combined with information technology to design what is considered the first real cyber weapon.

No one dares to speculate on the paternity of the agent, but it is clear that it was designed with the intent of striking the Iranian nuclear program, and it is even clearer who has always opposed that program, the U.S. and Israel first of all. Consider also that the technical skill needed to develop a weapon with the observed architecture is very high.

Personally I find two aspects of the event extremely important:

  • the choice of control systems as the target of the malware.
  • the conception of the virus as an open project, a modular system for which a development platform was designed and used to assemble the cyber weapon according to the final targets.

The first factor leads to an important consideration: those who developed Stuxnet had long known about the vulnerabilities of industrial control systems, an aspect the whole world became aware of only after the event. Today we count how many SCADA systems are exposed on the Internet, a great many of them vulnerable because they are badly configured or because of design flaws. Control systems are the Achilles' heel of strategic plants with otherwise invulnerable perimeter security; they represent an open door that only insiders know about. Not only that: Stuxnet provided evidence of deep knowledge of the systems present in the target nuclear plant, a demonstration of a meticulous intelligence effort that left no stone unturned, down to the photos published on the occasion of President Ahmadinejad's visits to some nuclear sites.

Regarding the second point, a platform behind Stuxnet has been discovered, called the “Tilded Platform”, which was also used for the development of the Duqu malware. It makes possible the development of a set of reusable tools, a true innovation that allows the composition of ever new and enhanced agents from modules developed to fulfill specific functions against clearly defined targets.

Other aspects that are not negligible are the public autopsies of Stuxnet carried out by researchers all over the world, which have opened minds to a new topic: the development of a cyber weapon with these specific features. Security professionals now have a much clearer idea of how this kind of cyber weapon works, and this opens up dangerous future scenarios. The victims themselves will surely work in the same way to attack Western facilities; are we ready to prevent this kind of offensive? Let me say not yet. I speak from Italy, a nation that is facing serious economic problems like other European countries.
ENISA has proposed several guidelines, but we are far from implementing them, and we are exposed to a big threat.

According to several interviews and talks by the security specialist Ralph Langner, considered the foremost Stuxnet expert, we are under attack, and we have no idea of the potential of agents of this kind, which in theory could remain in stealth mode inside the target for several years, evading security systems, gathering information and preparing the final attack.

This type of attack usually unfolds over a period of months under cover, so that the malware's activity goes unnoticed. We need to improve forensic techniques to identify the threat and eradicate it; today major installations and critical infrastructure are really not prepared, and that is Langner's view. Langner is convinced that we presently do not have intrusion detection systems (IDS) able to detect this malware. We are fighting an invisible enemy, and from a technological point of view we are far from a final solution to the problem, a product that would be capable of doing this. Another aspect not to overlook is the belief that the control systems of the major manufacturers, common in every industrial sector, are absolutely secure. This belief, and the lack of information about the risks associated with their use, is the basis of the lack of awareness of the threat. Langner argues that a more humble and collaborative approach by companies like Siemens would no doubt help to combat the threat more effectively. Contrary to much of the public reporting on Stuxnet, however, Langner said that the worm was not designed to destroy the Natanz facility, but rather to secretly and stealthily control the process and steer it into a virtual ditch.

The analysis conducted by Langner has revealed that we are facing an incredibly deep understanding of the functioning of the Siemens Simatic software and of the centrifuges that the Iranians relied on. The famous expert said:

“These guys know the centrifuges better than the Iranians,” Langner said of the Stuxnet authors. “They know everything. They know the timing, they know the inputs, and they know it by heart.”

Stuxnet's authors did not use a particularly sophisticated hack: they simply took advantage of a questionable design decision by Siemens to make the controller's input process image read-write instead of read-only, which allowed the malware to record the process inputs and play them back to the controller's own logic through the PLC interface. This should alert the entire industrial community, because those control systems are vulnerable by design, not merely because of a bug that a patch can remove.
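To make the consequence of that design decision concrete, here is a small simulation, added here and not code from the original post nor from Siemens or Stuxnet. The PLC, the sensor readings and the attacking block are all modelled in-process with constructed values, and every name in it (`Plc`, `ReplayAttack`, `simulate`, the 1100 rpm trip limit) is this example's own assumption. It shows what a writable input process image buys an attacker: a malicious block scheduled in the same scan cycle as the legitimate logic records a window of healthy inputs and then keeps overwriting the image with that recording, so the safety logic sees normal values while the physical process is driven out of range. With a read-only image the same overwrite is rejected and the safety logic trips.

```python
"""
Toy model of a PLC scan cycle with a process-input image (PII).

Added example, not code from the original post and not Siemens or
Stuxnet code. Controller, sensor readings and attacking block are all
simulated in-process with constructed values; the names used here are
this example's own. The point demonstrated: if user blocks may write
into the input image, a malicious block can replay recorded "healthy"
inputs to the legitimate logic; if the image is read-only, it cannot.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Plc:
    input_image_writable: bool                            # the design choice under discussion
    image: Dict[str, int] = field(default_factory=dict)   # process-input image (PII)
    rejected_writes: int = 0

    def refresh_inputs(self, sensors: Dict[str, int]) -> None:
        """Start of scan: the runtime copies physical readings into the PII."""
        self.image = dict(sensors)

    def write_input_image(self, values: Dict[str, int]) -> bool:
        """A user block writing into the PII; only possible if the image is read-write."""
        if not self.input_image_writable:
            self.rejected_writes += 1
            return False
        self.image.update(values)
        return True


def safety_logic(plc: Plc, max_rpm: int = 1100) -> str:
    """Legitimate control logic: trip the drive if the rpm in the PII is out of range.
    It trusts the image; it has no independent path to the physical sensor."""
    return "TRIP" if plc.image["rpm"] > max_rpm else "RUN"


class ReplayAttack:
    """Malicious block scheduled ahead of the safety logic in every scan cycle.
    Phase 1: record `record_scans` frames of benign inputs.
    Phase 2: overwrite the PII with the recording, frame by frame, forever."""

    def __init__(self, record_scans: int) -> None:
        self.record_scans = record_scans
        self.recorded: List[Dict[str, int]] = []
        self.replayed = 0

    def on_scan(self, plc: Plc) -> None:
        if len(self.recorded) < self.record_scans:
            self.recorded.append(dict(plc.image))          # record phase
            return
        frame = self.recorded[self.replayed % self.record_scans]
        self.replayed += 1
        plc.write_input_image(frame)                       # replay phase


def simulate(writable: bool, scans: int = 8, record_scans: int = 4) -> List[Dict[str, object]]:
    """Run `scans` cycles. Constructed physical readings: 1000 rpm while the
    attacker records, then 1400 rpm (over the 1100 limit) once it replays."""
    plc = Plc(input_image_writable=writable)
    attacker = ReplayAttack(record_scans)
    trace: List[Dict[str, object]] = []
    for n in range(scans):
        true_rpm = 1000 if n < record_scans else 1400
        plc.refresh_inputs({"rpm": true_rpm})
        attacker.on_scan(plc)              # runs before the safety logic, same cycle
        trace.append({
            "scan": n,
            "true_rpm": true_rpm,
            "seen_rpm": plc.image["rpm"],  # what the safety logic actually reads
            "decision": safety_logic(plc),
        })
    return trace


def image_mismatches(trace: List[Dict[str, object]]) -> List[int]:
    """Scans where the PII diverged from the physical reading. Only a monitor with
    an independent path to the sensor (not the PLC logic itself) can compute this."""
    return [t["scan"] for t in trace if t["seen_rpm"] != t["true_rpm"]]


if __name__ == "__main__":
    for writable in (True, False):
        trace = simulate(writable)
        print(f"input image writable={writable}: "
              f"decisions={[t['decision'] for t in trace]} "
              f"tampered scans={image_mismatches(trace)}")
```

The `image_mismatches` check is the part worth dwelling on: the PLC's own logic cannot detect the replay, because the image is the only view of the process it has. Detection has to come from outside the controller, by comparing what the logic believes with an independent reading of the physical process, which is exactly the kind of instrumentation most plants did not have.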

In conclusion, we can raise serious doubts about the immediate effectiveness of preventive measures against this new generation of cyber weapons, because industry in general is still too vulnerable. Possible evolutions of the malware could cause serious damage to infrastructures that use the systems in question.

The only way to emerge unscathed from this awkward situation is close collaboration between industry, the leading manufacturers of control systems and governments, in the hope that security will become a requirement in the design phase.

Pierluigi Paganini

References

https://threatpost.com/en_us/blogs/why-stuxnet-attacks-arent-going-away-012712

http://threatpost.com/en_us/blogs/stuxnet-expert-langner-analysis-shows-design-flaw-not-vulnerability-sunk-siemens-011912

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
