2011-02-22

How Stuxnet Spreads

Eric Byres, Joel Langill and I have just released a new whitepaper: How Stuxnet Spreads - A Study of Infection Paths in Best Practice Systems. The paper details how the worm moves through what appear to be well-protected enterprise, plant and control system networks and firewalls on the way to its objective - the PLCs controlling the physical process. Existing best-practice security measures are shown to be insufficient to the task of deflecting attacks as sophisticated as this one.

A Well-Defended Network

The paper describes a "high security" network protected as recommended by the Siemens whitepaper: Siemens Security Concept PCS 7 and WinCC - Basic Document. We chose this network architecture for a number of reasons:
  • the Siemens whitepaper describes what most analysts would describe as a good, modern defense-in-depth architecture,
  • most industrial sites are in fact defended less thoroughly than Siemens recommends in this whitepaper,
  • the Siemens PCS 7 architecture was the one targeted by the Stuxnet worm, and
  • by staying close to the vendor's recommendations, we blunt the expected "your attack only worked because you failed to configure your system per the vendor's recommendations" criticism.
The Siemens recommendations include:
  • several layers of firewalls,
  • several network segments,
  • the use of VPNs for remote access,
  • a strong patch program,
  • a strong anti-virus program,
  • hardening of control system hosts,
  • central logging of security events, and more.
This is better security than is in place at most sites, no matter what control system vendor they use.

Note that our choice of the Siemens architecture is not meant to be critical of that architecture. The authors of the Stuxnet worm designed the worm to compromise Siemens systems only because their target site was running a Siemens system. If the target facility had run some other control system, some other vendor would be sweating in the spotlight these last few months. Siemens is not the story here - the agencies who are today's advanced threats can compromise any site protected by today's "best practice" systems.

The Compromise

The bulk of the paper details the different ways the worm bypasses these protections. Take the anti-virus protections for example:
  • For the first three months the worm circulated undetected, no anti-virus signatures existed for it, so no anti-virus product detected it.
  • When the worm started on a machine, it checked to see which AV product was installed, if any. The worm then selected a set of attacks which would not trigger "behavioural" detection rules for that product.
Digging a bit deeper, I think a big problem with today's "best practice" security programs is that they still permit connections between network segments at different security levels for "business-essential" communications. The problem is that most communications between control system networks and less trusted networks can be described as essential to the operation of the business. As a result, firewalls protecting control-system assets or plant-wide assets are full of rules allowing many kinds of communication between many sets of machines. With this large menu of possible communications to choose from, it is not surprising that Stuxnet, Night Dragon and other advanced threats find ways through these firewalls.
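One way to make the "large menu" concrete is to audit a zone-to-zone ruleset and flag every allow rule that lets a less trusted segment initiate traffic into a more trusted one, especially rules with wildcard hosts or services. The script below is an added example, not code from the whitepaper or from Siemens; the zone names, their trust levels and the sample rules are constructed for illustration.

```python
"""Audit a layered firewall ruleset for broad "business-essential" allow rules.

Added example with constructed data. The zone names, trust levels, rule
format and sample rules are assumptions made for illustration; they are not
taken from the whitepaper or from any vendor's architecture document.
"""
from dataclasses import dataclass

# Assumed trust levels for a layered plant architecture
# (higher number = more trusted / closer to the PLCs).
ZONE_LEVEL = {
    "enterprise": 1,
    "dmz": 2,
    "plant": 3,
    "control": 4,
}

ANY = "*"

INBOUND = "inbound to higher-security zone"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_hosts: str   # "*" or a comma-separated host list
    dst_hosts: str   # "*" or a comma-separated host list
    service: str     # "*" or a proto/port such as "tcp/1433"
    action: str      # "allow" or "deny"


def audit_rule(rule):
    """Return a list of finding strings for one rule (empty list = clean)."""
    findings = []
    if rule.action != "allow":
        return findings
    src_lvl = ZONE_LEVEL[rule.src_zone]
    dst_lvl = ZONE_LEVEL[rule.dst_zone]
    # Traffic initiated from a less trusted zone into a more trusted one is
    # the kind of "business-essential" crossing the post is talking about.
    if src_lvl < dst_lvl:
        findings.append(INBOUND)
        if dst_lvl - src_lvl > 1:
            findings.append("skips an intermediate zone")
    if rule.service == ANY:
        findings.append("any service")
    if rule.src_hosts == ANY:
        findings.append("any source host")
    if rule.dst_hosts == ANY:
        findings.append("any destination host")
    return findings


def audit_ruleset(rules):
    """Map rule name -> findings for every rule that has at least one."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


def exposure_score(rules):
    """Crude breadth measure: total findings on rules that allow traffic
    into a higher-security zone. A bigger number means a larger "menu"."""
    return sum(len(f) for f in audit_ruleset(rules).values() if INBOUND in f)


# Constructed sample ruleset (not from any real site).
SAMPLE_RULES = [
    Rule("hist-replication", "plant", "dmz", "historian01", "dmz-hist", "tcp/1433", "allow"),
    Rule("remote-support", "enterprise", "control", "*", "*", "*", "allow"),
    Rule("wsus-pull", "control", "dmz", "*", "wsus01", "tcp/8530", "allow"),
    Rule("ad-auth", "dmz", "plant", "dc-dmz", "*", "tcp/88", "allow"),
    Rule("default-deny", "enterprise", "control", "*", "*", "*", "deny"),
]

if __name__ == "__main__":
    for name, findings in audit_ruleset(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(findings)}")
    print("exposure score:", exposure_score(SAMPLE_RULES))
```

Running it on the sample set flags the catch-all remote-support rule on five counts, the AD authentication rule for its inbound direction and wildcard destination, and the WSUS pull only for its wildcard source; the historian replication rule, which only talks outward to a less trusted zone with fixed hosts and a fixed port, comes back clean. On a real ruleset the interesting output is the count of inbound-crossing rules, since each one is a path an attacker who already holds the lower zone can try.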

Looking Forward

Everyone looks for the quick fix, and unfortunately there doesn't seem to be one this time. Defending against advanced threats takes real determination. The whitepaper discusses at some length the kinds of cultural changes that need to take place at industrial sites. Some kinds of new technology do help. For example:
  • new limited-connectivity, deep-packet inspection firewalls,
  • unidirectional gateways to cut off entirely certain attack vectors, and
  • HIPS/whitelisting technologies
spring to mind. The paper mentions a host of others.

The message to take from the paper is that today's best-practice defenses are not enough to stop today's advanced threats. Defending against advanced threats takes a new kind of awareness and determination that is only just starting to emerge in critical infrastructure sectors.

1 comment:

  1. Very comprehensive report the three of you wrote, with lots of useful info for those interested in protecting industrial control environments. Keep up the good work!