Stuxnet analysis finds more holes in critical software
18:27 25 March 2011 by Paul Marks
Stuxnet may have done us all a favour. Although the computer worm seems to have targeted nothing beyond Iran's nuclear programme, the obscure breed of industrial control software it so easily attacked runs factories and major utilities worldwide – and its apparent ease of success has prompted security researchers to seek out weaknesses in these critical systems. Now they have revealed dozens of vulnerabilities in the supervisory control and data acquisition (SCADA) software that much national infrastructure and manufacturing industry depends upon.
Over the past week, computer experts in Italy, Russia and the US have posted details online on a clutch of vulnerabilities they have found in various SCADA packages used to automate installations as diverse as power stations, water purification plants, oil refineries, food factories, breweries and steel plants. None of the weaknesses have yet been exploited by worms, but sample "exploit code" has proved the vulnerabilities are real.
If harnessed by an attacker, the security holes could cause SCADAs to crash or deny operators access to critical data – or allow saboteurs access to the industrial process itself. The vulnerabilities were serious enough to prompt a series of alerts from the US Department of Homeland Security's Computer Emergency Readiness Team (US-CERT), urging the authors of the SCADA software to plug the holes.
Holes around the world
The SCADA weaknesses began to be revealed on 17 March by security firm Gleg in Moscow, Russia, which released 11 examples. Gleg was followed quickly by Luigi Auriemma, a freelance threat analyst based in Milan, Italy, who released a list of a further 34 vulnerabilities, alleging that industrial software authored by Siemens of Erlangen, Germany, Iconics of Foxborough, Massachusetts, 7-Technologies of Birkerød, Denmark and Datac of Dublin, Ireland, is susceptible to various attacks. Then US-CERT itself discovered holes in a system made by Ecava of Kuala Lumpur, Malaysia.
The SCADA problems found include software designs that allow, for instance, overlong data strings to be accepted as valid inputs. The "buffer overflow" this causes can corrupt memory and allow the running of commands that might give an attacker remote control by promoting their access privileges, says Rik Ferguson, a security researcher at Trend Micro in Marlow, UK.
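The input-handling flaw Ferguson describes, as an added illustration that is not code from the article or from any of the vendors named: a constructed length-prefixed "tag name" field is parsed first the flawed way (declared length trusted, fixed buffer) and then with the bounds and content checks that reject an overlong string before it can corrupt memory. The wire format, TAG_MAX and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed format for illustration only (not a real SCADA protocol):
 * byte 0 = declared tag-name length, followed by that many name bytes. */
#define TAG_MAX 16   /* capacity of the fixed tag buffer, assumed */

/* The flawed design the article describes: the declared length is taken
 * as valid and copied into a fixed buffer with no bounds check, so an
 * overlong string runs past 'out' and corrupts adjacent memory. */
int parse_tag_unchecked(const uint8_t *msg, size_t msg_len, char out[TAG_MAX])
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    memcpy(out, msg + 1, len);   /* no check of len against TAG_MAX */
    out[len] = '\0';
    return (int)len;
}

/* Hardened parser: the declared length must fit both the bytes actually
 * received and the destination buffer (leaving room for the terminator),
 * and the name must be printable ASCII. Returns tag length, or -1. */
int parse_tag_checked(const uint8_t *msg, size_t msg_len,
                      char *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || out_cap == 0 || msg_len < 1) return -1;
    size_t len = msg[0];
    if (len == 0 || len > msg_len - 1 || len >= out_cap) return -1;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = msg[1 + i];
        if (c < 0x20 || c > 0x7e) return -1;   /* reject control/binary bytes */
    }
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample messages: a valid 5-byte name and one that
     * declares 200 bytes, far more than TAG_MAX or than was received. */
    const uint8_t good[] = {5, 'P', 'U', 'M', 'P', '1'};
    const uint8_t overlong[] = {200, 'A', 'B', 'C'};
    char tag[TAG_MAX];
    printf("good: %d -> %s\n", parse_tag_checked(good, sizeof good, tag, sizeof tag), tag);
    printf("overlong: %d (rejected)\n",
           parse_tag_checked(overlong, sizeof overlong, tag, sizeof tag));
    return 0;
}
```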
Although some cybercriminals sell such vulnerability information in underground forums, honest security researchers often reveal it to the software author in the hope that they will plug the holes – but others, like Gleg and Auriemma, post the information online to prompt action.
"There is a long-standing argument between which is best: responsible disclosure or full disclosure," says Ferguson.
Until the holes are plugged, their utility is clear, though. Sakir Sezer, a network security engineer at Queen's University in Belfast, UK, says they could be used by a firm's rivals for industrial espionage, sabotage or blackmail. "Or they could pay a team to attack their competitors, delaying their product reaching the market," he says.
Doors to the factory floor
SCADAs are mostly Windows-based programs that act as the front ends to robust, keyboardless computers called programmable logic controllers. These PLCs reside on the factory floor and choreograph the activities of equipment like robot arms, conveyor belts, bottling machines, steel presses, sensors and valves. They do what they are told by programs that the SCADA injects – so access to the SCADA has to be defended.
Stuxnet – delivered via USB sticks left around the Iranian site in a classic "social engineering" attack – used unpatched Windows vulnerabilities to get inside the SCADA at Iran's Natanz enrichment plant. It then injected code to make a PLC speed up and slow down centrifuge motors – wrecking more than 400 machines. Siemens made both the SCADA (WinCC) and the PLC (S7-300) attacked by Stuxnet.
The firm has moved fast after being named in Auriemma's list this week. "This time the publicised information has been analysed very quickly," says Siemens spokesman Alexander Machowetz. "Five of the six issues are being patched immediately and the sixth can be dealt with via a configuration change."
Informed of Siemens' patching by New Scientist, Auriemma says, "That's great news. I wouldn't have bet on such prompt action from them."
But unlike government agencies, companies making (or using) SCADAs are not obliged to react to alerts and US-CERT advisories.
What is needed is a way for the systems to sense and avoid attack, says Sezer. So this week, the European Commission has agreed to fund a €4 million research project to develop SCADA defences – and with a knack for tortured acronyms, it's been dubbed PRECYSE.
"The measures to be developed may involve restricting internet access by the SCADA to its absolute minimum needs," says Sezer, whose team at Queen's is part of the project. "You know what type of internet traffic the SCADA needs – so you should be able to inspect data packets using protocols that sense attack code and where it is coming from: one trusted source or 100,000 bots?"
Queen's University will work alongside the Fraunhofer Institute's Competence Center for Industrial Automation in Karlsruhe, Germany, and Spanish and Norwegian teams. Collaboration with US and Asian teams doing similar work is likely, Sezer says.
Source and/or read more: http://goo.gl/Y3HcK