The cyberattack last summer on Iran's nuclear facilities has upped the ante for decision-makers in charge of critical infrastructure and enterprise networks, reports Greg Masters.
Iran had a fallout problem at two nuclear facilities last July, but it wasn't radiation that leaked. Rather, after the plants' computer systems were infected with a worm, later dubbed Stuxnet, fallout took the form of a dramatic shift in what cyberattackers are capable of and how they must respond.This was clearly the opening salvo in what many suspect could be a new strategy in attacking an enemy. The worm, according to a Symantec report, exploited four zero-day vulnerabilities, compromised two digital certificates and injected code into the programmable logic controllers, or PLCs, of industrial control systems used to manage industrial environments – such as power plants, oil refineries and gas pipelines. The malware relayed instructions to the physical machinery that literally made the equipment blow a gasket.Iranian scientists at a uranium processing center in Natanz and a nuclear reactor in Bushehr quickly replaced centrifuge machines that were affected by the worm – so actual disruption of their forging of low-enriched uranium was limited – but the cyberattack has put the global security community on notice that their enterprise or government infrastructure is susceptible to a similar infection that could cripple computer systems that control physical facilities."Stuxnet has changed our jobs entirely," says Kevin Rowney, founder of the data leakage prevention division at Symantec. "How could it be more clear?" Panic is not necessary at this time, but security does need to be re-evaluated, he says.Certainly with the arrival of Aurora, a cyberattack that reached into the networks of Google and 30 other large corporations, Stuxnet and disclosures by WikiLeaks, it has been an "off-the-hook" year, says Rowney, who is also director of the breach response team at Symantec. "How fast things have progressed."One finite result is that executives are more in sync with reality, he says. Board members are asking questions of security teams and executives are paying attention. Further, these major events have been covered in the business press in a way that makes an impact on people who don't necessarily have a technology background, he says."The urgency around this was quite clear," Rowney says. "A lot of parties were infected. It is on everybody's mind."
Stuxnet pointed out that it is not technology that is required to safeguard systems, but placing emphasis on policies and procedures, says Amichai Shulman (left), CTO at Imperva, a Redwood Shores, Calif.-based data security vendor. Stuxnet was successful because the code was distributed using USB sticks or key fobs, probably giveaways at some event, he says. These were then inserted carelessly in protected networks which unleashed the bug."So, Stuxnet was distributed from inside," he says. The single most important lesson we can take from this experience and its consequences, he adds, is that we cannot completely obliterate this behavior."What I see is organizations trying to forbid access to keys and USB sticks across the entire network," Shulman says. "This is bound to fail because there are some areas where employees need to use USB sticks and other external devices."Organizations must create safe environments for a few workstations that involve SCADA and deploy solutions, he advises. The general rule is that the easiest way to attack SCADA systems is not through control systems, as occurred with the Stuxnet attack, but through a management system, which is built on standard technologies, like Java, and is likely connected with the internet. These are usually more complex and powerful than the controllers behind them, but since they are connected to the internet are susceptible to malware attack, particularly of a moibile nature, he says.And this bodes ill for the future, he warns, as more and more mobile devices, such as iPhones, are brought into the enterprise environment. In the near future, he expects some sort of iPhone app infected with malware to attack management systems. "This backdoor can allow an attacker to take down or tamper with a management system," he says.This is likely to happen because these management platforms are often not custom made, but commercially available products, so attackers can prepare in advance.Shulman says that rather than focusing efforts on protecting the control systems in SCADA networks, as he has seen in some government entities, it would be better to beef up security around management systems, using the same tools and techniques used to protect web-facing applications. IT professionals should consider everything outside of the SCADA network to be hostile. To protect the power grid, isolate the SCADA management network away from other functions, such as HR, finance and transportation, he says
But, this might not be enough as the SCADA systems in Iran were protected well by most standards, says Charlie Miller (right), principal analyst of software security at Independent Security Evaluators, a security consulting firm. They ran on an isolated (non-internet-connected) network that consisted of fully patched Windows computers running up-to-date anti-virus."This is really all you could hope for for in these critical infrastructures," he says. But, he agrees that someone can always walk in with a USB stick with a worm packed with zero-day exploits.This is how computer security has been since the beginning, he adds, although people tended to ignore it since most networks were susceptible to old, easily detectable attacks. "We are only now trying to think of ways to defend against zero-day attacks, such as the one here or the one used in Aurora."And, he says, there aren't great solutions available to defenders at this moment. It is hard to defend against the unknown, he says, as most networks cannot even defend against known attacks, much less unknown ones.
Others agree. Stuxnet was definitely a game-changer in terms of what it could do, says David Kennedy (left), director of information security at Diebold, a security integrator that provides protection and detection solutions. "What it showed was that our current ways of thinking about security are flawed."The fact that the intrusion happened from the inside points out that hackers are bypassing traditional defenses, he says. "Stuxnet should have been detected."He says enough anamolous traffic on the system should have alerted somebody. "We can't treat the internal environment as a safe haven anymore," Kennedy says. "Internal users are untrusted now."One problem he points to is the fact that employees are not up to speed on security concerns, singling out the USB stick situation. "We've built a world where everyone has access to everything," he says. "Currently, there is a ton of communication between the corporate network and internal SCADA systems. This has to stop," he says.The way to prevent infection is to first identify what is considered absolutely critical and then to isolate that system. "We need to look at critical infrastructure and put controls around it," Kennedy says.Education is a critical component as well, as is being able to detect anomalies. "We need a comprehensive security program with access management to minimize the impact of attacks," he says. "Network access control is essential in a full defense-in-depth approach, so there are layers in place."Attackers are using common techniques for exploiting weaknesses, he adds. "We need to harden systems to stop intrusions or at the least alert us."
Still, the complexity of infrastructure systems invites any number of exploits that, experts say, can only be thwarted by staying on top of the latest threat intelligence. Attackers are constantly changing and adapting, so the best defense is one that is dynamic and flexible, says Don Jackson (right), director of threat intelligence at Dell SecureWorks. His recommendation is that those responsible for building and managing critical infrastructure systems employ the services of objective security professionals to continuously refine threat models by incorporating data from the latest incidents and intelligence on emerging threats."These threat models are used to assess the effectiveness of security in the context of modern threats," says Jackson. "That is, assessments need to take into account new information learned about the financial resourcefulness, technical sophistication, determination and the impact of threat agents such as those behind Stuxnet." Those assessments inform funding and policy regarding critical infrastructure protection, and the success of Stuxnet indicates that current approaches are inadequate, Jackson says.New approaches need to account for well-funded international groups with expert-level domain knowledge and access to zero-day exploits, he says. "Findings may dictate shifting focus away from patching known vulnerabilities and reliance on system isolation and toward developing whitelist approaches for code packages, integrity controls and anomaly detection features that operate at supervisory layers, operating systems that have smaller attack surfaces, and security models that are more strict about access to process memory and the kernel." These are some of the measures that could be requirements in the secure system development lifecycle (SDLC) approaches to next-generation systems like those used to build the smart grid, Jackson says.However, he warns, issues found in existing systems will require that systems be reconfigured or new controls be bolted on. Obviously, even simple issues – such as allowing USB devices to be connected – need to be revisited, he says."The public hears that critical systems are safe in large part because they are 'air-gapped,' or not connected to other systems or networks like the internet," Jackson says. "However, U.S. Office of Management and Budget (OMB) reports and analysis of the Stuxnet worm tell us otherwise. We need to recognize that these systems are not air-gapped in practice and deploy controls accordingly. USB drives and CD-ROMs are often used to update systems that are supposed to be air-gapped. Using USB drives and CDs is how Stuxnet spreads."It is important to keep these SCADA systems updated, and there are advantages in linking them with some other systems for monitoring and centralized control, but these require deploying security measures accordingly, Jackson says. "We can't afford to justify lack of investment in state-of-the-art controls under the myth that these systems are sufficiently isolated from threat agents like those behind Stuxnet."To fight against zero-days, strong edge policies are needed to make it harder to access the target networks, and strict whitelisting is required inside those target networks, says Eric Knapp, director of critical infrastructure markets at NitroSecurity. "Most importantly, because no single defense is good enough, situational awareness is required from start to finish."The problem, he explains, is that most information security products aren't suitable to protect or to monitor the target network, which in this case is an industrial automation network using specialized protocols and applications."We've always hardened the entry points into SCADA and internet connection sharing (ICS) networks by securing the enterprise network that contains them, while leaving those critical networks relatively unprotected from the inside," he says, adding that this approach isn't good enough anymore. "The control systems have to be as hard if not harder to breach – a defense-in-depth strategy comprising elements including specialized ICS firewalls, and compatible network and application whitelisters."But it's not just technology that will thwart intrusions, it will also take new approaches. More questions should be asked about the critical systems and their networks, says Michael Sconzo, principal security consultant at NetWitness. He believes that through the exercise of asking more questions the capability to analyze system behavior, baseline and anomalies will be developed."By gaining a better understanding of the critical systems and the networks and systems surrounding them is crucial for detecting new and unknown threats, as well as the impact that these threats can have," Sconzo says. "Having continued conversations between process control experts and security experts is also a necessary step. Vendors should also be engaged to develop in-house security programs to ensure that their devices are resilient to attack." Lessons from Stuxnet
Few would argue that traditional security strategies are sufficient in a post-Stuxnet world. Stuxnet should have taught security professionals many things, says Michael Assante (left), president and CEO of the National Board of Information Security Examiners (NBISE), a nonprofit that develops examinations and certification requirements. "One important realization is that the perimeter protection model used to protect critical systems is more aligned with cyberthreats of yesterday and is most effective against less directed and intelligent types of cyberattacks. There are significant issues – such as how easy it is to inject code on controllers – that are not be directly addressed." Another important lesson, he says, is that any attempt to regulate or manage these types of risks through standards needs to think through not only what to require, but the implications of how they are to be implemented and enforced. "Stuxnet shows us that we must value learning, and find ways to allow critical system owners to maintain flexibility and be innovative if we hope to best manage the risk represented by an intelligent and adaptive set of cyber actors," Assante says.Stuxnet also demonstrates the need to address security and resilience at the design and building stage, says Assante, former CSO at the North American Electric Reliability Corp. (NERC), which works to ensure the reliability of the bulk power system in North America. "We can't continue to look solely toward owners and operators and expect to bolt on security to manage risk around difficult-to-secure technology."| “The key will be balance." – – Michael Assante, president and CEO of the National Board of Information Security Examiners |
Stuxnet: Up close
• Stuxnet was a targeted attack on five different organizations.• 12,000 infections can be traced back to these five organizations.
• Three organizations were targeted once, one was targeted twice, and another was targeted three times.
• Organizations were targeted in June 2009, July 2009, March 2010, April 2010, and May 2010.
• All targeted organizations have a presence in Iran.
• Three variants exist (June 2009, April 2010, March 2010) and a fourth variant likely exists but has never been recovered.Source: Symantec[sidebar 2]



