Sunday, February 26, 2012

Life after Stuxnet: the cyberattack on Iran's nuclear facilities has upped the ante for those in charge of critical infrastructure.(Critical infrastructure)


Iran had a fallout problem at two nuclear facilities last July, but it wasn't radiation that leaked. Rather, after the plants' computer systems were infected with a worm, later dubbed Stuxnet, fallout took the form of a dramatic shift in what cyberattackers are capable of and how security professionals must respond.

This was clearly the opening salvo in what many suspect could be a new strategy in attacking an enemy. The worm, according to a Symantec report, exploited four zero-day vulnerabilities, compromised two digital certificates and injected code into the programmable logic controllers, or PLCs, of the facilities' industrial control systems, components used specifically to manage power plants, oil refineries and gas pipelines. The malware relayed instructions to the physical machinery that literally made the equipment blow a gasket.

Iranian scientists at a uranium processing center in Natanz and a nuclear reactor in Bushehr quickly replaced centrifuge machines that were affected by the worm, so actual disruption of their forging of low-enriched uranium was contained, but the cyberattack has put the global security community on notice that their enterprise or government infrastructure is susceptible to a similar infection that could cripple computer systems that control physical facilities.

"Stuxnet has changed our jobs entirely," says Kevin Rowney, founder of the data leakage prevention division at Symantec. Panic is not necessary at this time, but security does need to be re-evaluated, he says.

Certainly with the arrival of Aurora, Stuxnet and WikiLeaks, it has been an "off-the-hook" year, says Rowney, who is also director of the breach response team at Symantec. "How fast things have progressed."

Others agree. Stuxnet was definitely a game-changer in terms of what it could do, says David Kennedy, director of information security at Diebold, a security integrator that provides protection and detection solutions. "What it showed was that our current ways of thinking about security are flawed."

The fact that the intrusion happened from the inside points out that hackers are bypassing traditional defenses, he says. "Stuxnet should have been detected."

He says that the anomalous traffic on the system should have alerted somebody. "We can't treat the internal environment as a safe haven anymore," Kennedy says. "Internal users are untrusted now. We need to look at critical infrastructure and put controls around it."

But others say it will take more than technology to safeguard systems. Following Stuxnet, executives should place emphasis on policies and procedures, says Amichai Shulman, CTO at Imperva, a Redwood Shores, Calif.-based data security vendor. Stuxnet was successful because the code was distributed using USB sticks or key fobs, probably giveaways at some event, he says. These were then carelessly inserted into protected networks, which unleashed the bug.

Shulman advises that rather than focusing efforts on protecting the control systems in SCADA networks, as he has seen in some government entities, it would be better to beef up security around management systems, using the same tools and techniques used to protect web-facing applications. IT professionals should consider everything outside of the SCADA network to be hostile. To protect the power grid, he says it is essential to isolate the SCADA management network away from other functions, such as HR, finance and transportation.

But, this might not be enough as the SCADA systems in Iran were protected well by most standards, says Charlie Miller, principal analyst of software security at Independent Security Evaluators, a security consulting firm. They ran on an isolated [non-internet-connected] network that consisted of fully patched Windows computers running up-to-date anti-virus. "This is really all you could hope for in these critical infrastructures," Miller says.

Ahead of the curve

Still, the complexity of infrastructure systems invites any number of exploits that, experts say, can only be thwarted by staying on top of the latest threat intelligence. Attackers are constantly changing and adapting, so the best defense is one that is dynamic and flexible, says Don Jackson, director of threat intelligence at Dell SecureWorks. His recommendation is that those responsible for building and managing critical infrastructure systems employ the services of objective security professionals to continuously refine threat models by incorporating data from the latest incidents and intelligence on emerging threats.

"Assessments need to take into account new information learned about the financial resourcefulness, technical sophistication, determination and the impact of threat agents, such as those behind Stuxnet," Jackson says. "Those assessments inform funding and policy regarding critical infrastructure protection."

He believes there should be a shift to whitelist approaches for code packages, integrity controls and anomaly detection features that operate at supervisory layers, operating systems that have smaller attack surfaces, and security models that are more strict about access to process memory and the kernel.

Eric Knapp, director of critical infrastructure markets at NitroSecurity, agrees that whitelisting is essential to fight zero-days, as well as strong edge policies to make it harder to access target networks.

"We've always hardened the entry points into SCADA and industrial control system (ICS) networks by securing the enterprise network that contains them, while leaving those critical networks relatively unprotected from the inside," Knapp says. "The control systems have to be as hard if not harder to breach--a defense-in-depth strategy comprising elements including specialized ICS firewalls, and compatible network and application whitelisters."
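Both Jackson and Knapp point to whitelisting of code packages and integrity controls as the control that still works when the zero-day is unknown. The script below is an added illustration of that idea, not code from the article or from any vendor quoted in it: it records a SHA-256 baseline of the executable files under a directory (the allowlist), then reports anything that later appears outside the allowlist, goes missing, or no longer matches its baseline hash. The directory layout, file names and file contents in `demo()` are constructed for the example, and the extension set in `CODE_SUFFIXES` is an assumption about what counts as a "code package".

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption for this example: these extensions are the "code packages"
# whose integrity a control-system host would baseline.
CODE_SUFFIXES = {".exe", ".dll", ".sys", ".py"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root: Path) -> dict:
    """Baseline: map each code file (path relative to root) to its SHA-256."""
    allowlist = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in CODE_SUFFIXES:
            allowlist[path.relative_to(root).as_posix()] = sha256_of(path)
    return allowlist


def check_integrity(root: Path, allowlist: dict) -> dict:
    """Compare the current on-disk state against the baseline allowlist.

    Returns three sorted lists:
      unknown  - code files present now that were never baselined
      missing  - baselined files that have disappeared
      modified - baselined files whose hash no longer matches
    """
    current = build_allowlist(root)
    return {
        "unknown": sorted(set(current) - set(allowlist)),
        "missing": sorted(set(allowlist) - set(current)),
        "modified": sorted(
            name for name in allowlist
            if name in current and current[name] != allowlist[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi").mkdir()
        (root / "hmi" / "viewer.exe").write_bytes(b"constructed HMI binary v1")
        (root / "hmi" / "plc_driver.dll").write_bytes(b"constructed PLC driver v1")
        (root / "notes.txt").write_text("not a code package, ignored by the allowlist")

        baseline = build_allowlist(root)

        # Simulated unauthorized changes: one baselined driver is altered,
        # and a binary that was never approved appears on the host.
        (root / "hmi" / "plc_driver.dll").write_bytes(b"constructed PLC driver, tampered")
        (root / "hmi" / "dropper.exe").write_bytes(b"constructed unexpected binary")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:9s}: {names}")
```

In practice the baseline would be written at commissioning time and stored where the monitored host cannot rewrite it; the same comparison then runs on a schedule or from a supervisory system, and any non-empty `unknown` or `modified` list is an alert regardless of whether the file matches a known malware signature.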


Lessons from Stuxnet

Few would argue that traditional security strategies are sufficient in a post-Stuxnet world. The attack in Iran should have taught security professionals many things, says Michael Assante, president and CEO of the National Board of Information Security Examiners (NBISE), a nonprofit that develops examinations and certification requirements. "One realization is that the perimeter protection model used to protect critical systems is more aligned with cyberthreats of yesterday and is most effective against less directed and intelligent types of cyberattacks."

Stuxnet also demonstrates the need to address security and resilience at the design and building stage, says Assante, former CSO at the North American Electric Reliability Corp. (NERC). "We can't continue to look solely toward owners and operators and expect to bolt on security to manage risk around difficult-to-secure technology."

Meanwhile, legislation may help change the regulatory structure around critical infrastructure protection, he says. "The key will be balance. Incentives are not the entire answer, neither is prescriptive regulation."

Copycat attacks to follow

But perhaps the biggest impact is yet to come. It is the descendants of the worm that are causing concern for a lot of security personnel. "Even if they can't get hold of sample code from Stuxnet, it helps ill-intentioned people understand which threat vectors are vulnerable," says Symantec's Rowney.

A version of the base code was among a cache of emails that the activist hacking group Anonymous stole from HBGary, a security company that was studying the threat. Though this easier-to-read "study" version is a reduction of the original binary code, experts contend there is enough there to supply miscreants with a foundation on which to build copycat attacks. Some expect these to occur within weeks.

And just where the next attack may come from or who it may target is anyone's guess. Rowney points to the fact that Stuxnet was clearly written with a disciplined approach that likely took six to 10 coders working for six months to produce. "It doesn't sound like hackers in a basement or an Eastern European cyber gang," he says. "This sounds like nation-state."

Rowney hopes nothing like Stuxnet is seen again. But, he admits, it is hard to rule out. "The stakes are entirely raised," he says.

STUXNET: Up close

* Stuxnet was a targeted attack on five different organizations.

* 12,000 infections can be traced back to these five organizations.

* Three organizations were targeted once, one was targeted twice, and another was targeted three times.

* All targeted organizations have a presence in Iran.

* Three variants of the worm exist and a fourth variant likely exists but has never been recovered.

Source: Symantec

Geographical distribution of Stuxnet infections

Country          Share of infections
USA                0.89%
Great Britain      0.57%
Russia             0.61%
Iran              58.31%
Uzbekistan         0.71%
Azerbaijan         3.40%
India              9.96%
Pakistan           1.40%
Malaysia           1.16%
Indonesia         17.83%
