Slide 1
www.limessecurity.com
Industrial Security
5 years post-Stuxnet
Slide 2
Company Introduction
Vendor-independent security consulting
Founded in 2012, part of Softwarepark Hagenberg
Operating in DACH, Northern Europe
2 major business fields:
  Secure Software Development
  Industrial Security Consulting
Slide 3
“Everything changed with Stuxnet”
Slide 4
A quick recap. In 2010…
The automation world considered itself to be peaceful, due to
  the success of automation engineers in shielding their systems from enterprise IT
  the belief that the automation systems were closely isolated or even air-gapped
  the assumption that nobody outside automation would understand its proprietary workings
The usage of OEM software components was not seen as a security issue
Security practices/technologies were commonly not applied in industrial control systems (ICS)
(Slide graphic labelled “Safety”)
Slide 5
What was Stuxnet about?
A major, professionally developed cyber security threat
Targeted automation systems with a very specific configuration on the automation side
Received large public attention due to
  the usage of 4 0-day vulnerabilities
  multiple infection/persistence vectors
  its ability to inflict physical damage through cyber operations manipulating an industrial process
  its political “cyber-warfare” connotation
Slide 6
The day when I “met” Stuxnet: July 15th, 2010
A small group of Eastern AV experts had found malware containing references to Siemens WinCC and Step7, among them these strings:
…
SOFTWARE\Microsoft\MSSQLServer
pdl
GracS\
2WSXcder
WinCCConnect
master
.\WinCC
sqloledb
GracS\cc_tlg7.sav
Step7\Example
…
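As an added example (not code from the slides), the kind of string triage that surfaces references like the ones above: it pulls printable ASCII and UTF-16LE runs out of a binary and checks them against a watchlist built from the strings on this slide. The sample blob is constructed for the demo and is not Stuxnet; the watchlist entries are taken from the slide, everything else is an assumption.

```python
"""Strings-based triage of a binary for ICS product references.

Added example, not code from the original slides. It re-creates the
kind of check that first flagged the sample: printable strings inside an
otherwise unremarkable binary that name Siemens WinCC / STEP7 artefacts.
The watchlist entries are the strings shown on the slide; the sample
blob is constructed for the demo and is not Stuxnet.
"""
import re
from typing import Dict, List, Tuple

# Strings from the slide that point at WinCC / STEP7 installations.
ICS_WATCHLIST = [
    r"WinCCConnect",
    r"GracS\cc_tlg7.sav",
    r".\WinCC",
    r"Step7\Example",
]

# Printable ASCII runs and UTF-16LE runs; Windows binaries carry both.
_ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in data."""
    found = []
    for m in _ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def find_ics_references(data: bytes, watchlist=ICS_WATCHLIST) -> Dict[str, List[Tuple[int, str]]]:
    """Map each watchlist entry to the (offset, encoding) pairs where it occurs.
    Case-insensitive substring match, so a reference inside a longer path counts."""
    hits: Dict[str, List[Tuple[int, str]]] = {w: [] for w in watchlist}
    for offset, enc, text in extract_strings(data):
        lowered = text.lower()
        for entry in watchlist:
            if entry.lower() in lowered:
                hits[entry].append((offset, enc))
    return {k: v for k, v in hits.items() if v}


def build_demo_sample() -> bytes:
    """Constructed sample: non-printable filler with a few strings mixed in."""
    filler = bytes(range(0x80, 0x100)) * 4
    parts = [
        filler,
        b"SELECT name FROM master..sysdatabases",      # generic SQL, not ICS
        filler,
        "Provider=sqloledb;Data Source=.\\WinCC".encode("utf-16le"),
        filler,
        b"C:\\Siemens\\WinCC\\GracS\\cc_tlg7.sav\x00",
        filler,
        "Step7\\Example".encode("utf-16le"),
        filler,
    ]
    return b"\x00".join(parts)


if __name__ == "__main__":
    for ref, places in find_ics_references(build_demo_sample()).items():
        print(f"{ref!r}: {places}")
```

A hit list like this is only the starting question (why does this binary know WinCC?); the answer still needs the reverse engineering and runtime analysis described on the following slides.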
Slide 7
July 13th: First details of the preliminary analysis were published
Slide 8
On July 14th, a German AV researcher took a deeper look and noticed the SCADA part
Slide 9
Coming back to when Stuxnet began for me: July 15th, 2010
Initial question: Why might malware carry the names of an industrial vendor’s products inside?
  What are the purpose and application fields of these products, WinCC and STEP7?
  Who would be able to explain?
  Most importantly: How do I find this guy within 350k+ employees?
My secret weapon: office phone & org chart
Slide 10
Most important task: Finding out what this was all about
More light was shed on the general purpose of the software by specialists, leading to different security speculations
Next step: Getting our hands on the relevant software (without a P.O.!)
Setting the software up in a contained environment including system monitoring capabilities
Offline analysis of the malware (reverse engineering)
Runtime analysis of the malware (behavioural monitoring)
Goal: Come up with indications of the malware’s functions and what exactly it is after
Slide 11
Some early learnings
I learned the necessary difference between incident coordination & incident handling the hard way from the first day
Having CERT-like capabilities at hand, including deep malware reverse engineering know-how, really was more than helpful
Splitting the analysis of a threat into offline & online analysis in parallel is more than helpful: each approach sees different aspects
During a crisis, even large organizations can react fast: on the second day a diverse, professional crisis team was established
Slide 12
Scaling status information distribution: The famous support website on Stuxnet
Already on the 3rd day, a website on how to detect and remove Stuxnet was established and improved over time, reflecting the state of analysis and research
Source: http://support.automation.siemens.com/WW/llisapi.dll?func=ll&objid=43876783&nodeid0=10805583
Slide 13
Challenges and personal learnings when handling Stuxnet
Incident handling is really difficult if you have to start from scratch with security basics in the ICS world
  A cyber security crash course for ICS engineers would have helped
  Authorities were also still learning back then
Judging the extent of a problem
  takes time: ~700 kB of code (it doesn’t help if all good malware reversers hang out at Blackhat in Vegas)
  is difficult when you’re the victim, or even if you’re not sure whether you are the victim (information release)
Finding reliable IOCs for determining the extent of an attack and how to detect it may be challenging
Slide 14
Challenges and personal learnings when handling Stuxnet (cont.)
For critical incidents, a resource-wise separation between incident coordination and incident handling is necessary
Informing customers is not as straightforward as it may seem; it only works if you know your customers, which is nearly impossible in an OEM business
Industrial safety is priority number one, but the necessary compatibility tests delay the release of any (security) software updates
Informational duties vs. giving unwanted hints may be a tightrope walk if a threat is still active
Targeted threats may require anti-virus-like actions from industrial vendors
Slide 15
And to: “Stuxnet was so cool and James-Bond-like, it brought cyber security finally to the real world”
Handling a crisis like Stuxnet is much less cool if you’re forced into the driving seat: vague assumptions & decisions with large impact
No rogue female agents trying to seduce me
Still driving the same Audi, no Aston Martin
On the other hand: Best chance to learn in my entire career
Slide 16
Stuxnet consequences
Slide 17
Industrial software vendors came under the scrutiny of researchers as a direct consequence after 2010
Security researchers started to analyze industrial software in 2011:
  Billy Rios & Terry McCorkle
  Luigi Auriemma
  Dillon Beresford
(Photo: …Beresford's Blackhat presentation on S7 industrial control system vulnerabilities. Credit: Seth Rosenblatt/CNET)
Slide 18
Industrial vulnerability research and disclosure jumped to a high level
[Chart: ICS (SCADA/DCS) Disclosures by year, 2001 to 2014; y-axis: Disclosures (0 to 300), x-axis: Year. Only the bar labels survived extraction; the four highest read 172, 240, 176 and 182. The 2014 value is an estimation, final numbers not yet published.]
Data obtained from the Open-Source Vulnerability Database (OSVDB)
Slide 19
The motivation of ICS vulnerability researchers changed over time
Do the right thing to make the world a safer/more secure place (becoming less important)
Publicity to gain reputation (always a good reason)
Financial benefit due to exploit creation (becoming more important)
Slide 20
Industrial Security Weakness Presentations became “Mainstream” at Hacker Conferences
Large number of SCADA security presentations, e.g. at the Blackhat conference:
  “How to own an industrial facility from 40 miles away”
  “Why Control System Cyber-Security Sucks”
  “How I Will PWN Your ERP Through 4-20 mA Current Loop”
Slide 21
New activities at industrial vendors resulted, e.g. a public vulnerability handling posture
Source: http://www.siemens.com/innovation/pool/innovations/technologiefokus/it-software/siemens_vulnerability_handling.pdf
Slide 22
ICS vendors rethought their security posture, following the initial SDL programs 10 years later
Common protection technologies were quickly adapted to ICS: application-level firewalls, antivirus, application whitelisting, IDS, SIEM, …
Existing security schemes (e.g. air gaps) are being deprecated
Slide 23
Researchers developed better tools to easily find insecurely operated ICS systems
The security community shows strong interest in (ab)using SHODANHQ, Google and other search engines for finding insecure ICS systems connected to the internet
Source: SHODANHQ / IRAM
Slide 24
The number of security breaches is increasing; one third of them happen in ICS industries
2012-2013: 42% increase in breaches, ~35% of targeted breaches affect ICS industries
Supply chain breaches are increasingly attractive
Transparent market prices for cyber crime services have developed
ICS resource abuse likely, extortion attempts possible
[Chart: Industries affected by security breaches / targeted breaches, according to Symantec and Mandiant]
Slide 25
Baseline security assumptions slowly changed; ICS stakeholders need to catch up
The assumption of being able to maintain a clean system environment during operation is deprecated
Since 2013 a large number of security vendors offer “threat intelligence” services
  Selling information on “indicators of compromise”
  How shall industrial operators incorporate threat intelligence?
Slide 26
Consumerization of IT endangers industrial systems
Trend of interacting with ICS systems through consumer IT devices
Trend of bring-your-own-device (BYOD) has not reached its peak yet
BYOD leads to additional weak points in the supply chain of critical infrastructures
Security solutions for BYOD scenarios are currently not geared toward industrial sites
Slide 27
Nation-state funded hacking has become mainstream
Since 2013, many publications document offensive operations in different regions of the world
  Russia (since early September 2013)
  China (e.g. APT1 through the Mandiant report)
  Middle East (e.g. Syrian Electronic Army, Iran)
  “Tailored access operations” by NSA & partners
Nation-state actors have a strong interest in learning about foreign ICS
Slide 28
A recent attack example from the ICS world: The Havex malware found in 2014
Havex is a Remote Access Tool (RAT) used in targeted attacks; it was used in the “Crouching Yeti” malware campaign
After infection of a host, it scans the system and connected resources for information that may be of use in later attacks.
The collected data is forwarded to remote servers.
Why is it special?
  Targeted attack
  Uses ICS-specific attack techniques
Slide 29
Havex: a closer look (1)
• Timeline of Havex watering-hole attacks (figure; source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf)
• Spear phishing (emails with PDF attachments)
Slide 30
Havex: a closer look (2)
Targets:
  Identified targets of the Havex malware / campaign were mainly US and UK organizations within the energy sector
  But spread across several other countries: Spain, France, Italy, Germany, Turkey, …
Further malware activity:
  Web browser recovery tool
  Cleaning up of traces
  Enumerates all connected network resources: computers, shared resources
  Scan for ICS-related software
Slide 31
Havex: ICS-related activity
Havex uses the Open Platform Communications (OPC) standard to retrieve information:
  Class identification (CLSID), server name, Program ID, OPC version, vendor information, running state, group count, server bandwidth
  Enumerate OPC tags: tag name, type, access, and ID
Havex causes multiple common OPC platforms to intermittently crash (unfortunately)
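As an added example, not from the slides or from any Havex analysis: detection logic that looks for the OPC enumeration pattern just described in constructed event records (one client sweeping identity queries and tag browsing across many OPC servers, and servers crashing shortly after being enumerated). The event format, host names, operation names and thresholds are assumptions made for the demo.

```python
"""Spotting Havex-style OPC enumeration in constructed event records.

Added example, not from the original slides or any Havex report. The slide
says Havex asks every reachable OPC server for its identity (CLSID, ProgID,
vendor, state, ...) and enumerates its tags, and that affected servers
intermittently crash. Event format and lines are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed events: timestamp, client host, OPC server, operation.
SAMPLE_EVENTS = """\
2014-06-23T10:00:01 src=ENG-01 dst=OPC-SRV-1 op=server_info
2014-06-23T10:00:03 src=ENG-01 dst=OPC-SRV-1 op=read_tag
2014-06-23T10:05:10 src=HMI-07 dst=OPC-SRV-1 op=server_info
2014-06-23T10:05:11 src=HMI-07 dst=OPC-SRV-1 op=browse_tags
2014-06-23T10:05:12 src=HMI-07 dst=OPC-SRV-2 op=server_info
2014-06-23T10:05:13 src=HMI-07 dst=OPC-SRV-2 op=browse_tags
2014-06-23T10:05:14 src=HMI-07 dst=OPC-SRV-3 op=server_info
2014-06-23T10:05:15 src=HMI-07 dst=OPC-SRV-3 op=browse_tags
2014-06-23T10:05:16 src=HMI-07 dst=OPC-SRV-4 op=server_info
2014-06-23T10:05:40 src=- dst=OPC-SRV-2 op=server_crash
2014-06-23T11:30:00 src=ENG-01 dst=OPC-SRV-2 op=read_tag
"""

Event = Tuple[datetime, str, str, str]
ENUM_OPS = ("server_info", "browse_tags")  # identity query / tag browsing


def parse_events(text: str) -> List[Event]:
    """Parse 'key=value' lines into (time, src, dst, op), sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, *fields = line.split()
            kv = dict(f.split("=", 1) for f in fields)
            events.append((datetime.fromisoformat(ts), kv["src"], kv["dst"], kv["op"]))
    return sorted(events)


def find_enumerating_clients(events: List[Event], window=timedelta(minutes=5),
                             min_servers: int = 3) -> Dict[str, List[str]]:
    """Clients that enumerate at least min_servers distinct OPC servers inside
    one window. A configured HMI talks to its own servers; a sweep across
    many servers is the behaviour the slide describes."""
    per_client: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, op in events:
        if op in ENUM_OPS and src != "-":
            per_client[src].append((ts, dst))
    flagged = {}
    for src, touches in per_client.items():
        for i, (start, _) in enumerate(touches):
            seen = {dst for ts, dst in touches[i:] if ts - start <= window}
            if len(seen) >= min_servers:
                flagged[src] = sorted(seen)
                break
    return flagged


def crashes_after_enumeration(events: List[Event], window=timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """(server, client) pairs where a server crashed within window after the
    client enumerated it: the side effect the slide mentions, and a pivot
    for locating the infected host."""
    pairs = set()
    for crash_ts, _, server, op in events:
        if op == "server_crash":
            for ts, src, dst, prev_op in events:
                if dst == server and prev_op in ENUM_OPS and timedelta(0) <= crash_ts - ts <= window:
                    pairs.add((server, src))
    return sorted(pairs)
```

The thresholds (3 servers in 5 minutes, a crash within 10 minutes) are placeholders; on a real site they come from a baseline of which clients are configured to talk to which OPC servers.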
Slide 32
Statistics on infected hosts
Infected host statistics provided by Securelist, see http://securelist.com/blog/research/69293/yeti-still-crouching-in-the-forest/
Slide 33
What was the goal?
A specific target:
  A victim (industrial operator?) should download the compromised/trojanized ICS software
Proof of concept / preparation:
  How effective is such an attack? How many devices that speak OPC can be found?
  Preparation for other attacks that are OPC related
One or multiple customers of the three compromised ICS vendors
Slide 34
For most companies, Stuxnet is not the biggest issue: a list from our field project experience
Security strongly relies on physical security & the cell concept
Strong trust between systems
The “legacy” technology & patching problem
Operators are process experts but usually not security experts
The security state is often unknown at sites which have been operational for decades
Vendor vs. integrator vs. operator duties
Inability to see threats on the industrial network
Slide 35
So what did change with Stuxnet? Some statements: true / false?
My friends and neighbors now understand what I do for a living as an industrial cyber security guy
Industrial site operators no longer have to justify their annual budget for ICS cybersecurity
Vendors no longer tell their clients it’s their own problem to secure the system
Vendors no longer tell their clients their warranty is voided if they try to secure their systems
There is only one global ICS cybersecurity standard that everyone follows and certifies to
The industrial world has become more secure because Stuxnet was discovered
Partly taken from Walter Sikora, ICSJWG 2010
Slide 36
Thank you!
Questions?