stuxnet
STUXNET
Summary
• What is Stuxnet?
• Industrial Control Systems
• The target/s of Stuxnet.
• How Stuxnet spreads.
• The impact of Stuxnet on PLCs
Stuxnet: Overview
• June 2010: A worm targeting the Siemens WinCC industrial control system.
• Targets high-speed variable-frequency programmable logic motor controllers from just two vendors: Vacon (Finland) and Fararo Paya (Iran).
• Acts only when the controllers are running at 807 Hz to 1210 Hz, and makes the frequency of those controllers vary from 1410 Hz to 2 Hz to 1064 Hz.
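A defender's view of the frequency pattern on this slide, as an added example that is not part of the original slides: once a drive has held the 807 Hz to 1210 Hz band, any reading outside it is flagged. The telemetry layout, the `MIN_DWELL` threshold and all names are assumptions, and the readings are assumed to come from a measurement source independent of the engineering workstation.

```python
from dataclasses import dataclass

BAND_LOW_HZ, BAND_HIGH_HZ = 807.0, 1210.0  # operating band named on the slide
MIN_DWELL = 3  # assumed: in-band samples needed before a drive counts as "at speed"

@dataclass
class Alert:
    drive: str
    timestamp: str
    frequency_hz: float
    reason: str

def detect_excursions(samples):
    """samples: time-ordered iterable of (timestamp, drive_id, frequency_hz)."""
    dwell = {}     # drive_id -> consecutive in-band samples seen so far
    armed = set()  # drives that have held the band for MIN_DWELL samples
    alerts = []
    for ts, drive, hz in samples:
        if BAND_LOW_HZ <= hz <= BAND_HIGH_HZ:
            dwell[drive] = dwell.get(drive, 0) + 1
            if dwell[drive] >= MIN_DWELL:
                armed.add(drive)
            continue
        dwell[drive] = 0
        # A start-up ramp is below the band too, so only armed drives alert.
        if drive in armed:
            reason = "overspeed" if hz > BAND_HIGH_HZ else "underspeed"
            alerts.append(Alert(drive, ts, hz, reason))
    return alerts

# Constructed telemetry: drive A follows the slide's 1410 -> 2 -> 1064 Hz
# sequence after running in band; drive B is an ordinary start-up ramp.
SAMPLE = [
    ("t0", "A", 1064.0), ("t0", "B", 0.0),
    ("t1", "A", 1064.0), ("t1", "B", 400.0),
    ("t2", "A", 1064.0), ("t2", "B", 900.0),
    ("t3", "A", 1410.0), ("t3", "B", 1064.0),
    ("t4", "A", 2.0),    ("t4", "B", 1064.0),
    ("t5", "A", 1064.0), ("t5", "B", 1064.0),
]

if __name__ == "__main__":
    for alert in detect_excursions(SAMPLE):
        print(alert)
```

A planned shutdown also leaves the band, so in practice alerts like these are correlated with the maintenance schedule before being escalated.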
Industrial Control Systems (ICS)
• ICS are operated by specialized, assembly-like code on programmable logic controllers (PLCs).
• The PLCs are typically programmed from Windows computers.
• The ICS are not connected to the Internet.
• ICS usually consider availability and ease of maintenance first and security last.
Siemens SIMATIC PLCs
How it works.
• Transferred through USB sticks.
  • Designed to be spread to non-online machines
  • Windows Explorer LNK file exploit
  • When scanned, it dropped a large .dll file containing the malicious code onto the computer.
• Uses two stolen certificates to prevent unauthorized-access alarms.
  • Realtek Semiconductors
  • JMicron Technology Corp
  • Both in Taiwan, in close vicinity.
How it works cont’d…
• Each time Stuxnet infected a system, it “phoned home” to one of two domains:
  • www.mypremierfutbol.com
  • www.todaysfutbol.com
  • Hosted on servers in Malaysia and Denmark
  • The check-in included internal and external IP addresses, the OS, and whether the machine was running Step 7
• Stuxnet would spread from system to system within a LAN until it found a PLC.
• The original s7otbxdx.dll is responsible for handling PLC block exchange between the programming device and the PLC.
• By replacing this .dll file with its own, Stuxnet is able to perform the following actions:
  • Monitor PLC blocks being written to and read from the PLC.
  • Infect a PLC by inserting its own blocks
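Detection logic for the two check-in domains listed on this slide, run over DNS query logs; this is an added example, not part of the original slides. The log layout, the sample lines and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The two check-in domains named on the slide (without the "www." label).
CHECKIN_DOMAINS = {"mypremierfutbol.com", "todaysfutbol.com"}

# Assumed log layout: "<ISO timestamp> <client IP> query <name> <type>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+(\S+)$")

def registered_match(qname):
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    name = qname.rstrip(".").lower()  # DNS names are case-insensitive; drop root dot
    for domain in CHECKIN_DOMAINS:
        # Match on a label boundary so "nottodaysfutbol.com" does not hit.
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def hosts_checking_in(lines):
    """Map client IP -> sorted list of (timestamp, matched domain)."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ts, client, qname, _qtype = m.groups()
        domain = registered_match(qname)
        if domain:
            hits[client].append((ts, domain))
    return {client: sorted(found) for client, found in hits.items()}

# Constructed sample log; addresses and timestamps are made up.
SAMPLE_LOG = """\
2010-07-01T08:00:01Z 10.0.5.21 query www.mypremierfutbol.com A
2010-07-01T08:00:02Z 10.0.5.22 query www.example.com A
2010-07-01T08:03:10Z 10.0.5.21 query WWW.TodaysFutbol.com. A
2010-07-01T08:04:00Z 10.0.5.30 query nottodaysfutbol.com A
garbage line
2010-07-01T08:05:44Z 10.0.7.9 query todaysfutbol.com AAAA
""".splitlines()

if __name__ == "__main__":
    for client, found in hosts_checking_in(SAMPLE_LOG).items():
        print(client, found)
```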
Stuxnet Overview
• Components used
  • Multiple Zero-day exploits
  • Windows rootkit
  • PLC rootkit (first ever)
  • Antivirus evasion
  • Peer-to-Peer updates
  • Signed driver with a valid certificate
  • Command and control interface
• Stuxnet consists of a large .dll file
• Designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 systems.
• PLC Man-in-the-middle Attack
Nuclear Centrifuge Technology
• Uranium-235 separation efficiency is critically dependent on the centrifuges’ speed of rotation
• Separation is theoretically proportional to the peripheral speed raised to the 4th power. So any increase in peripheral speed is helpful.
• That implies you need strong tubes, but brute strength isn’t enough: centrifuge designs also run into problems with “shaking” as they pass through naturally resonant frequencies
  • “shaking” at high speed can cause catastrophic failures to occur.
www.fas.org/programs/ssp/nukes/fuelcycle/centrifuges/engineering.html
Stuxnet Infection Statistics
• Infected Hosts
29 September 2010, From Symantec
Let’s watch it happen!
• http://www.youtube.com/watch?v=cf0jlzVCyOI
The Targets