Stuxnet: A Breakthrough
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.
Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.
However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of an S7-300 CPU and a CP-342-5 Profibus communications module.
The target system would potentially look something like the diagram below:
A frequency converter drive is a power supply that can change the frequency of the output, which controls the speed of a motor. The higher the frequency, the higher the speed of the motor.
The new key findings are:
- We are now able to describe the purpose of all of Stuxnet’s code.
- Stuxnet requires particular frequency converter drives from specific vendors, some of which may not be procurable in certain countries.
- Stuxnet requires the frequency converter drives to be operating at very high speeds, between 807 Hz and 1210 Hz. While frequency converter drives are used in many industrial control applications, these speeds are used only in a limited number of applications.
- Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process.
- Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities.
Once operation at those frequencies has continued for a period of time, Stuxnet hijacks the PLC code and begins modifying the behavior of the frequency converter drives. In addition to other parameters, over a period of months, Stuxnet changes the output frequency for short periods of time to 1410 Hz, then to 2 Hz, and then to 1064 Hz. Modifying the output frequency essentially stops the automation system from operating properly. Other parameter changes may also cause unexpected effects.
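One defender-side check the findings above suggest, as an added example that is not Symantec's code and not part of the original post: a small monitor over already-decoded drive frequency readings that flags values outside the 807 to 1210 Hz operating band the post describes and abrupt jumps between consecutive readings. The band limits and the excursion values (1410 Hz, 2 Hz, 1064 Hz) come from the post; the Sample and Alert types, the MAX_STEP_HZ threshold and the telemetry list are assumptions constructed for the example.

```python
"""Added example (not Symantec's code): an out-of-band and step-change detector
for frequency-converter telemetry. Band limits and excursion values are taken
from the blog post; the step threshold and sample data are assumptions."""

from dataclasses import dataclass
from typing import List, Optional

# Normal operating band of the drives described in the post (Hz).
BAND_LOW_HZ = 807.0
BAND_HIGH_HZ = 1210.0
# Largest change between consecutive readings treated as a plausible
# process-driven ramp. Assumed threshold, not a value from the post.
MAX_STEP_HZ = 50.0


@dataclass(frozen=True)
class Sample:
    t: int          # seconds since start of capture (constructed)
    freq_hz: float  # output frequency reported for the drive


@dataclass(frozen=True)
class Alert:
    t: int
    kind: str       # "out_of_band" or "step_change"
    freq_hz: float
    detail: str


def check_samples(samples: List[Sample]) -> List[Alert]:
    """Return one alert per rule violation, in time order."""
    alerts: List[Alert] = []
    prev: Optional[Sample] = None
    for s in samples:
        # Rule 1: reading outside the expected operating band.
        if not (BAND_LOW_HZ <= s.freq_hz <= BAND_HIGH_HZ):
            alerts.append(Alert(
                s.t, "out_of_band", s.freq_hz,
                f"outside {BAND_LOW_HZ:.0f}-{BAND_HIGH_HZ:.0f} Hz"))
        # Rule 2: abrupt change since the previous reading. This also catches
        # a return to an in-band value after an excursion.
        if prev is not None:
            delta = abs(s.freq_hz - prev.freq_hz)
            if delta > MAX_STEP_HZ:
                alerts.append(Alert(
                    s.t, "step_change", s.freq_hz,
                    f"jumped {delta:.0f} Hz from {prev.freq_hz:.0f} Hz "
                    f"in {s.t - prev.t}s"))
        prev = s
    return alerts


# Constructed telemetry: steady operation, then the excursions the post
# describes (1410 Hz, then 2 Hz, then 1064 Hz), then steady again.
SAMPLE_TELEMETRY = [
    Sample(0, 1064.0), Sample(60, 1066.0), Sample(120, 1063.0),
    Sample(180, 1410.0),   # above the band
    Sample(240, 1410.0),   # still above the band, no step
    Sample(300, 2.0),      # far below the band
    Sample(360, 1064.0),   # back inside the band, but a huge step
    Sample(420, 1065.0),
]


def step_change_times(samples: List[Sample]) -> List[int]:
    """Timestamps at which only the step-change rule fires or both rules fire."""
    return [a.t for a in check_samples(samples) if a.kind == "step_change"]


if __name__ == "__main__":
    for a in check_samples(SAMPLE_TELEMETRY):
        print(f"t={a.t:4d}s {a.kind:12s} {a.freq_hz:7.1f} Hz  {a.detail}")
```

On the constructed data the monitor raises six alerts: three out-of-band readings (1410, 1410, 2 Hz) and three step changes (at 180, 300 and 360 s). The return to 1064 Hz sits inside the band, so only the step-change rule sees it, which is why a band check alone is not enough for the pattern the post describes. Because the post also describes a PLC rootkit that hides the injected code from operators, a practitioner would want these readings to come from instrumentation that does not depend on the PLC in question.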
With this discovery, we now understand the purpose of all of Stuxnet’s code. We’ve modified our paper, in particular multiple subsections of the Modifying PLCs section, to include the finer details. Since we are far from experts in industrial control systems, we appreciate any feedback or further tips or explanation of some of the data. You can click on my name at the top of the blog post to get in touch.
We’d like to sincerely thank the Dutch Profibus expert who got in touch, serving as the catalyst to this breakthrough in understanding the purpose and potential targets of Stuxnet.
Here is the link to the updated paper.
Also, last month we presented how Stuxnet hijacks PLCs at the Virus Bulletin conference. As part of that presentation, we performed a live demonstration. Because we couldn’t afford to purchase a gas refinery or waste management system, we had to settle for balloons. We’ve created a video of the demonstration, which you can watch below.
Check out http://www.symantec.com/tv/products/details.jsp?vid=673432595001
Last-minute paper: An in-depth look into Stuxnet
Stuxnet is the first publicly known worm to target industrial control systems, often generically referred to as SCADA systems. Not only did Stuxnet include malicious STL (Statement List) code, an assembly-like programming language used to program industrial control systems, it included the first ever PLC (programmable logic controller) rootkit, hiding the STL code. It also included a zero-day vulnerability to spread via USB drives, a Windows rootkit to hide its Windows binary components, and it signed its files with certificates stolen from unrelated third-party companies. All of these characteristics are noteworthy in their own right; however, when they all converge within one threat it is clear that there is a special force at work. Any threat that is capable of taking control of a real-life physical system is worthy of a closer look, and here we present our analysis of such a threat.

We will report on the conclusions from our extensive analysis of the Stuxnet threat, outlining the functionality of the vast array of components used by the threat and illuminating how each component is used. The analysis exposes the true intention of the creators to take over industrial control systems (ICS) and details exactly how this is performed. The threat's ability to control physical machinery is what sets it apart from any other threat we have seen to date and is the aspect of the threat that we find most concerning.

In addition to analysis of the code, we also examine the data we received from compromised systems via the command and control servers. Using this data allows us to draw conclusions about who was the target of this threat and who may have been responsible for creating it.

During the presentation we will also show the code used and give demonstrations of the more malevolent and intriguing parts of the threat, namely the PLC/STL rootkit and the ability to control real-life physical systems. With this threat, the attackers are capable of injecting code into industrial control systems and hiding that code from the designers and operators of the ICS, giving the attackers full control over the day-to-day functionality of the physical system under attack.

Many aspects of the threat have not been reported widely in public, but we believe they have significant repercussions within the security industry and they will no doubt become more commonplace in the future threat landscape.