The game-changing malware that shocked the ICS/OT world is back in the news and still has lessons to share.

What did Stuxnet do?

First unleashed in 2009, the Stuxnet virus had multiple components including an aggressive malware tuned to find and corrupt processes run by Siemens STEP7-based PLCs. Its objective was to stealthily manipulate the speed of the sensitive enrichment centrifuges — causing attrition rather than blatant physical destruction. The Stuxnet worm reportedly infected more than 200,000 machines in 14 Iranian facilities and may have ruined up to 10% of the 9,000 centrifuges in Natanz.

How Stuxnet works: The air gap myth

Back in 2010, Iran’s Natanz nuclear facility, like many others before and since, relied on the concept of non-connected and isolated networks as a form of cyber security. Proponents of this approach — dubbed an air gap because it implies physical space between the organization’s networked assets and the outside world — believe it provides sufficient protection for facilities that don’t require Internet access or ubiquitous IT/enterprise services.

  • Cyber security is important mostly for IT and enterprise systems.
  • Proven security strategies don’t apply to the majority of operational technology systems because the risk of disruption is too high in OT.

How did Stuxnet spread?

Stuxnet came in two waves. Less is known about the first wave, which was more of a slow burn and less noisy, making it less likely to be discovered. The second wave was the one that made international headlines with its more demonstrative and decidedly less surgical approach.

  • Leveraged a Windows Shortcut (.lnk) zero-day vulnerability that thwarted the disabling USB and removable media auto-play.
  • Used stolen code signing certificates to make its malicious payloads appear as legitimate drivers that were recognized by the operating system and ignored by anti-virus and policy enforcement controls.
  • Leveraged vulnerabilities in Windows print spooling network services (usually on by default) hosts where infection was not possible through RPC/SMB/SQL and USB insertion. This included privilege escalation.
  • Possessed the ability to leverage the OPC protocol to traverse segments.
  • Infected Siemens STEP7 project files, replacing legitimate STEP7 DLLs with modified malicious ones, and using hard-coded credentials to log in to the Siemens WinCC SCADA database to identify specific targets.
  • Rendered itself dormant if appropriate criteria were not met.

How to prevent Stuxnet

It’s unlikely Stuxnet could have been entirely averted given the skill and motivation of the parties responsible. Let’s face it, if you attract the ire of highly skilled and well-funded nation-state attackers, not much can be done to avoid compromise. Still, there are some lessons to be learned from the Stuxnet scenario. ICS/OT defenders today can glean prescriptive insights on what didn’t work including:

  • Traditional anti-virus would not have found this type of malware.
  • Updated host OS may have helped with some of the exploits, but again, unlikely given the attackers’ skill level.
  • Strict removable media policies and enforcement (potentially even hot glue) could have prevented an initial infection or, at least, made it much harder.
  • Sufficient host hardening to include disabling unnecessary services like the Windows printer spooling service would have made lateral movement more difficult.
  • Sufficient network segmentation might have stopped the attackers from pivoting across the environment while better monitoring might have alerted defenders to anomalous traffic.
  • Diligent application of security policy could have isolated and contained the malware as it beaconed across network zones and layers where it did not belong.
  • Most importantly, better-trained resources and appropriate out-of-band (OOB) monitoring for anomalies within the centrifuge halls could have contained the damage early on in the attack.

Verve's mission is to protect the world's critical infrastructure. Learn more at verveindustrial.com