Tuesday, September 21, 2010

Stuxnet thoughts and process reactions

There has been a lot of discussion of the Stuxnet malware in the control systems sphere over the last couple of weeks. As details emerge it becomes ever more apparent that this malware was the equivalent of a scalpel. By that I mean it targets a specific plant floor: not even a specific product line, but one specific plant floor, and then monkeys with code blocks on the PLCs. The end goal is not clear yet, but it does not require a huge stretch to say that the target is the Bushehr nuclear plant in Iran and that Stuxnet most likely has its origin in either the good ole US of A or Israel.

This package was too surgical to elicit much of a response by our industry. Too few felt the pain.

My biggest takeaway has been the reaction of the industry, which appears minimal. Because this package is a scalpel, it does no, or minimal, damage on the non-target systems that it infects. And so the asset owners are not screaming bloody murder.

Now, if the payload had been a hammer instead of a scalpel, would the asset owners be as quiet? What I mean by this is that since it has little adverse impact, no one is screaming for heads. But instead of doing little damage, had this package turned a couple of ten thousand PLCs into expensive paperweights across multiple brands (which is demonstrably possible), how would the industry have responded?

I think that the asset owners would be screaming for blood and that the vendors would be forced into change, by pure market force if not legislative fiat. As it is, nothing is going to change. This malware has shown that a smart worm could quite possibly kill thousands of PLCs, and yet little is being said in this regard. So business as usual will continue, and systems with no inherent security will continue to be the norm, even in forthcoming product lines.

Something has got to change.

My second takeaway is that the system is broken. This is a direct reference to my previous "Moot" blog post from a couple of months ago, deriding the mootness of most security research in this field.

Siemens is, by the INL's own website's admission, a research partner with INL. And yet, if the exploit paths employed by Stuxnet were detected by the INL's assessment(s) of the Siemens products, then either Siemens failed to act on the findings, or the vector was not found. Either way shows that spending a chunk of tax dollars to produce assessments over which the vendor has sole dissemination discretion seems to serve no one but the vendor. The vendor can choose to squash, ignore or act upon the findings, and the lab, for all its work, bound by NDAs and CRADAs, has to remain mum. This in no way serves the interests of the asset owners or the taxpayers at large who contribute a significant portion of the funding for these assessments. But this appears to be the mode in which these assessments are handled: perform the work on the taxpayer's nickel and trust in the goodwill of the asset owner to do something about the findings.

Continuing on mootness, ICS-CERT failed. They have neither led in the analysis of the malware package nor provided any real mitigation. Instead, Symantec, Kaspersky, and Ralph Langner's team have produced the most usable results. Again, this may be due to ICS-CERT being somewhat bound in what they can disclose... but if this is the case, then why do they exist? What value is the taxpayer getting from their efforts?

Why do we fund ICS-CERT, and research at the national labs, if the results cannot be shared and if they provide no real leadership?

Siemens has also failed. Failed to say much of anything, or to provide their users with any real guidance on checking for the presence of, or mitigating, the exploit paths. This failure is so bad that changing the default DB passwords (said passwords were one of the exploit vectors) will break the system.

So my takeaways from this incident are:

* There are some damn crafty control systems hackers out there with access to real resources.

* The labs and ICS-CERT are providing little true leadership.

* The vendors are continuing like it is 1995. (OK, I will cut them a little slack on this, as in many ways they have only been invited to the table since ICSJWG fall '09.)

* The impact of the malware could have been potentially huge. In most ways this is good; in terms of driving a real reaction and real security, it is too bad.
