The "No Network is 100% Secure" series
- The Aurora Power Grid Vulnerability -
Including Stuxnet
A White Paper
All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants
The generator room at the Idaho National Laboratory was remotely accessed by a hacker and
a $1 Million diesel-electric generator was destroyed.
(U.S. Homeland Security photo)
What is the Aurora vulnerability?: Aurora is a vulnerability to cyber attacks
that could sabotage critical systems that provide electricity, including the nationwide
power grid. This vulnerability affects control systems that operate rotating
machinery such as pumps, turbines and so on. The vulnerability of the nation's
electrical grid to computer attack is due in part to steps taken by power companies
to transfer control of generation and distribution equipment from internal networks
to supervisory control and data acquisition, or SCADA, systems that can be accessed
through the Internet or by phone lines.
The move to SCADA systems boosts efficiency at utilities because it allows workers to
operate equipment remotely. But this access to the Internet exposes these once-closed
systems to cyber attacks. So far, incidents of hackers breaking into control systems
to cause damage or outages have been scarce although there have been a few. However,
the threat of such damage makes
control systems an alluring target for extortionists, terrorists, unfriendly
governments and others.
Electric utilities, pipelines, railroads and oil companies use remotely controlled
and monitored valves, switches and other mechanisms that are vulnerable to attack.
In a dramatic video-taped demonstration of the Aurora vulnerability recorded in 2006,
engineers at Idaho National Labs showed how the weakness could be exploited to cause
any spinning machine connected to the power grid -- such as a generator, pump or
turbine -- to self-destruct. These attacks could easily be carried out on
vulnerable equipment using the Internet.
Costs and time are frequently given as the reasons for not locking down these complex
networks. Many plant operators consider it unlikely that an attacker would be able to
manipulate or damage control systems, as most of these systems run on obscure hardware
powered by highly specialized communications standards. However, this
"security-by-obscurity" defense is gradually eroding, as a number of utilities are
upgrading from older, legacy systems to operating systems more familiar to the
average hacker, such as Microsoft Windows and Linux.
The GAO issued a vulnerability report on May 21, 2008 regarding the Tennessee Valley
Authority, the nation's largest public utility company. The GAO found that TVA's
Internet-connected corporate network was linked with systems used to control power
production, and that security weaknesses pervasive in the corporate side could be
used by attackers to manipulate or destroy vital control systems. As a wholly owned
federal corporation, TVA must meet the same computer security standards that govern
computer practices and safeguards at federal agencies. As of 5/21/2008 it apparently
did not. The GAO also warned that computers on TVA's corporate network lacked
security software updates and anti-virus protection, and that firewalls and intrusion
detection systems on the network were easily bypassed and failed to record suspicious
activity.
The task of gauging the electric sector's true progress in mitigating the Aurora
vulnerability has fallen to the Federal Energy Regulatory Commission. In January 2008,
FERC approved eight mandatory reliability standards to protect bulk power systems
against disruptions from cyber-security breaches. The agency has the authority to fine
plants up to $1 million a day for violations of those standards, but the industry has
until 2010 to demonstrate compliance with the new rules.
Security experts contend that existing standards contain loopholes and don't
adequately protect critical power systems. For example, telecommunications equipment
is excluded, even though there are documented cases of computer worms shutting off
service from control systems to substations. There are security experts in the power
industry who recognize the threat from cyber vulnerabilities like Aurora, but who
claim they don't have the funding or the authority to do much about it.
FAA Air Traffic Control system vulnerability: While not an Aurora vulnerability
per se, a recent USDOT report stated that the nation's air traffic
control systems are vulnerable to cyber attacks. Support systems have been breached
in recent months allowing hackers access to personnel records and network servers,
according to a government audit.
The Transportation Department's inspector general concluded that although most of the
attacks disrupted only support systems, they could spread to the operational systems
that control communications, surveillance and flight information used to separate
aircraft. The report noted several recent cyber attacks, including a February
incident when hackers gained access to personal information on about 48,000 current
and former Federal Aviation Administration employees, and an attack in 2008 when
hackers took control of some FAA network servers.
Auditors said the FAA is not able to adequately detect potential cyber security
attacks, and it must better secure its systems against hackers and other intruders.
"In our opinion, unless effective action is taken quickly, it is likely to be a matter
of when, not if, ATC (air traffic control) systems encounter attacks that do serious
harm to ATC operations," the auditors said.
According to the report, the FAA received 800 cyber incident alerts during the fiscal
year that ended Sept. 30, 2008, and more than 150 were not resolved before the year
finished. Fifty of those, the auditors said, had been open for more than three months,
"including critical incidents in which hackers may have taken over control" of some
computers. Officials tested Internet-based systems that are used to provide
information to the public. The tests found nearly 4,000 "vulnerabilities,"
including 763 viewed as "high risk." The vulnerabilities included weak passwords,
unprotected file folders, and other software problems.
These weaknesses could allow hackers or internal FAA workers to gain access to air
traffic systems, and possibly compromise computers there or infect them with malicious
codes or viruses.
BIOS is also vulnerable to modern malware attacks:
Basic Input/Output System (BIOS), the firmware a computer runs at boot-up, is
increasingly targeted by malware: an attacker who has gained administrative OS
rights can effectively perform a BIOS update, or fetch a BIOS image from the Internet,
to load customized low-level firmware. Recently, experts have shown how BIOS malware could be
used to attack multiple operating systems and infect different kinds of motherboards.
According to them, BIOS-based malicious software can spread not just across various
OSs, but also across a range of hardware. These attacks are hard to identify and block.
Earlier, during March 2009 at the CanSecWest security conference in Vancouver, researchers
Anibal Sacco and Alfredo Ortega of Core Security Technologies Inc. demonstrated a generic
BIOS attack that could push malware into various BIOS types, as reported by
SearchSecurity on June 18, 2009.
Terrorist attacks:
Terrorist groups could soon use the internet to help set off a devastating nuclear
attack, according to research done by the International Commission on Nuclear
Non-proliferation and Disarmament (ICNND). Their study suggests that under the right
circumstances, terrorists could break into computer systems and launch an attack on a
nuclear state triggering a catastrophic chain of events that would have a global
impact. Without better protection of computer and information systems, the paper
states, governments around the world are leaving open the possibility that a
well-coordinated cyberwar could quickly elevate to nuclear levels. In fact, this may
be an easier alternative for terrorist groups than building or acquiring a nuclear
weapon or dirty bomb themselves. Though the paper admits that the media and
entertainment industries often confuse and exaggerate the risk of cyberterrorism, it
also outlines a number of potential threats and situations in which dedicated hackers
could use information warfare techniques to make a nuclear attack more likely. While
the possibility of a radical group gaining access to actual launch systems is remote,
the study suggests that hackers could focus on feeding in false information further
down the chain or spreading fake information to officials in a carefully orchestrated
strike. "Despite claims that nuclear launch orders can only come from the highest
authorities, numerous examples point towards an ability to sidestep the chain of
command and insert orders at lower levels," said Jason Fritz, the author of the paper.
"Cyber-terrorists could also provoke a nuclear launch by spoofing early warning and
identification systems or by degrading communications networks." Since these systems
are not as well-protected as those used to launch an attack, they may prove more
vulnerable to attackers who wish to tempt another nation into a nuclear response.
Cyberspace is real, and so is the risk that comes with it. Online attacks are one of
the most serious economic and national security challenges we face. However, the study
suggests that although governments are increasingly aware of the threat of cyberwar
with other nations, action to bolster those defenses does not alleviate the threat of
a rogue group that circumvented the expected strategies for online warfare. "Just as
the 9/11 attacks were an unprecedented attack with unconventional weapons, so too could
a major cyber attack," it says.
Hacking the 'smart grid': The race to build a "smarter" electrical grid could
have a dark side. Security experts are starting to show the dangers of equipping homes
and businesses with new meters that enable two-way communication with utilities.
There are many benefits to upgrading the nation's electricity networks, which is why a
smart-grid movement was already revving up before the recent economic recovery package
included $4.5 billion for the technology. Smarter grids could help conserve energy by
giving utilities more control over and insight into how power flows. But there are
potential problems with moving too fast.
The risks are similar to what happens when computers are linked over the Internet. By
exploiting weaknesses in the way computers talk to each other, hackers can seize control
of innocent people's machines. In the case of the power grid, better communication
between utilities and the meters at individual homes and businesses raises the
possibility that someone could control the power supply for a single building, an entire
neighborhood, or worse. For example, a computer worm could give miscreants remote
control of the meters, which would let them take advantage of a utility's ability to
disconnect someone's power for not paying his bill. A key vulnerability
has been found in devices made by an unnamed manufacturer. But once infected, a worm
could spread to other manufacturers' products that use the same communications
technologies and can be used to remotely disconnect people's power.
To get the computer worm going, a hacker might have to get physical access to one of
the meters in order to program it with malicious code. That could start a chain reaction
in which the worm spreads meter to meter over the grid's communication network. This
hack might also be done remotely, if the traffic on the network isn't encrypted.
More than 50 million smart meters are expected to be deployed by U.S. electric utilities
by 2015, according to a list of publicly announced projects kept by The Edison
Foundation. More than 8 million have already been deployed.
How a Phishing Attack Exposed an Energy Company to Hackers: The following is an
unsubstantiated report that was published on the Internet. The report declines to
identify the energy company involved so I will take these "facts" with a grain of salt.
However, the described attack and its aftermath is certainly plausible so I will
include it here as a potential attack vector that needs to be defended against.
Using a Microsoft zero-day vulnerability and a bit of social engineering, hackers
compromised a workstation and threatened critical SCADA systems. It began with an
e-mail sent to an employee at an energy company, and ended with a security breach that
exposed critical systems to outside control. The attack began to unravel April 3, 2007.
That's when a fraudulent user account, complete with administrative privileges, was
detected by the energy company. Tracing backwards, it turned out that random
administrative accounts were being added in the internal network because another machine
inside their corporate network had been compromised due to a successful phishing attack.
The reason why I am repeating this story is to underscore the fact that the number one
security risk to networks is people.... in some cases, employees can be fooled into
going to a web site that has been infected with malware and once that happens, it's all
over but the crying. But in this example, the attack was even less sophisticated than
that.
The employee machine sat on the same segment where the SCADA (Supervisory Control And
Data Acquisition) controllers were. This, of course, was a fundamental network
security gaffe. Soon, evidence appeared that the attackers had
leapfrogged off this network and broken into the domain controller. The source of the
breach? A relatively simple phishing attack. The phishing e-mail contained a pitch for
a new health care plan, something that caught an employee's eye. The e-mail claimed to
be about benefits for a family with two or more children, and the employee had three.
The message also contained a malicious .chm file attachment. When the employee opened
the attachment, it reached out to a server in the Asia-Pacific region and pulled out a
malicious executable that gave the attackers a foothold on the employee's machine.
This particular attack took advantage of MS07-029, a Windows DNS (Domain Name System)
vulnerability that at the time was unpatched. This, of course, is also a fundamental
network security gaffe. Strike three! You're out... Using the vulnerability as an entry
point, the attackers ended up with control of the employee's account. With the level of
access they gained, the attackers could potentially control, view and modify everything
related to the business.
Our advice? Put a proxy in place for Web browsing, obviously. But more critical is the
subject of segregation. No workstation sharing a critical network segment such as
SCADA should be connected to the Internet. Patch management, employee security training
and the other preventative measures described in this series of white papers are also
vital to protecting your network. HTH....
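One control that would have caught the fraudulent administrative accounts described above is correlating account creation with privileged-group membership in centrally collected logs. The following is an added example written for this page, not code from the white paper or from the energy company involved; it assumes Windows Security events 4720 (account created) and 4728/4732 (member added to a security-enabled global/local group) are forwarded as 'timestamp|event_id|subject|target|group' lines, and the sample log, the approved creator and the ten-minute window are constructed.

```python
"""Correlate account creation with privileged-group membership.

Added example for this page (not from the white paper or the company it
describes). Assumes Windows Security events 4720 (account created) and
4728/4732 (member added to a security-enabled global/local group) are
forwarded as 'timestamp|event_id|subject|target|group' lines. The sample
log, the approved creator and the ten-minute window are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
WINDOW = timedelta(minutes=10)                  # assumed: elevation this soon after creation is suspicious
APPROVED_CREATORS = {"CORP\\svc-provisioning"}  # assumed: the only identity allowed to create accounts


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    subject: str   # identity that performed the action
    target: str    # account created, or member added to the group
    group: str     # group name for 4728/4732, empty for 4720


def parse_events(lines: Iterable[str]) -> list[Event]:
    """Parse forwarded events; malformed lines are skipped so one bad line cannot stop the sweep."""
    events: list[Event] = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        try:
            events.append(Event(datetime.fromisoformat(parts[0]), int(parts[1]),
                                parts[2], parts[3], parts[4]))
        except ValueError:
            continue
    return sorted(events, key=lambda e: e.ts)


def find_suspicious_admins(events: list[Event]) -> list[tuple[str, str]]:
    """Return (account, reason) for accounts created outside the approved process
    or added to a privileged group within WINDOW of being created."""
    findings: list[tuple[str, str]] = []
    created: dict[str, Event] = {}   # account -> its 4720 event
    for e in events:
        if e.event_id == 4720:
            created[e.target] = e
            if e.subject not in APPROVED_CREATORS:
                findings.append((e.target, f"created by unapproved subject {e.subject}"))
        elif e.event_id in (4728, 4732) and e.group in PRIVILEGED_GROUPS:
            c = created.get(e.target)
            if c is not None and e.ts - c.ts <= WINDOW:
                age = int((e.ts - c.ts).total_seconds())
                findings.append((e.target, f"added to {e.group} {age} s after creation"))
    return findings


# Constructed log: a normal provisioning of jdoe, then an attacker using a
# compromised employee account to create and elevate 'support_adm' at 2 a.m.
SAMPLE_LOG = [
    "2007-04-02T09:00:00|4720|CORP\\svc-provisioning|CORP\\jdoe|",
    "2007-04-02T14:30:00|4732|CORP\\helpdesk1|CORP\\jdoe|Remote Desktop Users",
    "2007-04-03T02:11:05|4720|CORP\\employee1|CORP\\support_adm|",
    "2007-04-03T02:11:40|4732|CORP\\employee1|CORP\\support_adm|Administrators",
    "2007-04-03T02:12:02|4728|CORP\\support_adm|CORP\\support_adm|Domain Admins",
    "not a valid event line",
]

if __name__ == "__main__":
    for account, reason in find_suspicious_admins(parse_events(SAMPLE_LOG)):
        print(f"{account}: {reason}")
```

The sweep only works if the domain controller and workstation logs actually reach the central collector; the TVA and FAA audits quoted earlier both faulted systems that failed to record suspicious activity at all.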
August, 2010 UPDATE: From the first smart grid security summit, San Jose,
California - The smart grid is still vulnerable to cyber attack!
The current grid, with its hodgepodge industrial control system (ICS) technologies,
is highly vulnerable to a cyber attack that could destroy critical generation and T&D
assets. Resulting outages could last for weeks, causing economic devastation. Smart
grid integration could make it worse. Utility IT staffs with some security knowledge
don't understand ICS, and operations groups that do don't trust, or even like, the
IT groups.
Nationally, very few experts (perhaps tens to low hundreds) understand enough ICS and
IT to be useful. Most industry executives have their heads in the sand. The few that
don't are thwarted by clueless regulators that deny rate cases for even modest
security improvements. The recently discovered Stuxnet infestation targeting Siemens
SCADA systems (see:
http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices)
provides the first hard evidence that the power grid is still seriously vulnerable.
One has to wonder why the message is apparently not getting through. One completely
unscientific (and probably unfair) observation is the security messengers appear to
be culturally worlds apart from their utility audiences. They are more likely to be
in tee shirts than ties, have longer hair and beards, have body piercings and tattoos,
and are proud to have been fired more than once for "telling the truth" to their
management. Many have chosen to live in rural locations, have backup generators, and
own more than one gun. It is hard to imagine a starker contrast to the
buttoned-down-white-shirt-and-tie utility executive. Could this be a major impediment
to grid security?
Stuxnet: The Stuxnet worm is included here because, like Aurora, it is used
to penetrate and infect SCADA PLC systems. However Aurora is an opportunistic,
"all purpose" worm which attacks motors, motor generators and Programmable Logic
Controllers generally. Stuxnet is far more specialized and was designed specifically
to attack Iran's nuclear capability. The creator(s) of Stuxnet are
currently unknown. But given how complicated, selective and sophisticated this worm
is, one can make some logical guesses. The short list would most likely include
any International Government with the technical wherewithal and desire to
shut down Iran's nuclear weapons program.
Stuxnet is the first [suspected] Government [sponsored] attack on
another Government that does not involve Military action, bombs, death, a
declaration of war and so on. I
suspect that Stuxnet is the first salvo in a Global trend towards Cyber Warfare
that will continue, grow and escalate for decades (at least) to come. IMHO, it's
just a question of when, not if, Terrorists deploy some sort of Aurora/Stuxnet
attack against the USA and other free Nations around the World. These attacks
can, and probably will eclipse the 9/11 World Trade Center attacks in terms of
disruption and destruction to infrastructures that we depend on for our daily
existence. The emergence of cyber warfare is more significant, in my opinion,
than the creation of the atomic bomb in 1945. The Planet is on the cusp of the
greatest "arms race" ever known.
The worm's target seems to be high value infrastructures in Iran that use Siemens
control systems and specific hardware components. Stuxnet has also infected other
SCADA systems (an estimated 6 million computers in China, for example) but seems to be
disinterested in anything that does not use the narrow band
of equipment found in Iran's nuclear facilities. According to news reports the
infestation by this worm may have significantly damaged Iran's nuclear facilities
in Natanz and has delayed the start-up of Iran's Bushehr Nuclear Power Plant.
Although Siemens has stated that the worm has not caused any damage, on
November 29, 2010, Iran confirmed that its nuclear program had indeed been damaged
by Stuxnet.
The Stuxnet worm was first reported by the security company VirusBlokAda in mid-June
2010, and roots of it have been traced back to June 2009. Stuxnet contains a component
with a build time stamp from 3 February 2010. In the United Kingdom on 25 November
2010, Sky News reported that it had received information that the Stuxnet worm, or a
variation of the virus, had been traded on the black market. The name is derived from
some keywords discovered in the software.
The complexity of Stuxnet is very unusual for malware, and consists of attacks
against three different systems: The Windows operating system, an industrial software
application that runs on Windows, and a Siemens programmable logic controller (PLC).
This type of attack required in-depth knowledge of industrial processes and an
interest in attacking industrial infrastructure. Developing the capabilities
in Stuxnet would have required a team of people to program, as well as check that
the malware would not crash the PLCs.
Stuxnet attacked Windows systems using four zero-day attacks (plus the CPLINK
vulnerability and a vulnerability used by the Conficker worm). It initially spread
using infected removable drives such as USB flash drives, and then used other
exploits and techniques such as peer-to-peer RPC to infect and update other computers
inside private networks that are not directly connected to the Internet. The number
of zero-day Windows exploits used is unusual, as zero-day Windows exploits are valued,
and hackers do not normally waste the use of four different ones in the same worm.
Stuxnet is unusually large at half a megabyte in size, and written in different
programming languages (including C and C++) which is also irregular for malware.
The Windows component of the malware is promiscuous in that it spreads relatively
quickly and indiscriminately.
The malware has both user-mode and kernel-mode rootkit capability under Windows, and
its device drivers have been digitally signed with the private keys of two certificates
that were stolen from separate companies, JMicron and Realtek, that are both located
at Hsinchu Science Park in Taiwan. The driver signing helped it install kernel-mode
drivers successfully and remain undetected for a relatively long period of time. Both
compromised certificates have since been revoked by VeriSign.
Two websites were configured as command and control servers for the malware, allowing
it to be updated, and for industrial espionage to be conducted by uploading
information. Both of these websites have subsequently been taken down as part of a
global effort to disable the malware.
Once installed on a Windows system, Stuxnet infects project files belonging to
Siemens' WinCC/PCS 7 SCADA control software, and subverts a key communication library
of WinCC called s7otbxbx.dll. The purpose of this subversion is to intercept
communications between the WinCC software running under Windows and the target Siemens
PLC devices that the software is able to configure and program when the two are
connected via a data cable. In this way, the malware is able to install itself on
PLC devices unnoticed, and subsequently to mask its presence from WinCC if the
control software attempts to read an infected block of memory from the PLC system.
The malware furthermore used a zero-day exploit in the WinCC/SCADA database software
in the form of a hard-coded database password.
The complete Stuxnet code has not yet been decrypted, but among its peculiar
capabilities is a fingerprinting technology which allows it to precisely identify
the systems it infects. Stuxnet requires specific slave variable-frequency drives
(frequency converter drives) to be attached to the targeted Siemens S7-300 system
and its associated modules. It only attacks those PLC systems with variable-frequency
drives from two specific vendors: Vacon based in Finland and Fararo Paya based in
Iran. Furthermore, it monitors the frequency of the attached motors, and only attacks
systems that spin between 807 Hz and 1210 Hz. The industrial applications of motors
with these parameters are diverse, and may include pumps or centrifuges. Stuxnet
installs malware into memory block DB890 of the PLC that monitors the Profibus
messaging bus of the system. When certain criteria are met, it periodically modifies
the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the
operation of the connected motors by changing their rotational speed. It also installs
a rootkit that hides the malware on the system - the first such documented case on
this platform.
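The operating band and the 1410/2/1064 Hz sequence above are exactly the kind of telemetry a plant can watch for, and because Stuxnet masks its PLC changes from WinCC, the readings must come from a sensor independent of the HMI host. The following detector is an added example written for this page, not code from the white paper or from Siemens; it assumes drive readings are logged as 'ts,drive,hz' lines, and the sample data and the step threshold are constructed. It generalises slightly beyond the page by flagging any abrupt setpoint change, not only the three-step pattern.

```python
"""Detector for Stuxnet-style frequency-converter manipulation.

Added example, not part of the original white paper. It assumes drive
frequency readings are available as 'ts,drive,hz' records taken from a
source independent of the WinCC host (e.g. a separate tachometer or power
monitor), because Stuxnet hides PLC changes from the HMI. The operating
band and the 1410/2/1064 Hz sequence come from the white paper; the sample
data and the step threshold are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

NORMAL_BAND_HZ = (807.0, 1210.0)          # band Stuxnet looks for, per the paper
MAX_STEP_HZ = 100.0                       # assumed: largest legitimate change between samples
STUXNET_SEQUENCE = (1410.0, 2.0, 1064.0)  # manipulation sequence described in the paper


@dataclass(frozen=True)
class Sample:
    ts: int        # seconds since start of capture (constructed)
    drive: str
    hz: float


@dataclass(frozen=True)
class Alert:
    ts: int
    drive: str
    kind: str
    detail: str


def parse_telemetry(lines: Iterable[str]) -> list[Sample]:
    """Parse 'ts,drive,hz' lines; malformed lines are skipped rather than crashing the monitor."""
    samples: list[Sample] = []
    for line in lines:
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        try:
            samples.append(Sample(int(parts[0]), parts[1], float(parts[2])))
        except ValueError:
            continue
    return samples


def detect(samples: list[Sample]) -> list[Alert]:
    """Flag out-of-band setpoints, abrupt jumps, and the full 1410/2/1064 Hz pattern."""
    alerts: list[Alert] = []
    by_drive: dict[str, list[Sample]] = {}
    for s in sorted(samples, key=lambda x: (x.drive, x.ts)):
        by_drive.setdefault(s.drive, []).append(s)

    lo, hi = NORMAL_BAND_HZ
    for drive, seq in by_drive.items():
        prev = None
        for s in seq:
            if not lo <= s.hz <= hi:
                alerts.append(Alert(s.ts, drive, "out_of_band",
                                    f"{s.hz:.0f} Hz outside {lo:.0f}-{hi:.0f} Hz"))
            if prev is not None and abs(s.hz - prev.hz) > MAX_STEP_HZ:
                alerts.append(Alert(s.ts, drive, "abrupt_change",
                                    f"{prev.hz:.0f} -> {s.hz:.0f} Hz in {s.ts - prev.ts} s"))
            prev = s
        # Look for the exact three-step sequence anywhere in this drive's history.
        hz_seq = [s.hz for s in seq]
        n = len(STUXNET_SEQUENCE)
        for i in range(len(hz_seq) - n + 1):
            if tuple(hz_seq[i:i + n]) == STUXNET_SEQUENCE:
                alerts.append(Alert(seq[i].ts, drive, "stuxnet_pattern",
                                    "1410 -> 2 -> 1064 Hz sequence observed"))
    return alerts


# Constructed telemetry: drive-A runs normally; drive-B shows the manipulation sequence.
SAMPLE_LINES = [
    "0,drive-A,1000", "60,drive-A,1005", "120,drive-A,1010",
    "0,drive-B,1064", "60,drive-B,1410", "120,drive-B,2", "180,drive-B,1064",
    "bad line", "240,drive-B,notanumber",
]

if __name__ == "__main__":
    for a in detect(parse_telemetry(SAMPLE_LINES)):
        print(f"t={a.ts:>4} s {a.drive} {a.kind}: {a.detail}")
```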
Stuxnet removal: As stated earlier, you don't have to be running a nuclear
facility in Iran to become infected with Stuxnet! Siemens has released a detection
and removal tool for Stuxnet. Siemens recommends contacting customer support if an
infection is detected and advises installing Microsoft patches for security
vulnerabilities and prohibiting the use of third-party USB flash drives. Siemens
also advises immediately upgrading password access codes. The worm's ability to
reprogram external programmable logic controllers (PLCs) may complicate the removal
procedure. Fixing Windows systems may not completely solve the infection; a thorough
audit of PLCs is recommended. Despite speculation that incorrect removal of the worm
could cause further damage, Siemens reports that in the first four months since
discovery, the malware was successfully removed from the systems of twenty-two
customers without any adverse impact.
As predicted, Aurora and Stuxnet would eventually morph into an "all purpose" power
generating system virus. And so it has. Enter the "Duqu virus". More on this later
but suffice it to say that Duqu is designed to penetrate pretty much any SCADA system,
collecting passwords and probing for vulnerabilities that would allow it to shut
down power generation facilities, among other things. Prepare for blackouts and
Government excuses as to why this was allowed to happen.
About the Author
Frank Saxton is a computer network security engineer and
Easyrider LAN Pro principal.
Home-based in Portland, Oregon, Frank has been designing remote diagnostic and
network enterprise monitoring centers since the late 1970s. Prior to becoming a
professional systems engineering consultant in 1990, Frank had a 20 year career
in computer systems field engineering and field engineering management. Frank
has a BSEE from Northeastern University and holds several certifications including
Network General's Certified Network Expert (CNX). As a NOC design engineer and
architect, Frank works regularly with enterprise-class monitoring tools such as
HP Openview Operations, BMC Patrol and others. In his enterprise security
audit work, Frank uses sniffers and other professional grade monitoring tools on a
daily basis.
Last modified March 25, 2009
Copyright 1990-2010 Easyrider LAN Pro