How Stuxnet changed the landscape for plant engineers

How Stuxnet changed the landscape for plant engineers. Richard Trout, Director for Client Solutions, Trout I.T. [email protected]

Upload: harper-tyler

Post on 02-Jan-2016



TRANSCRIPT

Page 1: How Stuxnet changed the landscape for plant engineers

How Stuxnet changed the landscape for plant engineers

Richard Trout,

Director for Client Solutions, Trout I.T.

[email protected]@troutit.com.au

Page 2: How Stuxnet changed the landscape for plant engineers

Introduction

This presentation is not:
• A technical discovery
• A landmark engineering project
• About an innovative new process
• Engineers in Society

It is about a mystery

Page 3: How Stuxnet changed the landscape for plant engineers

Natanz Uranium Enrichment Plant

January 2010 IAEA inspection anomaly
• Centrifuge replacement

Page 4: How Stuxnet changed the landscape for plant engineers

VirusBlokAda

June 17 2010
• Computer reboot loop in Iran
• Rare Zero Day Exploit
• Microsoft labels as ‘Stuxnet’
• Identified 3 versions dating from June 2009
• Targets Siemens Simatic systems

Page 5: How Stuxnet changed the landscape for plant engineers

Perseverance

July 2010
• Liam O Murchu, Symantec

Many unusual characteristics
• 500kb of code > 10kb code
• Not an obvious class of malware
• First to hide Windows DLL in memory
• Modular components for modification

Page 6: How Stuxnet changed the landscape for plant engineers

Sinkhole

Page 7: How Stuxnet changed the landscape for plant engineers

More ZDE’s

Hard-coded password vulnerability in Siemens Step7

Local network and devices

Page 8: How Stuxnet changed the landscape for plant engineers

Timeline

June 2008 ISIS notes centrifuge susceptibility
June 2009
• oldest Stuxnet in wild
• 12 centrifuges known operating at Natanz A26
August 2009 only 10 cascades operating
Early 2010 IAEA finds high centrifuge replacement
February 2010 2 of 3 Natanz modules unproductive
June 2010 VirusBlokAda
July 2010 Symantec identifies Iran target

Page 9: How Stuxnet changed the landscape for plant engineers

Conspiracy Theory

February 2003 Natanz enrichment facility
USA Iran tensions
April 2007 3,000 centrifuges in defiance of UN order
January 2009 NYT covert operation
September 2009 US ultimatum to Iran
November 2010 assassination attempts

Page 10: How Stuxnet changed the landscape for plant engineers

Smoking Gun

Page 11: How Stuxnet changed the landscape for plant engineers

Smoking Gun

Ralph Langner
• Industrial control system security

September 16 accusations
• Targeting a specific Siemens installation
• Bushehr nuclear power plant
• Stuxnet a product of government agency
• Targeting enrichment centrifuges

Page 12: How Stuxnet changed the landscape for plant engineers

Whodunnit?

Kim Zetter, Wired.com July 2011

Page 13: How Stuxnet changed the landscape for plant engineers

Key Points

Stuxnet was the first publicly identified malware to target an industrial control system

Disclosure practices of Siemens for computer security were criticised

Stuxnet Zero Day Exploits had been previously identified

Stuxnet’s was not typical and exploited local networks and devices

Page 14: How Stuxnet changed the landscape for plant engineers

A New Landscape

Typical plant networks (LAN and PLC) are vulnerable to the same exploits used by Stuxnet

Are vendors prepared?
Change control practices and security maintenance
Long history of virus evolution
The black hats of computer security
Agency involvement

Page 15: How Stuxnet changed the landscape for plant engineers

Coming Soon

To a plant near you

Page 16: How Stuxnet changed the landscape for plant engineers

Further Reading

“How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History”
• This presentation draws heavily from Kim Zetter’s story for Wired.com, and is used with permission
• Buy the book – coming soon!

Ralph Langner’s 16 September findings
• http://www.langner.com/en/2010/09/16/stuxnet-logbook-sep-16-2010-1200-hours-mesz/#more-217

Symantec’s Stuxnet analysis
• http://www.symantec.com/connect/blogs/w32stuxnet-network-information

Page 17: How Stuxnet changed the landscape for plant engineers

About the Presenter

• Richard Trout
Director of Client Solutions, Trout I.T.
[email protected]@troutit.com.au

• Please email for copies of the presentation or information on Stuxnet and Duqu