Preparing for the next super virus

The legacy of Stuxnet is alive and well, and the prospect of facing another super virus that targets industrial rather than IT systems is still keeping plenty of industrial control engineers and security professionals up at night.

Among the software and hardware vendors, security and law enforcement professionals at last week’s annual AusCERT conference on the Gold Coast, there was a small contingent distinct from the IT crowd.

A growing number of industrial control engineers are attending such conferences, as the fall-out from the Stuxnet virus puts the security of supervisory control and data acquisition (SCADA) systems, used in areas such as manufacturing, power generation and other utilities, at the top of the agenda.

Stuxnet, which came to public attention in mid-2010, spread widely across personal and enterprise Windows computers worldwide using several zero-day exploits. Its payload, however, only activated on Siemens control software driving particular Siemens PLCs that were in turn connected to frequency converter drives of specific makes, whose motor speeds it would then manipulate. This much is established by code analysis from antivirus researchers.

Though nothing has been proven beyond a doubt, industry consensus has since emerged that the malware was state-developed, possibly by the US and Israel, and it was aimed at disrupting Iran’s nuclear programme by targeting gas centrifuges used for uranium enrichment.

Speaking at AusCERT, Eugene Kaspersky, chairman and CEO of Kaspersky Lab, called for all SCADA systems to be redesigned around a secure operating system, to protect critical infrastructure from cyber-attack.

“Is it possible to design a secure operating system?” he asked. “Yes it is. There has been in the past, and there are prototypes for this now. The problem is replacing ALL of them. Software engineers could be paid like football stars if we need to do it quickly.”

Eric Byres, CTO and co-founder of Tofino Industrial Security, takes a more measured view, pointing to the ANSI/ISA-99 standards then under development to improve control system security. They introduce the concepts of “zones” and “conduits” as a way to segment a control system into isolated sub-systems with defined, policed connections between them, providing defence in depth through multiple layers of protection distributed throughout the control network rather than a single perimeter.
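To make the zone-and-conduit idea concrete, here is an added example (not code from the article, from Byres or from the ISA-99 standard) that models a plant as four zones and a default-deny list of conduits between them, then audits a few constructed flows against that policy. The zone names, subnets, ports and sample flows are all assumptions made for illustration.

```python
"""Zone/conduit policy check modelled on the ISA-99 segmentation concepts.

Added example; not code from the article or from ISA. Zone names, subnets,
conduits and sample flows are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zones: each zone is a list of subnets (assumption).
ZONES = {
    "enterprise": [ipaddress.ip_network("10.1.0.0/16")],
    "dmz":        [ipaddress.ip_network("10.2.0.0/24")],
    "control":    [ipaddress.ip_network("192.168.10.0/24")],
    "safety":     [ipaddress.ip_network("192.168.20.0/24")],
}

# Constructed conduits: (source zone, destination zone) -> allowed (proto, port).
# Anything not listed is denied, i.e. default deny between zones. Note there is
# deliberately no conduit from enterprise straight into control, and none into
# the safety zone from anywhere else.
CONDUITS = {
    ("enterprise", "dmz"):    {("tcp", 443)},                  # historian web UI
    ("dmz", "control"):       {("tcp", 502)},                  # Modbus/TCP, DMZ historian only
    ("control", "control"):   {("tcp", 502), ("tcp", 102), ("udp", 161)},
    ("safety", "safety"):     {("tcp", 102)},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it sits in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow under the conduit policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside any defined zone"
    allowed = CONDUITS.get((src_zone, dst_zone), set())
    if (flow.proto, flow.dport) in allowed:
        return "allow", f"conduit {src_zone}->{dst_zone} permits {flow.proto}/{flow.dport}"
    if not allowed:
        return "deny", f"no conduit defined from {src_zone} to {dst_zone}"
    return "deny", f"conduit {src_zone}->{dst_zone} does not permit {flow.proto}/{flow.dport}"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Evaluate every flow and return (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample traffic, as a firewall or span-port monitor might see it.
SAMPLE_FLOWS = [
    Flow("10.1.5.23", "10.2.0.10", "tcp", 443),          # enterprise -> DMZ historian
    Flow("10.1.5.23", "192.168.10.15", "tcp", 502),      # enterprise straight into control
    Flow("10.2.0.10", "192.168.10.15", "tcp", 502),      # DMZ historian polling a PLC
    Flow("192.168.10.15", "192.168.20.5", "tcp", 102),   # control reaching into safety
    Flow("192.168.10.15", "8.8.8.8", "udp", 53),         # control host talking to the internet
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run it and three of the five constructed flows are denied: the enterprise host talking Modbus directly to a PLC, the control host reaching into the safety zone, and the control host resolving names on the internet. Only the enumerated conduits are ever allowed; a path that is not a conduit is, by design, not supposed to exist.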

Byres cautions that the notion of completely separating SCADA and industrial control systems from enterprise IT systems and the outside world via an ‘air gap’ is a myth that promotes a false sense of security.

“What can Stuxnet teach us in terms of defence? It picked many, many pathways. There was no single point to cut it off. It can jump data air gaps in a number of ways,” he says.

A US Department of Homeland Security report says its assessors have never seen a truly isolated control system; on average they find 11 connections between the control network and the outside world. These range from operating system upgrades for SCADA hosts, process and recipe updates and remote support access, to external devices brought in by consultants and network links to ERP and supplier systems.

“For example, all control systems have Adobe Acrobat Reader installed so manuals can be read. Adobe has released 29 patches for Acrobat in the past three years,” says Byres.

But applying traditional IT approaches to controlling these channels can itself be dangerous.

Mark Fabro, president and chief security scientist of Lofty Perch, told AusCERT delegates of several catastrophic SCADA failures and close calls at major US utilities. In one example, an antivirus team’s attempt to remove malware that had entered the network via external devices connected to Windows terminals nearly resulted in the deletion of core SCADA system files that bore the same name as the malicious files. And this was ordinary botnet malware, not something targeting the SCADA system.
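The near miss Fabro describes comes from remediating on file name alone. The following added example (not code from the article, from Lofty Perch or from any antivirus or SCADA vendor) puts a legitimate vendor component and a dropped file of the same name side by side on a constructed host image, then compares name-based cleanup with cleanup that decides on content hash and honours a vendor allow-list. The paths, file contents, hashes and the colliding name are all constructed for illustration.

```python
"""Remediation that matches on content rather than file name.

Added example; not code from the article or from any AV or SCADA vendor.
Host paths, file contents, hashes and the IOC name are constructed.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed host image: path -> file bytes. The vendor's hmi_core.dll is a
# legitimate SCADA component; the malware dropped a file of the same name into
# a temp directory (the name collision the article describes).
HOST_FILES: Dict[str, bytes] = {
    r"C:\Vendor\HMI\hmi_core.dll": b"legitimate vendor runtime build 4.2",
    r"C:\Users\op1\AppData\Local\Temp\hmi_core.dll": b"commodity botnet dropper",
    r"C:\Vendor\HMI\alarms.cfg": b"alarm thresholds",
}

# What a name-only signature would match.
MALWARE_NAMES = {"hmi_core.dll"}
# Hash IOC for the dropper, as an AV team would receive it (constructed).
MALWARE_HASHES = {sha256(b"commodity botnet dropper")}
# Vendor allow-list of known-good hashes for the SCADA install (constructed).
KNOWN_GOOD = {
    sha256(b"legitimate vendor runtime build 4.2"),
    sha256(b"alarm thresholds"),
}


def cleanup_by_name(files: Dict[str, bytes]) -> List[str]:
    """Naive IT-style remediation: delete every file whose name matches the IOC.
    Takes the vendor's real DLL along with the dropper."""
    return [path for path in files if basename(path) in MALWARE_NAMES]


def cleanup_by_hash(files: Dict[str, bytes]) -> Tuple[List[str], List[str]]:
    """Control-system-tuned remediation: decide on the content hash, and refuse
    to touch anything on the vendor allow-list even when its name matches.
    Returns (paths to delete, allow-listed paths that collided by name)."""
    to_delete, protected = [], []
    for path, data in files.items():
        digest = sha256(data)
        if digest in KNOWN_GOOD:
            if basename(path) in MALWARE_NAMES:
                protected.append(path)  # collision with a known-good file: leave it
            continue
        if digest in MALWARE_HASHES:
            to_delete.append(path)
    return to_delete, protected


if __name__ == "__main__":
    print("by name:", cleanup_by_name(HOST_FILES))
    print("by hash:", cleanup_by_hash(HOST_FILES))
```

The name-based pass returns both copies of hmi_core.dll, which on a live SCADA host is the outage Fabro describes; the hash-based pass returns only the dropper and reports the vendor file as a protected collision, which is the case an operator wants surfaced rather than silently acted on.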

“To protect SCADA and industrial control systems we need to adopt principles similar to the IT world, but they need to be tuned and used appropriately,” says Byres. “If we develop approaches focused on how SCADA systems work, we can take advantage of things like their steady state, which should make monitoring changes via intrusion detection systems much easier.”
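Byres’s steady-state point is easier to see in code. The following added example (not from the article or from Tofino) learns which conversations, and which Modbus function codes on each, appear on a control network during a quiet baseline window, then flags anything outside that set: a host never seen before, or a known host that starts writing to a PLC it had only ever read from. The log format, addresses and function codes are constructed for illustration; a real deployment would build the baseline from a span port or firewall logs over a much longer window.

```python
"""Steady-state baseline detection for a control network.

Added example; not code from the article or from Tofino. The log format,
addresses and Modbus function codes below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed log format (an assumption, not any vendor's):
#   "<timestamp> <src> -> <dst> <proto>/<dport> [fc=<modbus function code>]"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\w+)/(\d+)(?: fc=(\d+))?$")

Key = Tuple[str, str, str, int]  # (src, dst, proto, dport)
NO_FC = -1                       # placeholder for non-Modbus records


def parse(log: str) -> List[Tuple[Key, int]]:
    """Turn log text into (conversation key, function code) records."""
    records = []
    for line in log.strip().splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # tolerate unrelated lines rather than abort
        _, src, dst, proto, dport, fc = match.groups()
        records.append(((src, dst, proto, int(dport)), int(fc) if fc else NO_FC))
    return records


def build_baseline(log: str) -> Dict[Key, Set[int]]:
    """Steady state: for each conversation seen, the set of function codes used."""
    baseline: Dict[Key, Set[int]] = defaultdict(set)
    for key, fc in parse(log):
        baseline[key].add(fc)
    return dict(baseline)


def detect(baseline: Dict[Key, Set[int]], log: str) -> List[str]:
    """Alert on conversations or function codes absent from the baseline."""
    alerts, seen = [], set()
    for key, fc in parse(log):
        src, dst, proto, dport = key
        if key not in baseline:
            msg = f"new conversation: {src} -> {dst} {proto}/{dport}"
        elif fc not in baseline[key]:
            msg = f"new function code {fc} on known conversation {src} -> {dst}"
        else:
            continue
        if msg not in seen:
            seen.add(msg)
            alerts.append(msg)
    return alerts


# Constructed baseline: HMI .5 reads (fc=3) from two PLCs, engineering
# workstation .7 reads and writes (fc=16) to PLC .50, .8 polls SNMP.
BASELINE_LOG = """
2011-05-16T08:00:01 192.168.10.5 -> 192.168.10.50 tcp/502 fc=3
2011-05-16T08:00:01 192.168.10.5 -> 192.168.10.51 tcp/502 fc=3
2011-05-16T08:00:02 192.168.10.7 -> 192.168.10.50 tcp/502 fc=3
2011-05-16T08:00:02 192.168.10.7 -> 192.168.10.50 tcp/502 fc=16
2011-05-16T08:00:05 192.168.10.8 -> 192.168.10.50 udp/161
2011-05-16T08:00:06 192.168.10.5 -> 192.168.10.50 tcp/502 fc=3
"""

# Constructed monitoring window: an unknown host .23 writes to PLC .50, and
# the HMI, which only ever read, suddenly issues a write.
MONITOR_LOG = """
2011-05-17T03:12:00 192.168.10.5 -> 192.168.10.50 tcp/502 fc=3
2011-05-17T03:12:01 192.168.10.23 -> 192.168.10.50 tcp/502 fc=16
2011-05-17T03:12:02 192.168.10.5 -> 192.168.10.50 tcp/502 fc=16
2011-05-17T03:12:03 192.168.10.8 -> 192.168.10.50 udp/161
"""

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), MONITOR_LOG):
        print("ALERT", alert)
```

Against the constructed window this raises exactly two alerts, the unknown host and the HMI’s first ever write, and stays silent on the routine polling. The same approach is noisy on an office LAN, where new conversations are normal; on a control network whose traffic is the same every shift, a new tuple is itself the signal.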