Lessons from Stuxnet
Matthew McNeill
Quick Overview
- Discovered in July 2011
- Sophisticated worm: many zero-day exploits, a Siemens programmable logic controller (PLC) rootkit, infection over the network and via removable drives, peer-to-peer updates, and a command and control interface
- Injects custom code into Siemens PLCs
- Forces the PLC to report false values for the frequency converter drives while running them at speeds exceeding their capacity
- Most infections in Iran
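The key detail above is that the PLC's own reports cannot be trusted once its code has been replaced. One defensive response is an independent plausibility monitor that compares what the PLC reports against an out-of-band measurement and against the drive's rated capacity. The code below is an added illustration, not part of the slides; the sample trace, the rated maximum, and the tolerance values are constructed.

```python
"""Independent plausibility check for frequency-converter telemetry.

Added illustration (not from the slides): a PLC that has been made to
report false drive frequencies can be caught by comparing its reports
with a separate measurement (e.g. a stand-alone power meter) and with
the drive's rated maximum. All sample values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int              # sample index (constructed, in seconds)
    reported_hz: float  # frequency the PLC reports for the drive
    measured_hz: float  # frequency from an independent meter


def check_drive(samples, rated_max_hz, tolerance_hz=2.0, min_run=3):
    """Return a list of (t, reason) alerts for one drive.

    An alert is raised when the independently measured frequency exceeds
    the rated maximum, and once PLC-reported and measured values disagree
    by more than tolerance_hz for min_run consecutive samples (the run
    requirement suppresses single-sample sensor noise).
    """
    alerts = []
    run = 0
    for s in samples:
        if s.measured_hz > rated_max_hz:
            alerts.append((s.t, "measured frequency above rated capacity"))
        if abs(s.reported_hz - s.measured_hz) > tolerance_hz:
            run += 1
            if run == min_run:
                alerts.append((s.t, "PLC report disagrees with measurement"))
        else:
            run = 0
    return alerts


# Constructed trace: the PLC keeps reporting a steady 800 Hz while the
# independent meter sees the drive pushed past a (constructed) 1000 Hz limit.
SPOOFED_TRACE = [
    Sample(1, 800.0, 801.0), Sample(2, 800.0, 799.0), Sample(3, 800.0, 800.0),
    Sample(4, 800.0, 1050.0), Sample(5, 800.0, 1400.0), Sample(6, 800.0, 1400.0),
]
NORMAL_TRACE = [Sample(1, 800.0, 801.0), Sample(2, 800.0, 799.5)]

if __name__ == "__main__":
    for t, reason in check_drive(SPOOFED_TRACE, rated_max_hz=1000.0):
        print(f"t={t}: {reason}")
```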
Some Quotes from Symantec
- "...design documents may have been stolen by an insider..."
- "Attackers would need to setup a mirrored environment..."
- "...six months and five to ten core developers..."
- "...obtain the digital certificates from someone who may have physically entered the premises of the two companies and stole them..."
- "Updates to [the Stuxnet executable] would be propagated throughout the facility through a peer-to-peer network..."
Unanswered Questions
- Who wrote it?
- What was its target?
- Was there an insider?
- How did it enter the network?
Why Stuxnet Is Important
- Hype aside, Stuxnet is a game changer
- Infrastructure attacks: speculation vs. reality
- Attacks high-value targets via conventional computer attack vectors
- "What it showed was that our current ways of thinking about security are flawed." - David Kennedy, Diebold
Lessons
- Vital systems are not protected by a lack of Internet connection
- Vital systems are not protected by complexity, expense, and proprietary code
- Vital systems are not protected by the difficulty of attacking them
- Infiltration does not have to happen over a network
- Management vs. network security
- Destroy Iran's nuclear program: speculation, but worth considering
Closing Thought: Duqu
- Parts nearly identical to Stuxnet
- Information gathering, not sabotage: remote access
- Communicated with a command and control server in India
- Who, and why?