Stuxnet Worm, Research and Recommendations

As you may be aware, a worm named Stuxnet (originally appearing in 2009) has recently resurfaced as a focused attack on industrial and energy control systems, targeting chiefly but not exclusively those systems built by Siemens AG. This worm has the capability to take control of and/or alter settings within SCADA systems and PLC/RTU sub-components.

Below are some good articles related to recent research into the worm.

Some FAQ points about Stuxnet (Stakes)

  • Neither government experts nor outside experts have a clue who is behind the creation of the code or what its purpose is
  • The code is allegedly designed to go after “high value” targets
  • Recent investigations indicate that Stuxnet was designed to exploit an unprecedented four (4) zero-day vulnerabilities within Siemens SCADA systems and Windows operating systems.
  • There is suspicion, but no proof, that it was developed to target Iranian nuclear plants.
  • It is estimated that it took a team of as many as five to ten malicious code developers to create the malware.
  • Deep inside the computer worm lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them. The use of the word Myrtus, which can be read as an allusion to Esther, to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of Stuxnet.
  • China, Russia, Israel, Britain, Germany and the United States have the brain power and funds to develop the code.
  • Some suspect the code is privately funded by a select group of sophisticated hackers.
  • Over 45,000 computers worldwide have been infected.
  • Analysis indicates over 60% of infected computers are in Iran, including its nuclear plant. Iran’s news sources claim no damage to computer systems, but Iran is seeking ways to eradicate the worm.

“Stuxnet is a directed attack. It’s the type of threat we’ve been worried about for a long time. It means we have to move more quickly with our defenses – much more quickly.”

At a private SCADA conference last week, German security researcher Ralph Langner, who has analyzed Stuxnet, said the complexity of the attack and the use of four zero-day flaws indicates it was the work of a well-resourced team with control system expertise.

Obviously, this news has generated increased concern among many energy clients. As a precaution, PathMaker Group is providing this email, and we recommend that our clients increase their vigilance with respect to the following key areas of concern, based on currently known attack vectors:

  • System patch maintenance. Two of the four key vulnerabilities now have patches to reduce the potential for infection. We recommend that clients ensure their system patching exercises are stepped up to include checking for new patches multiple times per day.
  • Disable (or change) all system default accounts and passwords, and employ complex passwords for system and user accounts. We’ve always recommended changing default system accounts and passwords, but now we consider this a matter of urgency.
  • Restrict access to USB devices. Since recent news about the infection at Iran’s nuclear facility indicates that the initial infection was accomplished by inserting a USB device into one of the key control systems, we recommend that clients treat this fundamental attack vector as high-risk rather than taking it for granted. Windows systems can and should be configured to restrict all access to USB device ports. At a bare minimum, USB ports should under no circumstances allow automatic program execution upon insertion of a USB device (thumb drive, portable disk drive, etc.).
  • Maintain close contact with Siemens Support regarding any developing news about their research and recommendations for infection prevention. Siemens AG has urged its customers to contact them immediately in the event that an infection is suspected.
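As an added example (not part of the original post or of PathMaker Group’s guidance), the following PowerShell script audits the two tiers of USB hardening recommended above on a Windows host and applies them when run with -Enforce. It assumes an elevated PowerShell session and uses the standard Windows policy locations for AutoRun (NoDriveTypeAutoRun) and the USB mass-storage driver (USBSTOR).

```powershell
# Audit (and optionally enforce) the USB controls recommended above.
# Run from an elevated PowerShell session; registry locations are the
# standard Windows policy keys for AutoRun and the USB storage driver.
[CmdletBinding()]
param([switch]$Enforce)

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$usbStor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegValue($Path, $Name) {
    # Return the value, or $null when the key or value does not exist yet.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Tier 1 (bare minimum): AutoRun disabled for every drive type (bitmask 0xFF),
# so inserting a thumb drive or portable disk cannot launch a program by itself.
$autorun   = Get-RegValue $explorerPolicy 'NoDriveTypeAutoRun'
$autorunOk = ($autorun -eq 0xFF)

# Tier 2 (recommended): USB mass-storage driver prevented from loading (Start = 4),
# which restricts USB storage access at the port level.
$usbStart = Get-RegValue $usbStor 'Start'
$usbOk    = ($usbStart -eq 4)

# Report current state of both controls.
[PSCustomObject]@{ Control = 'AutoRun disabled (NoDriveTypeAutoRun = 0xFF)'; Current = $autorun;  Compliant = $autorunOk }
[PSCustomObject]@{ Control = 'USB storage driver disabled (USBSTOR Start = 4)'; Current = $usbStart; Compliant = $usbOk }

if ($Enforce) {
    if (-not $autorunOk) {
        New-Item -Path $explorerPolicy -Force | Out-Null
        Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    }
    if (-not $usbOk) {
        Set-ItemProperty -Path $usbStor -Name 'Start' -Value 4 -Type DWord
    }
    Write-Host 'Hardening applied; a reboot is needed before the USBSTOR change takes full effect.'
}
```

Run without -Enforce first to see which control is missing on a given host; the USBSTOR setting blocks new USB storage devices only after the driver is unloaded, so already-mounted devices remain until reboot.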