Introduction
Cyber security has been a primary concern for individuals and organizations of every size for many years. Security concerns are on the rise as attacks become more sophisticated and require more complex mitigations. Although security risks are rising, accomplishing daily business operations is nearly impossible without heavy reliance on information technology devices and networks. In previous years, security was not a priority for factory controls and industrial systems; the focus was on personal computers and business networks. Recent attacks such as Stuxnet have proven that the threats to industrial systems are real and can result in serious repercussions. Raising the level of security in industrial systems is the only way to secure them and mitigate potential attacks.
Question 1.
Security requirements for industrial systems should differ from the requirements for consumer devices. Industrial systems and their devices have a longer life cycle than consumer devices: PCs can be replaced as often as every year, while industrial devices can easily remain in service for more than ten years, so their security requirements must stand up to evolving threats over that whole period. Security requirements for industrial systems should also differ because these systems are not easily patched compared to consumer devices; frequent updates may be limited by a lack of automated update capabilities or by limited storage. In addition, industry-specific protocols are often specialized and may not be recognized or protected by enterprise security tools. Security requirements must therefore protect against both industrial-protocol threats and enterprise-specific threats, which is not the case for consumer devices.
Question 2.
Stuxnet was identified in 2010 as a malicious worm designed to target industrial systems and take over their Programmable Logic Controllers (PLCs) (Farwell & Rohozinski, 2011). The worm was used to cause significant damage to Iran's nuclear program. The anatomy of the Stuxnet worm includes the main dropper, a dynamic link library (DLL) that is loaded into Explorer.exe. Once the main Stuxnet DLL executes, it triggers the installation mechanism, followed by the infection mechanism; the rootkits are then installed, and the final step is the loading mechanism. Stuxnet is introduced into a system through a USB drive. After introduction, it is designed to propagate through the network and scan for computers running Siemens Step 7 software that are being used to control PLCs. The worm then installs a rootkit that modifies the code on both the PLC and the Step 7 software, while at the same time reporting normal operation back from the system.
The Stuxnet worm was able to damage Iran's SCADA system because that system met the requirements for the worm to execute: it ran a Windows operating system together with the Siemens PCS 7 and STEP 7 industrial software applications. Once the worm was introduced from a USB flash drive, it infected the Windows systems using four zero-day vulnerabilities. The worm then infected the Step 7 software and installed itself on the PLC devices unnoticed, while reporting feedback that indicated normal operation. The worm collected information on the SCADA industrial systems and was also used to cause the fast-spinning centrifuges to tear themselves apart. It had been designed to erase itself in 2012. Almost one fifth of the nuclear centrifuges were destroyed during the Stuxnet attack. The attack succeeded against SCADA because it combined a worm that executed routines under the main payload, a link file that propagated copies of the worm automatically, and a rootkit that hid the malicious files from detection (Farwell & Rohozinski, 2011).
Question 3.
One of the lessons learned from Stuxnet is that the design of a cyber-attack can include links to other pieces of malware. Malware families can share a common source code framework, and understanding them can help cyber defenders anticipate what kinds of malware to expect in the future. For example, the Stuxnet worm was preceded by a less sophisticated worm called Duqu; the two are linked because they had similar features and shared the same source code (Cyber Conflict Studies Association, 2012).
Another lesson learned is that cyber-attacks can reveal new attack and threat vectors (IEEE, 2011). For example, although no organization or state claimed responsibility for the Stuxnet attack, it is strongly believed that the worm was a nation-state grade cyber weapon. The attack was attributed to Israel and the United States, although this was never confirmed.
No single step could have prevented the Stuxnet attack; the solution is a set of comprehensive countermeasures that work together to achieve the desired result. One measure is making sure that the command and control networks are isolated from shared public networks. Another is implementing security procedures and policies as part of a continuous improvement program, and another is creating a security awareness program. The organization could also have disabled USB devices in secure control system zones, and could have implemented Software Restriction Policies restricting code execution from remote and removable media. Finally, the organization could have confirmed that all default usernames and passwords had been modified or removed, and followed the vendor's recommendations when disabling unnecessary services.
Question 4.
One of the guidelines for reducing the attack surface of an industrial control system (ICS) network is implementing application whitelisting, which detects and prevents attackers' attempts to upload malware (NCCIC, 2015). The whitelisting solution should be deployed together with the vendors so that it can be baselined and calibrated properly. Another guideline is ensuring proper patch and configuration management, since attackers commonly target unpatched systems. Best practices should be followed when downloading patches and software destined for the control network: updates from unverified sources should not be loaded, and vendors can digitally sign updates or publish hashes over an out-of-band communication path. The third guideline is building a defendable environment by segmenting networks into logical enclaves and restricting host-to-host communication paths.
The fourth guideline is reducing the attack surface area. The organization should separate the ICS networks from all untrusted networks, especially the internet. Additionally, it should lock down all unused ports in the network and turn off all unused services. Real-time connectivity to external networks should be allowed only where there is a defined control function or business requirement. Where a task can be accomplished with one-way communication, optical separation should be used; where bi-directional communication is necessary, a single open port over a restricted network path should be used. The fifth guideline is managing authentication so as to prevent attackers from gaining control. Highly privileged accounts are frequent targets because they let attackers masquerade as legitimate users.
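The patch-management and whitelisting guidelines above (verify an update against a digest obtained out-of-band before it enters the control network, then permit execution only of approved binaries) are illustrated by the following added example. It is not taken from the NCCIC document or any vendor; the update bytes, the manifest and the file name are constructed sample data.

```python
"""Out-of-band integrity check plus hash-based execution allowlist for files
destined for an ICS control network. Added example with constructed data."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample update and the digest the vendor publishes through a
# separate channel (printed notice, phone call, separate portal). The digest is
# computed here only so the sample is self-contained; in practice it is typed in
# from the out-of-band source, never derived from the downloaded file itself.
UPDATE_BYTES = b"PLC firmware image v1.2 -- constructed sample payload"
OUT_OF_BAND_MANIFEST = {"plc_fw_v1_2.bin": sha256_hex(UPDATE_BYTES)}


def verify_update(name: str, data: bytes, manifest: dict) -> bool:
    """Accept an update only if its SHA-256 matches the out-of-band digest.
    A file with no manifest entry counts as an unverified source: rejected."""
    expected = manifest.get(name)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many digest chars matched.
    return hmac.compare_digest(sha256_hex(data), expected)


class Allowlist:
    """Execution allowlist keyed on file hash: a binary may run on a control
    host only if its hash was approved during baselining or a verified update."""

    def __init__(self) -> None:
        self._approved = set()

    def approve(self, data: bytes) -> None:
        self._approved.add(sha256_hex(data))

    def is_permitted(self, data: bytes) -> bool:
        return sha256_hex(data) in self._approved


def stage_update(name: str, data: bytes, manifest: dict, allowlist: Allowlist) -> bool:
    """Gate for moving a file onto the control network: verify it against the
    out-of-band digest first, and only then add it to the execution allowlist."""
    if not verify_update(name, data, manifest):
        return False
    allowlist.approve(data)
    return True


if __name__ == "__main__":
    wl = Allowlist()
    print(stage_update("plc_fw_v1_2.bin", UPDATE_BYTES, OUT_OF_BAND_MANIFEST, wl))
    tampered = UPDATE_BYTES.replace(b"v1.2", b"v1.3")  # altered in transit
    print(stage_update("plc_fw_v1_2.bin", tampered, OUT_OF_BAND_MANIFEST, wl))
    print(wl.is_permitted(tampered))
```

A tampered or unlisted file never reaches the allowlist, so the whitelisting control and the patch-verification control reinforce each other.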
Conclusion
In conclusion, the Stuxnet worm opened a new level of cyber-security attacks: it was the first attack of its magnitude targeting an industrial system. In the past, serious security measures were not a priority for factory controls and industrial systems. The attack on Iran's nuclear facility triggered an awareness that has caused many industrial control system operators to put better risk mitigation measures in place. The sophistication of the Stuxnet worm shows that attackers and malicious software developers are not merely hobbyists but include determined actors whose efforts can result in catastrophic damage. The lessons learned from the attack can also benefit other industries in preventing future attacks, and reducing the attack surface area in each industry is an effective way of mitigating similar attacks in the future.
References
Cyber Conflict Studies Association. (2012). The History of Stuxnet: Key Takeaways for Cyber Decision Makers. CCSA.
Farwell, J. & Rohozinski, R. (2011). Stuxnet and the Future of Cyber War. Survival 53(1): 23-40.
National Cybersecurity and Communications Integration Center (NCCIC). (2015). Seven Strategies to Defend ICS. Department of Homeland Security.