Last update: Mon, 10 Dec 2018 7pm


Cyber War: Are Your Defenses Sufficient?

The precipitating event in the 1986 Tom Clancy novel Red Storm Rising is a massive fire in a Soviet petroleum installation caused by an infiltrator in the control room. But that attack could be done from thousands of miles away, without a person on site — and in fact there have been persistent reports that a “logic bomb” planted by the CIA in supervisory control and data acquisition (SCADA) software subsequently stolen by the KGB caused a massive explosion at a pipeline in Siberia in 1982. And there is increasing evidence that attacks aimed at industrial and civil infrastructure in countries around the world are no longer a remote possibility, but a serious real-world threat.

The biggest malware news in recent months was the Stuxnet worm. There are reasons to believe that it was designed to attack certain very specific pieces of industrial equipment — specifically uranium enrichment centrifuges in Iran.

Could such an attack happen here? Increased security since 9/11 has helped to reduce, but not eliminate, that likelihood, but the danger of a cyber attack seems to be increasing with time. In the industrial world the main targets would be industrial control systems (ICSs), SCADA systems, distributed control systems (DCSs), and programmable logic controllers (PLCs). This article will take a look at the present state of affairs, give the opinions of several experts, and offer some advice on how a company can protect itself.

What is malware?

Malware can be defined as software designed to cause harm to a computer system or to cause it to perform undesirable activities.

There are several recognized types of malware. Probably the oldest is the virus, usually defined as a program capable of reproducing itself and usually capable of causing harm to files or other programs on the same computer. Viruses are often attached to other, innocuous programs.

A Trojan (short for Trojan horse) is a piece of software that appears to be safe but contains harmful software, like a virus or a worm. A worm is a piece of malware that self-replicates and sends copies of itself to other computers via a network. Unlike a virus, it does not need to attach itself to another program.

A rootkit is “software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications,” according to Wikipedia. Industrial Defender[1] defines a control system rootkit as “a piece of software that modifies the behavior of a control system and disguises itself from detection.”

Spyware is software that captures information from an infected computer; it may also take control of the computer to install other software, change default settings, or redirect a Web browser. A keylogger is one type of spyware. Adware is software that causes a computer to display advertisements; some adware contains other malware such as spyware.

One popular form of attack, the denial of service attack or distributed denial of service attack, while common, is of less concern to industrial users because it targets websites, rather than control systems.

Who are the attackers?

Many people seem to have the impression that most malware attacks have been launched either by hackers out for bragging rights or by criminals looking to steal identities, extort money or build networks of zombie computers. But they are also launched by foreign governments, terrorists and independent political actors, e.g., Wikileaks and its defenders. The purposes include espionage, either military or industrial; the pursuit of directly salable information for fraud or identity theft; causing embarrassment; or preparation for other attacks.

Malware attacks can also be used to sabotage military installations or civilian infrastructure, either for political reasons or for extortion.

Testifying in April of 2007 before the House Committee on Homeland Security Subcommittee on Emerging Threats, Cyber Security, and Science and Technology, O. Sami Saydjari, president of the nonprofit Professionals for Cyber Defense, pointed out that “cyber warfare will be economic and social warfare.” Saydjari was later quoted in a Sept. 26, 2007 article by Jean Meserve on CNN: “For about $5 million and between three to five years of preparation, an organization, whether it be transnational terrorist groups or nation states, could mount a strategic attack against the United States.”

Consequences of a successful attack

Espionage can lead to loss of trade secrets — business plans, customer lists, financial information or intellectual property such as product design information or proprietary technology. A good example was the 2009 Operation Aurora incident, in which an attack traced back to the Chinese government stole intellectual property from Google and managed to gain information on Chinese dissidents.

Sabotage can cause disruption of operations, loss of production, destruction of capital equipment or damage to the community through power outages, failure of water systems, fire, explosion, flood or the release of toxic/radioactive materials. At a minimum such events will cause economic harm; at a maximum they can cause mass casualties. By all reports, one of the Stuxnet worm’s main functions was to sabotage the centrifuges used for uranium enrichment in Iran’s nuclear program. The CNN article by Jean Meserve mentioned above discussed the results of a Department of Homeland Security/Idaho National Laboratory experiment dubbed the Aurora Generator Test in which hacking into an electric generator’s control system caused it to go out of control and self-destruct.

How malware gets in

Malware can enter a system through any interface it has with the outside world — even if that interface is not known to users or system administrators. Infection can come through the Internet or via removable media (the first viruses spread via floppy discs, and the Stuxnet worm is believed to have been propagated by flash memory sticks). But it can also come through other entry points like unauthorized modems or wireless portals that users install for their own convenience.

What about wireless?

Wireless connectivity is rapidly gaining in popularity. Wireless system makers insist their encryption protocols provide good security, but wireless systems have one major potential threat entry point. “While a padlocked fence with razor wire may prevent someone from tapping into your fiber optic or copper cable,” points out Chris Shipp, CISSP, CISM, Cyber Security Manager, Contractor, DynMcDermott, U.S. Dept. of Energy Strategic Petroleum Reserve, “it almost certainly will have no effect on someone attempting to hack into a wireless device because they do not need to have physical access to be successful.”

So how safe are wireless networks, really? The answer to that, says Bradford H. Hegrat, CISSP, CISM, Sr. Principal Security Consultant, Rockwell Automation, depends on a number of variables. “[Y]ou have to consider the intended use of the network,” he says, “and whether or not it will be used for control, alarming and events, reporting or just higher level information sharing. Each one of these items has a different weight on data confidentiality, integrity and availability.” The nature of the network is also important, he continues: Does it provide readings from some otherwise inaccessible gauges, or is it part of a plant-wide control network? Before looking at security, he suggests, one should check availability. It’s best, he explains, to design the control system so it can continue to operate even if the wireless network goes down. “Once the designers get beyond that,” he says, “we can start to talk about protocols, encryption, access methodologies, site surveys, etc.” And while some of the earlier wireless systems had weak security, adds Shipp, the newer ones seem much more robust.


W32.Stuxnet, which has been variously called a worm, Trojan or virus, represents a step change in malware. For one thing, it’s enormous, at about half a megabyte, and its creation clearly required a very large investment of time and manpower, including intimate knowledge of the targeted equipment and extensive quality control testing. More importantly, while not the first piece of malware that targets industrial equipment, it is the first worm discovered to include a programmable logic controller (PLC) rootkit. It gets into Windows-based systems via at least four previously unknown (zero-day) vulnerabilities, which is unusual for malware (the vulnerabilities have since been patched by Microsoft). It is both very sophisticated and very specific, targeting control systems that use Windows and Siemens WinCC/PCS 7 SCADA software for PLCs, and, while it burrows deeply into both the Windows machine running the overall control system and the PLCs (and if it has the opportunity reports what it finds back to, and receives updates from, its command and control servers — or did, until they were taken down), it mounts an actual attack only on systems that use two particular brands of variable-frequency motor drives (one made in Iran and the other in Finland) that are running within a particular frequency range. That’s an extremely specific attack. Symantec reports the vast majority of infected systems are in Iran.

Stuxnet most likely gets into a system initially via an infected memory stick, but can then spread to other computers networked with that one, although patches to prevent that are available. In addition, major anti-spy software companies have included Stuxnet signatures in their databases, which means that Stuxnet is probably no longer a threat to companies that update their protection signatures and are diligent in running malware sweeps.

But while Stuxnet may be defanged, the principles on which it operates, and the technology embedded in it, signal a new age for malware.

An attack does not need to be as sophisticated as Stuxnet to gain entry to unprotected control systems. The Nessus Project has an extensive list of plug-ins to counter many known vulnerabilities in PLCs and other control equipment. In addition, “As of Oct. 1, 2010, the national vulnerability database has 51 [ICS] vulnerabilities currently listed, and organizations like Critical Intelligence are tracking 119 disclosed vulnerabilities,” said Michael J. Assante, President and CEO of the National Board of Information Security Examiners, in testimony at a hearing entitled “Securing Critical Infrastructure in the Age of Stuxnet” before the Senate Committee on Homeland Security & Governmental Affairs.

Referring to Stuxnet as what it is — a weapon — Assante went on to say that “we must understand that the attacks we should be most concerned with are not designed to disable their digital targets, but to manipulate them in an unintended way to achieve a desired physical outcome. Many professionals have limited their thinking to dealing with the loss of individual elements or capabilities of their control systems and have failed to fully embrace the implications of calculated misuse.”

And we are vulnerable, Assante went on: “[W]e have not sufficiently studied nor considered the potential for these types of attacks on large interconnected systems, such as the electric grids, or in highly controlled and potentially dangerous industrial processes.” And Shipp sees in Stuxnet “confirmation that recently there has been and will continue to be increasingly sophisticated and targeted attacks against critical infrastructure components.”

How likely is such an attack on us? “It is inevitable,” Shipp continues, “that an attack using something very similar to Stuxnet will be launched against the West. The question is not if, but when such an attack will occur.”

Hegrat points out that Stuxnet was a point-targeted tactical digital weapon system whose effectiveness depended on its specificity. “To have a widespread, generalized attack focused on the West,” he says, “one would have to change the goals of such an attack from point target disruption/sabotage/destruction, to area, industry or theater-level disruption of service/operational effectiveness,” which would diminish its effectiveness. That said, he goes on, it would not be difficult to create a denial of service level attack that would, for example, disable (brick) all Siemens PLCs.

What Stuxnet represents

Stuxnet, like Google’s Operation Aurora, says Hegrat, is an example of an Advanced Persistent Threat (APT). “The real danger with APTs is their resource pool and determination,” he says. “This determination can include physical compromise like Stuxnet through USB (essentially, Stuxnet compromised human beings and used human beings as an attack vector). According to InformationWeek.com, 1 in 4 malware packages spread via USB.” In the future, he continues, “[w]e will continue to see this attack vector growing; couple that with an insider APT and this will be extremely damaging.”

What companies can do to protect themselves

With all the threats out there, and all the ways malware can get in, how can a company protect itself? The first step is making sure all potential entry points are known and secured. The use of removable media like memory sticks, CDs and DVDs should be banned — and the ban strictly enforced, with a written policy so that violators can be dealt with. Anyone who wants to play computer games can do it at home.

If a plant has both a control network and an office network there should, ideally, be an air gap (no connection at all) between them. This can seldom be done (management tends to want to see what’s happening in the plant), so whatever connection there is must be heavily protected with firewalls and other means.

Another step seems obvious, but is often neglected: Make sure all protective software (virus blockers, etc.) is kept up to date. For a home or office PC this can be a simple matter, since most protective software vendors offer automatic updating of their databases, but in a plant it’s not so easy. For one thing, these updates tend to come via the Internet, and all Internet connections should be kept locked down, so the updates may have to be done manually. And even if there’s a well-thought-out way to do the update, there’s always the worry that making any change may cause something to quit working, so software updates may well be deferred, and even vital security patches from Microsoft may not get installed when they should.

One technique that seems to be gaining followers is the use of whitelisting, which involves establishing a list of applications and software vendors considered trustworthy; only applications on the whitelist, or software from approved vendors, can be run. Also useful is host-based intrusion prevention (HIPS) technology, which watches for suspicious activity within a particular host computer. Other intrusion prevention systems include network-based intrusion prevention (NIPS), wireless intrusion prevention systems (WIPS) and network behavior analysis (NBA).

Industrial Defender also recommends strict firewall egress filtering. Stuxnet and some other malware are designed to communicate with specific command & control (C&C) servers via the Internet, both to upload information they have stolen and to download instructions from their masters (similar to the automatic updating of an antivirus program). If the malware cannot connect to its C&C server, it cannot change its function.

While all these precautions are good, Hegrat insists they are, and always have been, insufficient. “It's been my stance for my entire career,” he says, “that you must always assume that you are compromised.” That position, he continues, is mirrored by the National Security Agency's Director of the IAD (Information Assurance Directorate) with respect to U.S. Department of Defense networks, and it is assumed in many current security standards, such as ISA99 and NIST 800-82, as well as in the Rockwell Automation/Cisco Systems Converged Plantwide Ethernet (CPwE) Design and Implementation Guide.

The answer to this can be found in the motto, “The proof is in the packet,” Hegrat concludes. “In this mindset of hyper vigilance,” he says, “the only way you can ensure hostile entities are not communicating on your control systems networks is to do that detailed packet analysis. If you control the variables you can whitelist the traffic. Essentially, controlling the variables is the key to a more secure system. After all, if the [National Security Agency] says ‘There's no such thing as secure anymore,’ I'd have to say that security has always been a myth and that it never existed in the first place.”
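One way to put “control the variables and whitelist the traffic” into practice, together with the egress filtering Industrial Defender recommends above, as an added example that is not from the article or from any of the quoted organizations: a small Python audit that checks flow records against an explicit allow-list of control-network conversations and separates flows leaving the plant (where a C&C call-back would show up) from unexpected internal ones. The address range, hosts, ports and flow lines are constructed assumptions, not values from any real site.

```python
"""Control-network traffic whitelisting (added example, not from the article).

Each flow record is one line: src_ip dst_ip proto dst_port.
A flow passes only if it matches an explicit allow-list entry; everything
else is reported, with flows leaving the plant address space flagged as
'egress' because that is where command-and-control traffic would appear.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical plant address space; a real site would use its own ranges.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed allow-list of (src, dst, proto, dst_port): an HMI polling two
# PLCs over Modbus/TCP and writing to a historian over SQL Server.
ALLOW_LIST = {
    ("10.10.1.10", "10.10.2.20", "tcp", 502),   # HMI -> PLC-A, Modbus/TCP
    ("10.10.1.10", "10.10.2.21", "tcp", 502),   # HMI -> PLC-B, Modbus/TCP
    ("10.10.1.10", "10.10.3.30", "tcp", 1433),  # HMI -> historian
}


@dataclass(frozen=True)
class Finding:
    kind: str       # "egress" (leaves the plant) or "unexpected" (internal)
    src: str
    dst: str
    proto: str
    dst_port: int


def parse_flow(line):
    """Parse 'src dst proto port'; return None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, proto, port = line.split()
    return src, dst, proto.lower(), int(port)


def audit_flows(lines, allow_list=ALLOW_LIST, control_net=CONTROL_NET):
    """Return a Finding for every flow that is not on the allow-list."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow in allow_list:
            continue
        src, dst, proto, port = flow
        leaves_plant = (ipaddress.ip_address(src) in control_net
                        and ipaddress.ip_address(dst) not in control_net)
        findings.append(Finding("egress" if leaves_plant else "unexpected",
                                src, dst, proto, port))
    return findings


# Constructed sample flows; 203.0.113.7 is a documentation-range address.
SAMPLE_FLOWS = """
10.10.1.10 10.10.2.20 tcp 502
10.10.1.10 10.10.3.30 tcp 1433
10.10.1.10 203.0.113.7 tcp 80
10.10.2.20 10.10.2.21 tcp 502
10.10.1.10 10.10.2.21 tcp 502
""".splitlines()

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.kind:10} {f.src} -> {f.dst} {f.proto}/{f.dst_port}")
```

Run against the sample, the audit reports one egress flow (HMI to an outside web address) and one unexpected PLC-to-PLC conversation; the three allow-listed flows pass silently.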

Shipp also recommends the 800-series guidelines published by NIST.

Getting expert help

While many of the procedures and recommendations mentioned seem fairly straightforward, some are fairly complex and even the simple ones can add up to a significant amount of work. And misguided attempts to patch security holes can cause systems to malfunction. It takes intimate knowledge of the systems to be protected and considerable expertise to make sure you’re protected without causing plant problems. Assigning a dedicated staff person to the role of chief security guru (and making sure that person receives the training and certification needed) is an excellent plan, but it’s also a good idea to hire an expert, at least to get started.

But how do you evaluate the skill level of an “expert”? Start by listening to what the candidate talks about, suggests Shipp. “[E]ffective cyber security is a business requirement and it must be approached first from a business perspective not a technical one,” he says. “The most effective security consultants will speak in terms of business risk and mitigation of risk.” The consultant should talk about defense in depth; he or she should have experience on your type of equipment, “and preferably industry-recognized certifications from ISACA, (ISC)2 or SANS.” The last named, he continues, should be enough if you are simply looking for a technically-skilled consultant to perform a penetration test. And before you share any company information with a prospective consultant, or allow access to your systems, do a thorough background check.

A background and reference check may be difficult, however, says Hegrat, because most such people and organizations require a non-disclosure agreement, and may also need legal indemnification before performing penetration and social engineering tests. A consensus is developing, he continues, that the best course is an interview with detailed questions on the interviewee’s scope of services and deliverables. That can be followed up, he goes on, with a trick from the penetration tester’s toolbox: “[D]o some Internet-based research not only on the consultancy, but the consultant themselves. The ICS Security field is dangerously small — we are all pretty easy to find on the Web.”

[1] The Stuxnet Worm and Options for Remediation, by Andrew Ginter, Chief Security Officer, Industrial Defender. Last updated: Aug. 23, 2010

Organizations and companies with useful information

Note: Mention of particular commercial entities is provided as a service to our readers, and in no way constitutes a commercial endorsement of same.
