How to detect Stuxnet, Irongate and other similar malware in Automation & Control Systems (PLC/DCS/SCADA) or Safety Instrumented Systems (SIS/ESD)
Stuxnet is arguably the world's best known piece of Industrial Control System malware. It was apparently built to sabotage uranium enrichment centrifuges at Iran's Natanz facility, where it reportedly damaged a large number of them. It did not stay inside Natanz, however: it spread well beyond its target and was subsequently found on Siemens control systems, and on the Windows hosts around them, in Asia, Europe and elsewhere. After it was more or less accidentally discovered in 2010, researchers analysed it, inferred its objectives and published their findings, and the code was later put online (presumably so that other security researchers could analyse it and take steps to harden other control systems).

The whole episode put Industrial Cybersecurity back into focus. Several cybersecurity experts and others had been warning about industrial malware for a long time, but nobody in a position of authority seriously believed that something like this could actually happen in the real world. In that respect Stuxnet was a big wake-up call to everybody in the Industrial Instrumentation, Control Systems, Automation Systems, Safety Instrumented Systems and Functional Safety community. It was also noticed by those who were warning about cyber war. Until then, cyberwar experts had been studying the implications of hostile agents attacking banking, internet, telecom and other infrastructure, including the electrical SCADA systems used in power distribution, while attacks on industrial process control were considered closer to science fiction than reality. Stuxnet shattered that myth.
II. IRONGATE: STUXNET IN A NEW AVATAR?
Now that the Stuxnet code was out in the open, cyber security and cyberwar experts warned about copycat attacks using techniques similar to Stuxnet's: any other malicious actor could simply copy and reuse them. That appears to have happened with the discovery of "Irongate", named and described by FireEye, who have published a report about it on their blog. Two caveats from that report are worth keeping in mind: FireEye found no shared code and no link to the Stuxnet authors, so the resemblance is one of technique rather than lineage, and the samples were written against a Siemens PLC simulation environment rather than a production controller, which is why FireEye treats Irongate as a proof of concept or research tool rather than a deployed attack.
III. MALWARE COMPONENTS
Note that any well-written piece of malware has several components. One part may use so-called "zero-day" exploits to get into an unsuspecting control system unnoticed, another may use obfuscation or anti-analysis techniques to hide itself, and yet another is the main payload, which actually carries out the tasks set by its designers. Stuxnet, for example, used four zero-day exploits to spread. One of the main components of the Stuxnet payload, however, was its MITM (Man-In-The-Middle) component, which it used to intercept commands and data passing between the PLC and the control system's operator and engineering stations. On the engineering station it replaced the Siemens Step 7 communication library (s7otbxdx.dll), so that code blocks read back from the PLC appeared unmodified and the injected logic stayed hidden from the engineer; it is also reported to have replayed previously recorded "normal" readings so that operators saw nothing wrong while the physical process was being manipulated. Irongate's MITM works the same way in principle: it records a window of process data and then replays it to the HMI while sending its own data to the controller. The practical consequence for detection is that neither the HMI nor the engineering workstation can be trusted to show what the process is doing, so detection has to lean on things the MITM does not control: the integrity (hash and vendor signature) of the communication libraries on the engineering station, and process measurements taken out of band.
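The replay behaviour described above leaves a fingerprint that can be checked mechanically: one window of genuine readings followed by bit-identical copies of it. The detector below is an added example written for this page, not code from the whitepaper, from FireEye or from Siemens. It assumes a stream of readings for a single analog tag (a hypothetical rotor frequency in Hz) captured out of band, that is, on a path the HMI-side MITM cannot rewrite, and all sample data in it is constructed.

```python
"""Record-and-replay detector for a process-value stream.

Added example; not code from the whitepaper or from any vendor. It assumes
a stream of readings for one analog tag (a hypothetical rotor frequency in
Hz) captured out of band, i.e. on a path the HMI-side MITM cannot rewrite.
"""
import random


def find_replayed_span(samples, min_period=5, max_period=None,
                       min_cycles=3, tol=1e-9, min_range=0.05):
    """Find the longest span where samples[i] repeats samples[i - period]
    for at least min_cycles full periods.

    A record-and-replay MITM produces exactly this pattern: one window of
    genuine data followed by bit-identical copies of it. Returns
    (start, period, length) with start = index of the genuine window, or
    None. Windows whose values barely move (range < min_range) are ignored,
    because a process sitting at steady state also repeats itself and must
    not be reported as a replay.
    """
    n = len(samples)
    if max_period is None:
        max_period = n // (min_cycles + 1)
    best = None
    for period in range(min_period, max_period + 1):
        run_len = 0                      # matched indices i-run_len .. i-1
        for i in range(period, n + 1):
            if i < n and abs(samples[i] - samples[i - period]) <= tol:
                run_len += 1
                continue
            # run ended (or the series did): see whether it is long enough
            if run_len >= min_cycles * period:
                start = i - run_len - period   # first (genuine) copy
                window = samples[start:start + period]
                if max(window) - min(window) >= min_range:
                    length = run_len + period
                    if best is None or length > best[2]:
                        best = (start, period, length)
            run_len = 0
    return best


def constructed_stream(seed=7, replay=True):
    """Constructed data, not a real plant capture: 220 readings of a tag
    hovering around 1064 Hz with sensor noise. With replay=True, readings
    100..119 are 'recorded' and then replayed five times in place of the
    live values, imitating what the MITM hands to the HMI."""
    rng = random.Random(seed)
    live = [1064.0 + rng.gauss(0, 0.5) for _ in range(220)]
    if not replay:
        return live
    recorded = live[100:120]
    return live[:120] + recorded * 5


if __name__ == "__main__":
    print("replay:", find_replayed_span(constructed_stream()))   # (100, 20, 120)
    print("clean :", find_replayed_span(constructed_stream(replay=False)))
    print("steady:", find_replayed_span([1064.0] * 220))
```

The detector only has value if its input bypasses the compromised path: poll the PLC directly from a host the engineering station cannot reach, or log a physically separate sensor, and feed that stream in. Tune min_period and min_cycles to the sampling rate and to how long a replay loop would need to run to matter, and keep the min_range guard, since a tag that genuinely sits at steady state repeats itself for honest reasons.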
To obtain the rest of this whitepaper please Contact Us