Friday, November 19, 2010

Symantec's W32.Stuxnet Dossier: Breakthrough, v1.3, Nov 2010
Dutch Profibus expert provides crucial pieces to the puzzle

As of October, much had already been researched and shared with critical infrastructure organizations about Stuxnet, given its broader implications for industrial control systems, DCS and SCADA. As laid out in Symantec's publicly available research blog series and W32.Stuxnet Dossier white paper:
  • Stuxnet has been in play since at least 2009.
  • It specifically looks for Siemens PLC models S7-417 and S7-315-2, both widely deployed in the US.
  • PLC infection only occurs when the PLC is fitted with a Profibus-DP communications processor (the dossier names the CP 342-5 module).
  • Windows 64-bit platforms are not affected; only 32-bit Windows is targeted.
  • The malware package is very sophisticated, though some of its controls are sloppy (it could have been more tightly restricted and targeted, and so stayed hidden longer).
  • The question of how to ensure the integrity of PLC code has not been addressed in detail.
Stuxnet raises the bar and serves as a road map, even if the talented security researchers and hackers studying it do not regard it as easy to repurpose. There has also been speculation that malware of this type was used to make several Iranian petrochemical facilities dramatically "go bang" in 2009.

On Nov 12th, Eric Chien's posting Stuxnet: A Breakthrough keyed in on tips and insights from a Dutch Profibus expert that help pin down exactly what Stuxnet was built to do. Symantec's updated W32.Stuxnet Dossier v1.3 (Nov 2010) white paper now describes more clearly how the malware identifies frequency converter drives (the devices that set motor speed) of specific models from two vendors, proceeds only when those drives are running at high output frequencies (the dossier cites the 807 Hz to 1210 Hz band), and then sabotages them by periodically altering that frequency over an extended time frame.

This additional insight underscores the need to manage similar "Advanced Persistent Threat" risks to critical infrastructure more actively. Stuxnet's very clever payload is just one example of how hidden, targeted malware could pose a substantial threat to critical infrastructure, even though this real-world example focused on sabotaging systems akin to those used in uranium enrichment.