Stuxnet worm

Stuxnet SCADA attack, 2013 Slide 1 Cybersecurity Case Study STUXNET worm

description

Accompanies YouTube video at http://www.youtube.com/watch?v=RilxHjt5yRE which describes an instance of cyberwarfare where a worm was used to attack a uranium processing facility in Iran

Transcript of Stuxnet worm

Cyber-warfare

• The STUXNET worm is computer malware which is specifically designed to target industrial control systems for equipment made by Siemens.

• These systems are used in Iran for uranium enrichment

– Enriched uranium is required to make a nuclear bomb

• The aim of the worm was to damage or destroy controlled equipment


What is a worm?

• Malware that can infect a computer-based system and autonomously spread to other systems without user intervention

• Unlike a virus, no need for a carrier or any explicit user actions to spread the worm


The target of the worm

The STUXNET worm

• Worm designed to affect SCADA systems and PLC controllers for uranium enrichment centrifuges

• Very specific targeting – only aimed at Siemens controllers for this type of equipment

• It can spread to but does not damage other control systems

Worm actions

• Takes over operation of the centrifuge from the SCADA controller

• Sends control signals to PLCs managing the equipment

• Causes the spin speed of the centrifuges to vary wildly, very quickly, causing extreme vibrations and consequent damage

• Blocks signals and alarms to control centre from local PLCs
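A defensive illustration of the behaviours on this slide (rapid speed swings and suppressed alarms), added here and not part of the original slides: it compares the speed a PLC reports to the control centre with an independently wired sensor reading. The names, the Hz unit, the thresholds and the telemetry values are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed limits for illustration only; real values come from the equipment vendor.
MAX_STEP_HZ = 20.0          # largest plausible speed change between two samples
MAX_DISAGREEMENT_HZ = 5.0   # tolerated gap between reported and measured speed


@dataclass
class Sample:
    t: int               # seconds since start
    reported_hz: float   # value the PLC sends to the control centre
    measured_hz: float   # value from an independent, out-of-band sensor
    plc_alarm: bool      # alarm flag forwarded by the PLC


def find_anomalies(samples):
    """Return (time, reason) pairs for samples a defender should investigate."""
    findings = []
    prev = None
    for s in samples:
        # 1. Reported value disagrees with the independent measurement:
        #    the control centre is being shown something other than reality.
        if abs(s.reported_hz - s.measured_hz) > MAX_DISAGREEMENT_HZ:
            findings.append((s.t, "reported/measured mismatch"))
        # 2. Measured speed changes faster than the process should allow.
        if prev is not None and abs(s.measured_hz - prev.measured_hz) > MAX_STEP_HZ:
            findings.append((s.t, "rapid speed swing"))
            # 3. A swing this large with no PLC alarm means alarms are not arriving.
            if not s.plc_alarm:
                findings.append((s.t, "alarm missing"))
        prev = s
    return findings


# Constructed telemetry: steady operation, then swings hidden behind a flat report.
TELEMETRY = [
    Sample(0, 1000.0, 1000.0, False),
    Sample(1, 1000.0, 1002.0, False),
    Sample(2, 1000.0, 1300.0, False),
    Sample(3, 1000.0, 400.0, False),
    Sample(4, 1000.0, 1001.0, False),
]

if __name__ == "__main__":
    for t, reason in find_anomalies(TELEMETRY):
        print(f"t={t}s: {reason}")
```

The check only works if the independent sensor does not pass through the PLC or SCADA software that may be compromised.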

Stuxnet penetration

• Initially targets Windows systems used to configure the SCADA system

• Uses four different vulnerabilities to affect systems

– Three of these were previously unknown

– So if it encounters some systems where some vulnerabilities have been fixed, it still has the potential to infect them.

– Spread can’t be stopped by fixing a single vulnerability

Stuxnet technology

• Spreads to Siemens' WinCC/PCS 7 SCADA control software and takes over configuration of the system.

• Uses a vulnerability in the print system to spread from one machine to another

• Uses peer-to-peer transfer – there is no need for systems to be connected to the Internet

The myth of the air gap

• Centrifuge control systems were not connected to the internet

• Initial infection thought to be through infected USB drives taken into plant by unwitting system operators

– Beware of freebies!

Damage caused

• It is thought that between 900 and 1000 centrifuges were destroyed by the actions of Stuxnet

• This is about 10% of the total so, if the intention was to destroy all centrifuges, then it was not successful

• Significant slowdown in nuclear enrichment programme because of (a) damage and (b) enrichment shutdown while the worms were cleared from equipment

Unproven speculations

• Because of the complexity of the worm, the number of possible vulnerabilities that are exploited, the access to expensive centrifuges and the very specific targeting, it has been suggested that this is an instance of cyberwar by nation states against Iran

Unproven speculations

• Because Stuxnet did not only affect computers in nuclear facilities but spread beyond them by transfers of infected PCs, a mistake was made in its development

• There was no intention for the worm to spread beyond Iran

• Other countries with serious infections include India, Indonesia and Azerbaijan


Unproven speculations

• The Stuxnet worm is a multipurpose worm and there are a range of versions with different functionality in the wild

• These use the same vulnerabilities to infect systems but they behave in different ways


• One called Duqu has significantly affected computers, especially in Iran. This does not damage equipment but logs keystrokes and sends confidential information to outside servers.

Summary

• Stuxnet worm is an early instance of cyberwarfare where SCADA controllers were targeted

• Intended to disrupt Iran’s uranium enrichment capability by varying rotation speeds to damage centrifuges

• Used a range of vulnerabilities to infect systems