Stuxnet: Re-define standalone

Erwin Wurm: House attack

Image by Dom Dada via Flickr

Supposedly, Stuxnet was using not just one but four Windows XP zero-day exploits that allowed it to spread from computer to computer, typically via USB sticks. Lots of predators jumped into the fray offering XP users tools to clean their systems with, mostly at a price, of course. But only Siemens systems were under attack. Warnings went out not to simply remove it from Siemens systems, as the PLC code might still contain hidden commands; the advice was to restore the system from a secure backup. Next, more people jumped in to warn us all about the upcoming cyber wars.

Cyber wars???

In real life we wake up to a predatory universe each day. The internet is no different. Although Stuxnet is a highly sophisticated virus and contains a rootkit, it is unlikely to be “the immediate next predatory wave” because it was probably very costly to develop. Still, the impact on large-scale industrial systems on factory floors and in military installations, chemical plants and power plants is too costly, and potentially too dangerous (it can for example be used to change safety settings), to ignore the threat of Stuxnet itself, or of viruses like it. But an all-out worldwide cyber war? Unlikely.

The Real Problem

Security and reliability are two pressures that often get overlooked when designing systems, as all stakeholders prefer new features and possibilities, especially in commercial and industrial contexts. Cost/benefit analyses show “the new feature” is more profitable, and it makes management and customers happier too. In such circumstances we system architects either make a stand (at the risk of getting fired and/or spoiling our “team player” reputation), or we involve ourselves in some excellent controlled folly (which carries great risk too, but at least it’s fun, and that helps heal the pain of the cognitive dissonance we find ourselves in). Maybe later we get our chance and will be heard?

Neither security nor reliability can be tacked on later; not simply, that is. But a system can be refactored to guard the boundaries of its subsystems. Configuration information and SCADA (supervisory control and data acquisition) systems must be protected, and PLC integrity can be checked regularly. I recommend redefining “standalone”.

“Standalone Software”

According to Wikipedia, standalone software can mean:

  • Computer software that can work offline, i.e. does not necessarily require a network connection to function
  • Software that is not a part of some software bundle
  • A program that is run as a separate computer process, not an add-on of an existing process, e.g. not a plugin. The term “stand-alone” has been used inconsistently: for instance, on the Apple Macintosh platform, the plugin code has often been referred to as being stand-alone.
  • Historically, a standalone program – a program that does not require the operating system’s services to run
  • A portable application that can be run from removable storage, without the need for an installation procedure.

Redefining …

A standalone entity is something that has no dependencies; it can “stand alone”. Not only does it not require network connections to function: when it makes any such connection, an exception is thrown and all sirens go off. It is indeed a set of separate processes and not plugin code, in the sense that configuration information cannot be plugged in from elsewhere. It does have operating system services, in particular watchdogs and the like. And it does not run from any removable storage device.
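As an added illustration of this redefinition (not code from the original post), here is a small Python sketch: keyed digests of the PLC code and configuration blocks are taken from a known-good backup and compared with the running program on a schedule, and any network connection or mounted removable medium raises an exception that a watchdog can turn into an alarm. The block names, key and block contents are constructed placeholders, not real Siemens data.

```python
import hashlib
import hmac

# Key for the keyed digests; kept off the plant network in practice (constructed placeholder).
INTEGRITY_KEY = b"example-key-not-for-production"


class StandaloneViolation(Exception):
    """Raised when a 'standalone' system does something it must never do."""


def block_digest(block: bytes) -> str:
    # HMAC rather than a bare hash, so whoever replaces a block cannot also recompute the baseline.
    return hmac.new(INTEGRITY_KEY, block, hashlib.sha256).hexdigest()


def take_baseline(blocks: dict) -> dict:
    """Record keyed digests of every PLC block from a known-good backup."""
    return {name: block_digest(data) for name, data in blocks.items()}


def check_integrity(baseline: dict, current: dict) -> list:
    """Compare the running PLC program with the baseline; return findings (empty means clean)."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append(f"missing block {name}")
        elif name not in baseline:
            findings.append(f"unexpected new block {name}")
        elif not hmac.compare_digest(baseline[name], block_digest(current[name])):
            findings.append(f"modified block {name}")
    return findings


def enforce_standalone(observed: dict) -> None:
    """'observed' is a host snapshot: open network connections and mounted removable media."""
    if observed.get("network_connections"):
        raise StandaloneViolation(f"network connection: {observed['network_connections']}")
    if observed.get("removable_media"):
        raise StandaloneViolation(f"removable storage mounted: {observed['removable_media']}")


# Constructed sample: a known-good backup and a running copy with one altered and one extra block.
GOOD_BACKUP = {"OB1": b"main cycle v1", "FC1": b"safety interlock", "DB1": b"setpoints 42"}
RUNNING = {"OB1": b"main cycle v1", "FC1": b"interlock changed", "DB1": b"setpoints 42", "OB35": b"extra"}

if __name__ == "__main__":
    print(check_integrity(take_baseline(GOOD_BACKUP), RUNNING))
    try:
        enforce_standalone({"network_connections": ["10.0.0.5:445"], "removable_media": []})
    except StandaloneViolation as e:
        print("alarm:", e)
```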

And while you are at it, consider the entire security landscape

Did you wonder about that “only Siemens systems were under attack” too?

The trick is that installing a rootkit requires using drivers, which Windows machines are well-trained to be suspicious of. Windows requests that all drivers provide verification that they’re on the up-and-up through presentation of a secure digital signature. These digital keys are closely-guarded secrets. Yet Stuxnet’s malicious drivers were able to present genuine signatures from two genuine computer companies, Realtek Semiconductor and JMicron Technologies. Both firms have offices in the same facility, Hsinchu Science Park, in Taiwan. No one knows how the Stuxnet creators got hold of these keys, but it seems possible that they were physically—as opposed to digitally—stolen. — from Siemens: Stuxnet worm hit industrial systems


Posted on October 21, 2010, in Issues.
