Cigital interviews Ralph Langner of Langner Communications
Ralph was the first to determine that Stuxnet is a directed cybersecurity attack against the kinds of Siemens control systems used to control nuclear centrifuges in Iran. Gary and Ralph discuss what’s involved in introducing the concept of cybersecurity to control systems engineers, how anti-virus vendors originally responded to the Stuxnet, as well as plenty of detailed technical info about the worm with an emphasis on its payload.
There is a little of the usual “for the first time” talk from Cigital and attempts to apply complex information security models to control systems, but Langner makes excellent points about the slow pace of change in engineering and the different, simple and intended design of control systems.
The bottom-line seems to be that the attack, aside from figuring out the Siemens calling conventions, was very basic. Note that at the end of the recording Cigital accuses Siemens of having no security and only just beginning their own security program. Reverse engineering of the calling conventions might be hard, but obviously that’s not the only way to figure them out…
- “Single task real-time system” completely different from IT security. No authentication, no authorization.
- Vulnerabilities in control systems are not bugs. Legitimate product features, they often can not be patched.
- Speculation about attack on SCADA database to ex-filtrate intellectual property did not make sense. Raw data useless.
- Affect on controller was the turning point in Langner investigation because “controllers is all we do. We don’t bother with Windows computers”.
- Wireshark gave results very quickly. Easy to see infection.
- Applied different Siemens equipment to infected Windows system. Process of elimination to figure out which specific controller type and target configuration for Natanz
- Stuxnet attack very basic. DLL on Windows was renamed and replaced with new DLL to get on embedded real-time systems (controller). It was not necessary to write good code because of the element of surprise — only had to work pretty well
- Ladderlogic loader puts code onto a Siemens controller by ethernet or MPI or PROFIBUS, using that one DLL
- Original Siemens DLL had symbolic information but attackers had to reverse engineer calling conventions (protected by obfuscation and believed to be insider knowledge)
- Bad code ran simultaneously alongside Siemens code — “stealth system”
- Very easy to insert calls at beginning of OB1 and OB35
- OB1 main routine called when controller started (like main function but called in a loop many times per second). Stuxnet inserted at beginning of code block (inserts function calls) and makes decision to pass requests to legitimate code or intercept for 315
- OB35 is an event handler called 10 times per second. Stuxnet inserted code at beginning of code block so it would be called 10 times per second
- Easy to do. Controller has no checks for authenticity. No checks for code integrity. Just insert code. Works on any of millions of Siemens 7 controllers found in food and beverage, chemical plants, power plants, etc.
- Frequency converter attacks will only work on specific models and specific installation — attack code queries how many frequency converters attached to 315
- Reading values from frequency converter was compromised — every time a 315 function was called another function ran
- Those who typically program controllers would just take system functions for granted. Attackers know they could be overwritten and the program would still work
- Early mentions of Bushier were Langner’s fault due to speculation and layman understanding of strategic/natural targets of Israel. It was not a Stuxnet target despite presence of expensive Siemens 417 used there. In late September the data structures in code were linked to the actual plant layout in Natanz. Symantec was wrong because they focused on the delivery system instead of the payload. Must look at outside world and plant layout, not just do code analysis.
- 417 used for safety (prevent disaster by monitoring thresholds), 315 used for production (produce uranium). The attack vectors were not about fooling operators, who are the last line of defense (could be at lunch or bathroom). Stuxnet attack on 417 designed to fool front-line automated safety systems that are meant to react within seconds.
- The media did an excellent job reporting on the problem but the tax-payer funded organizations that are required to do the same did not (e.g. DHS)
- Problem of security eduction is not the engineers — it is with the CEOs
