The Era of Cyber Espionage & Cyber Warfare, Case Study Example

Introduction

In June 2010, a computer virus called Stuxnet was found dormant in the databanks of power plants, factories and traffic control systems all over the globe. The virus is recognized as being 20 times more complex than any virus code previously developed. Stuxnet has the ability to turn off oil pipelines or turn up the temperature in nuclear reactors and tell security system administrators that everything is fine. Stuxnet is recognized as the first weapon to be developed entirely from code. The risks of such a weapon in the digital era are virtually limitless, especially considering its capacity to be deceptive and replace project files while going unnoticed. Stuxnet utilizes real security clearances by exploiting zero days, security gaps that system creators don’t know about. Some believe Israel may be responsible due to the fact that within the code there are references to the Hebrew Bible, while others think the U.S. may be responsible. Stuxnet is an open source weapon that can be accessed by anyone online and redeveloped to influence the operations of virtually any utility or valued security resource in the world. The following will assess some of the more in-depth aspects of Stuxnet, specifically how it infiltrated SCADA, the Supervisory Control And Data Acquisition system in Iran.

The anatomy of the Stuxnet virus is detailed in the charts below. It can be seen that as Stuxnet attacks project files associated with the Siemens WinCC/PCS 7 SCADA control software, it modifies a step in the communication process between the WinCC software and whichever Siemens PLC device is running the operations at the time. This step is known as step 7 because it’s specifically WinCC s7otbxdx.dll. The chart below shows what happens in a standard step 7 communication between Siemens and Windows and what happens when this communication is intercepted by Stuxnet.

The chart above shows that Stuxnet renames project files and replaces the original without being detected by standard security protocols.
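As an added illustration (not code from this case study or its sources), the rename-and-replace behavior described above can be caught by comparing file hashes against a known-good baseline taken before any change. The file contents, the `.renamed` file name and the function names are constructed for this example.

```python
import hashlib
import os
import tempfile

def snapshot(directory):
    """Map each file name in `directory` to the SHA-256 of its contents."""
    digests = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digests[name] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def find_swaps(baseline, current):
    """Return (swapped, modified, missing) between two snapshots.

    swapped holds (name, new_name) pairs: `name` now has different content
    while its baseline content survives under `new_name`. modified holds
    changed names with no renamed copy; missing holds names that are gone.
    """
    new_by_hash = {h: n for n, h in current.items() if n not in baseline}
    swapped, modified, missing = [], [], []
    for name, old_hash in baseline.items():
        if name not in current:
            missing.append(name)
        elif current[name] != old_hash:
            if old_hash in new_by_hash:
                swapped.append((name, new_by_hash[old_hash]))
            else:
                modified.append(name)
    return swapped, modified, missing

def demo():
    """Constructed scenario: a library is renamed and another file takes its name."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "s7otbxdx.dll")
        with open(target, "wb") as fh:
            fh.write(b"constructed stand-in for the vendor library")
        baseline = snapshot(d)
        # Simulate the swap; "s7otbxdx.renamed" is a made-up name for this test.
        os.rename(target, os.path.join(d, "s7otbxdx.renamed"))
        with open(target, "wb") as fh:
            fh.write(b"constructed stand-in for a substituted library")
        return find_swaps(baseline, snapshot(d))

if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored somewhere the monitored workstation cannot rewrite, otherwise whatever swaps the file can also update the recorded hash.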

Iran admitted that Stuxnet had infected at least 30,000 computers across the region. The above graph shows the virus infected nearly 70,000 computers. This massive reach and deceptive capacity of Stuxnet is why the worm has been dubbed the most sophisticated malware ever. It specifically targets Windows PCs responsible for the management of large-scale industrial-control systems in manufacturing and utility companies.

The anatomy of the SCADA architecture is shown below. SCADA means Supervisory Control And Data Acquisition. The system itself is not responsible for full control but manages systems in a supervisory and supportive capacity. SCADA systems tend to be used to manage industrial processes, like steel development, conventional and nuclear power generation, and chemical distribution. As noted on MSDN, network architecture plays an essential role in network security management. They state that “an architectural style, sometimes called an architectural pattern, is a set of principles—a coarse grained pattern that provides an abstract framework for a family of systems. An architectural style improves partitioning and promotes design reuse by providing solutions to frequently recurring problems” (msdn.com, 2012). Below is a chart breaking down the architectural style of SCADA.

As the chart above shows, SCADA has two basic layers: the data server layer, which handles the technical end, and the client layer, which involves the engagement between the man and machine. Most computer worms like Stuxnet and viruses tend to target consumer systems such as desktop computers and laptop computers through embedded data. SCADA was infiltrated by Stuxnet because it currently does not have forensic processes to collect from embedded devices on its systems such as Programmable Logic Controllers (PLC) or Remote Telemetry Units (RTU).

The key issue that arose with Stuxnet was that the virus was able to interfere with communications between the controller and client. One example of a secure system utilized to avert file, network, or system corruption can be seen with the RADIUS services which are provided by the Cisco Access Control Server. It protects against communication interference utilizing a specific authentication process. This also allows for further enhanced security and privacy protection solutions. When an effective supplemental system, similar to SCADA but one that incorporates digital forensics, is implemented correctly, it can provide this enhanced security through the authorization and accounting features of the system (Intel Corporation, 2007).

In the Wu, Disso, Jones, and Campos (2013) study “Towards a SCADA Forensics Architecture,” the authors talk about security precautions that have been enacted since the Stuxnet attack to enhance security measures. They note that digital forensics is an essential aspect of improving the security process. This entails a process of five main guidelines: 1) examination, 2) identification of the problem or security threat, 3) collection of evidence, and 4) documentation of that evidence. The process is then followed up with step 5, which is an investigation and analysis process to root out the cause of data corruption issues or system threats for future safeguards. The authors note that using traditional digital forensic methods is flawed because “using traditional IT digital forensic process is unsuitable for SCADA systems. This is because currently there are no forensic processes to collect from embedded devices on the SCADA systems such as Programmable Logic Controllers (PLC) and Remote Telemetry Unit (RTU). SCADA system use MODBUS and Distributed” (Wu, Disso, Jones, & Campos, 2013). The main argument the authors make is that Stuxnet introduced many vulnerabilities to SCADA, especially in regard to how embedded software is handled from a forensic standpoint, both before and after the fact.

Conclusion

In sum, this massive reach and deceptive capacity of Stuxnet is why the worm has been dubbed the most sophisticated malware ever, but also why additional focus needs to be placed on digital forensics processes that can better investigate project files for corrupt behavior. Part of Stuxnet’s danger is that it’s difficult to identify. It specifically targets Windows PCs responsible for the management of large-scale industrial-control systems in manufacturing and utility companies. Stuxnet has the ability to turn off oil pipelines or turn up the temperature in nuclear reactors and tell security system administrators that everything is fine. Stuxnet is the first weapon to be developed entirely from code. The fact that Stuxnet is an open source weapon that can be accessed by anyone online and redeveloped makes it an even more dangerous weapon, as it can be reformatted for any purpose.

References

Daneels, A., & Salter, W. (1999, October). What is SCADA. In International Conference on Accelerator and Large Experimental Physics Control Systems (pp. 339-343).

Intel Corporation. (2007). Network in a box: Wireless LAN architecture for Small Offices. Retrieved from: http://www.intel.com/it/pdf/network-in-a-box.pdf

Koo, K. (2012). The Era of Cyber Espionage & Cyber Warfare (Case Study: Stuxnet). Forensic insight Seminar.

msdn.com. (2012). Chapter 3: Architectural patterns and styles. Retrieved from http://msdn.microsoft.com/en-us/library/ee658117.aspx

Falliere, N. (2010, September 26). Stuxnet Infection of Step 7 Projects. Symantec.

Patrick C. (2011, June 18). Stuxnet: Anatomy of a Computer Virus [Video file]. Retrieved from http://www.youtube.com/watch?v=scNkLWV7jSw

Wu, T., Disso, J. F. P., Jones, K., & Campos, A. (2013). Towards a SCADA Forensics Architecture. In Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research (p. 12).
