Tech Wake-Up: Continuing and Real Industrial Security Threats
By Mark Devlin
April 12, 2012
First Stuxnet, then Duqu: Now, another New Duqu
We’ve kept you informed about the sophisticated industrial Stuxnet worm, then Duqu, in several articles here on The Blog. (I won’t bog you down with more links; a site search will easily reveal many related hits right here on IEN.)
As if Stuxnet and Duqu weren’t enough for industrial control systems professionals to worry about, now you can add yet another new variant of W32.Duqu.
Symantec, who either doesn’t know or won’t reveal who provided the sample (according to this article at ABC News), recently revealed that they received ‘one small part’ of new Duqu attack code. That small part is ‘the loader file used to load the rest of the threat when the computer restarts.’
How do they know it’s new?
Checking the code we can see the authors have changed just enough of the threat to evade some security product detections, although this appears to have only been partially successful.
One of the more significant changes to the code is the encryption algorithm they use to encrypt the other components on disk. The difference in the algorithm is shown below:
The new one also makes it into systems through ‘a legitimate document,’ apparently tagging along with a driver file…
While this isn’t the first Duqu variant, it’s the first one discovered this year.
Information is sketchy and minimal for now, though Symantec says the discovery is important since it shows ‘that the attackers are still active.’
If granddaddy Stuxnet was Made in the USA to cripple Iran’s Natanz uranium enrichment facility then, umm, we also gave the rest of the world code that will likely be turned against its designers: us. Funny how this whole virus thing works, isn’t it?
(For an excellent Duqu primer/overview, see this PDF at Symantec released last year.)
Industry’s a Big Target, and Doesn’t Care?
According to this very worthwhile article at Ars Technica, that’s apparently the case in industrial control systems.
First, a little bit of background. A ‘zero day’ vulnerability is a flaw that gets exploited (by a virus, worm, trojan, or a hands-on attacker) before the equipment manufacturer (of PCs or PLCs, for instance) or software provider (OS and app developers) has issued a protective patch; the vendor has had ‘zero days’ to fix it. In the consumer and general enterprise worlds, that’s a window, and one that’s typically closed (with a patch) before any, or too much, damage is done.
Not only are there variants of known threats such as Duqu, but now, thanks to industries that don’t really seem to care enough to develop and issue patches (and I really hate to say this, but I’ve been saying it for a few years now and Ars Technica backs up my concerns), we have a new kind of vulnerability: the ‘forever day,’ a flaw the vendor has announced it will never patch. That leaves the customer two choices: tolerate the exposure (‘Good luck, brave industrial soldier’), or accept a warning and a workaround until you update your systems and buy more millions’ worth of the vendor’s stuff.
What the heck am I talking about? Ars Technica describes it very well…
The latest forever day vulnerability was disclosed in robotics software marketed by ABB, a maker of ICS (industrial control systems) for utilities and factories. According to an advisory (PDF) issued last week by the US Cyber Emergency Response Team, the flaw in ABB WebWare Server won't be fixed even though it provides the means to remotely execute malicious code on computers that run the application.
"Because these are legacy products nearing the end of their life cycle, ABB does not intend to patch these vulnerable components," the advisory stated. The notice went on to say that the development of a working exploit would require only a medium skill level on the part of the attacker.
IEN has deep, long-term relationships with many of the companies involved, and I really don’t want to put those things at risk. But c’mon, folks (manufacturers)…don’t customers who have spent tens of thousands minimum, tens of millions maximum, on industrial control systems deserve better?
‘Okay, we’ve seen this before,’ you might say as a reader: ‘Devlin’s overreacting again.’ This time, really, no. I’m not. Check this out…
"They're just not going to get patched," said Terry McCorkle, an independent security researcher who specializes in ICS devices used to control equipment on factory floors, dams, and in other industrial settings. "The big question is how many of their clients are actually set up to take those advisories and take action upon them?"
We’re of course talking about both process control and discrete control, and it could be compromised by an attacker of ‘medium skill level’???
I’m not singling out ABB here, nor does Ars Technica. GE, Siemens, and Schneider are also playing in the same neighborhood.
Apparently, the problem isn’t lack of customer support, but the relatively easy (and dismissive) classification of ‘legacy system.’ Once something is a legacy system, in this context, the manufacturer evidently assumes it’s going to be phased out soon anyway, so why worry about it? Correct me if I’m wrong, but we have ‘legacy systems’ running everything from assembly lines to refineries and, um, nuclear plants? One would think such systems wouldn’t be moved to the back of the line, especially when the risk is an attacker taking control of the system or the process it runs.
Here’s what GE had to say to Ars…
GE public relations manager Eli Holman defended the decision not to issue an update fixing the bug.
"We advised our customers that the 'Administrative Website' option will be removed as an installation option in the next release of Proficy Historian and that an updated alternative will be re-introduced in a future version of the product," Holman wrote in an e-mail. "In the interim, we recommended that customers uninstall the Web administrator and instead use the fully-supported Historian Administrator thick client."
Wonderware, on the other hand, “spent a lot of time trying to fix the problems.”
As for the others: for such large, key, globally recognized and respected corporations not to respond to either customers or journalists about such vulnerabilities seems, well, wrong at the very least.
(People have lost their jobs over less than what I’ve said here, so I hope to still be with ya’ll here on the blog next week.)
If any of the companies involved would like to comment to me, IEN, or any other industrial publication for that matter, we can all be reached pretty easily. (Email? IEN.com. My name’s Mark.)
Help me be on your side without sacrificing readers in the process.
Execs Being “Pulled Into Cyber Security Out of Obligation…”
…not by choice,” says Michael Fey, SVP of advanced technology and field engineering at McAfee, according to this article at SC Magazine.
We’ve been covering security breaches, threats, and industrial/manufacturing implications for years at IEN, and I’ve been one of the few (across several publications) running around, screaming “YOU NEED TO PAY ATTENTION TO THIS,” but—it’s like a nightmare in which you’re trying to scream, frantically moving your lips and mouth, but no sound is emitted.
Fey (sort of) backs me up with the following…
Successful executives have always valued business information. They seek to obtain it, oversee it and execute plans based on it. However, those same executives hold an unclear view of their role as an SOE [Security-Obligated Executive]. What security information should they pay attention to? Should they receive briefings, reviews or dashboards to remain informed? Is a daily, monthly or quarterly security posture briefing appropriate? Is today's headline-grabbing attack something that should concern them? Are they properly spending to safeguard the organization? Should they know about all of the latest cyber attacks against their company? Should they even care? The answer is a definitive…maybe.
If you’re fighting the secure-systems fight from boots-on-the-ground to boardroom levels, check out Fey’s article at SC. It might help give you some ammunition.
Soon, hopefully, execs will stop seeing security vulnerabilities as ‘acceptable risks.’
Enjoy your weekend, and remember: You can kill a helicopter with a car—if you’re out of bullets…