Friday, December 23, 2011

Stuxnet

Stuxnet is a computer worm that targets industrial control systems, the systems used to monitor and run large-scale industrial facilities such as power plants, dams, assembly lines and similar operations.

How Stuxnet Worm Works

Stuxnet looks for industrial control systems and then changes the code in them to allow the
attackers to take control of these systems without the operators knowing. In other words, this threat is designed to allow hackers to manipulate real-world equipment, which makes it very dangerous.

It’s like nothing
we’ve seen before – both in what it does, and how it came to exist. It is the
first computer virus to be able to wreak havoc in the physical world. It is
sophisticated, well-funded, and there are not many groups that could pull this
kind of threat off. It is also the first cyberattack we’ve seen specifically
targeting industrial control systems.

The worm is made
up of complex computer code that requires lots of different skills to put it together. Symantec security experts estimate it took five to ten people to work on this project for six months. In addition, knowledge of industrial control systems was needed along with access to such systems to do quality assurance testing; again indicating that this was a highly organized and well-funded
project.

"We've definitely never seen anything like this before," said Liam O’Murchu,
Researcher, Symantec Security Response. "The fact that it can control the
way physical machines work is quite disturbing."
Related Symantec resources: the updated W32.Stuxnet Dossier (November 2010, PDF), the Security Response blog post on the W32.Stuxnet Dossier, and the video "Stuxnet: How It Infects PLCs".

Update: The infection figures below were produced using telemetry data generated by Symantec products, and are therefore weighted towards countries with a larger Symantec install base. For more comprehensive and up-to-date infection figures, generated from traffic going directly to W32.Stuxnet command and control servers, please see our blog from July 22 or our W32.Stuxnet whitepaper.

We have received some queries recently regarding the new rootkit threat being called "Tmphider" or "Stuxnet". This threat, discovered recently, has been garnering some attention due to the fact that it uses a previously unseen technique to spread via USB drives, among other interesting features. We have compiled some of the questions we have been receiving along with our current responses. Analysis of the threat is still ongoing and we will update this blog with more information as appropriate.
Q) Am I protected against this threat?
A) Yes, Symantec added detection for this threat on July 13. The threat is detected as W32.Stuxnet; you can read some details of the threat here.
Q) I've heard that there are multiple files associated with this threat. Any details?
A) Yes, there are multiple files associated with the threat. The files consist of the threat installer and the rootkit component. They are both detected as W32.Stuxnet. Here are the file names of these components:
~WTR4141.tmp
~WTR4132.tmp
Mrxcls.sys
Mrxnet.sys
In addition, the threat creates associated shortcut/link files on a system. Here are some examples:
Copy of Shortcut to.lnk
Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Shortcut to.lnk
Copy of Copy of Copy of Copy of Shortcut to.lnk
Q) Who is being targeted by this threat?
A) While our analysis
is ongoing, we've seen that a significant proportion of machines seeing this
threat are in South East Asia. The “Others” category has a listing of 50+
countries, but their visibility of this threat is minimal.
Q) Does the threat use a new, unpatched (zero-day) vulnerability?
A) The threat is indeed using a previously unseen vulnerability to spread using removable drives. The vulnerability has been confirmed by Microsoft, who have released a security advisory for this issue.
Q) Do you know what OS platforms are seeing
the attacks?
A) Our in-field data
shows that multiple versions of Windows are seeing these malicious files.
However, not all versions may be vulnerable to the exploit being used. Here is
a breakdown:

Q) Does the threat in question contain a rootkit? What does it hide?
A) Yes, the threat does contain a rootkit component that it uses to hide two types of files:
All files that end in '.lnk'.
All files that start with '~WTR' and end with '.tmp'.
The threat has a user-mode and a kernel-mode rootkit. The '.sys' files mentioned above are used in kernel mode; the '.tmp' files are used to hide the files via user mode.
This means that when a system is infected,
you will not be able to see the files that are copied to the USB drive because
they are being hidden by the rootkit. However, our product will still detect
these files.
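As an added example, not part of the Symantec FAQ or of this post, the following Python script shows how a defender can triage a removable-drive listing using only the file names quoted in this FAQ. It mirrors the rootkit's own hiding rule ('.lnk' files and '~WTR*.tmp' files), classifies each name as loader, exploit shortcut, rootkit driver or other '.lnk', and, following the FAQ's description that the '.lnk' files load ~WTR4141.tmp, treats a loader plus a shortcut on the same drive as the strong signal. The sample listing and the verdict strings are constructed for the example. Because the rootkit hides these names from the infected host, the listing must be taken from a clean machine or an offline mount of the drive.

```python
"""Triage a Windows directory listing for the W32.Stuxnet file names
quoted in the Symantec FAQ. Example code added to the post; it is not
Symantec's tooling. Run the listing from a clean host or an offline
mount, since the rootkit hides these names on an infected system."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Names quoted in the FAQ. Windows file names are case-insensitive, so
# every comparison is done on a lower-cased name.
ROOTKIT_DRIVERS = {"mrxcls.sys", "mrxnet.sys"}
LOADER_RE = re.compile(r"^~wtr.*\.tmp$")            # ~WTR4141.tmp, ~WTR4132.tmp
SHORTCUT_RE = re.compile(r"^(copy of )*shortcut to\.lnk$")  # chained "Copy of" names


def hidden_by_rootkit(name: str) -> bool:
    """Mirror the rootkit's filter: '*.lnk' and '~WTR*.tmp' are hidden.
    Note that the .sys drivers themselves are not in that rule."""
    n = name.lower()
    return n.endswith(".lnk") or (n.startswith("~wtr") and n.endswith(".tmp"))


def classify(path: str) -> Optional[str]:
    """Map one path to an artefact class, or None if it matches nothing."""
    name = PureWindowsPath(path).name.lower()
    if name in ROOTKIT_DRIVERS:
        return "driver"
    if LOADER_RE.match(name):
        return "loader"
    if SHORTCUT_RE.match(name):
        return "shortcut"
    if name.endswith(".lnk"):
        return "other_lnk"
    return None


def triage(listing: List[str]) -> Dict[str, dict]:
    """Group matches by drive letter and attach a per-drive verdict.
    Verdict strings are constructed for this example."""
    by_drive: Dict[str, Dict[str, List[str]]] = {}
    for path in listing:
        cls = classify(path)
        if cls is None:
            continue
        p = PureWindowsPath(path)
        drive = p.drive.upper() or "?"
        by_drive.setdefault(drive, {}).setdefault(cls, []).append(p.name)

    report = {}
    for drive, found in by_drive.items():
        # FAQ: the .lnk files load ~WTR4141.tmp, which loads ~WTR4132.tmp.
        # Loader and exploit shortcut together on one drive is the carrier
        # pattern; a lone .lnk file only merits a look.
        if "loader" in found and "shortcut" in found:
            verdict = "likely W32.Stuxnet carrier"
        elif "loader" in found or "driver" in found:
            verdict = "suspicious: artefact present without the full set"
        else:
            verdict = "low: only .lnk files"
        report[drive] = {"found": found, "verdict": verdict}
    return report


# Constructed sample listing (not taken from a real incident).
SAMPLE_LISTING = [
    r"E:\Copy of Shortcut to.lnk",
    r"E:\Copy of Copy of Shortcut to.lnk",
    r"E:\~WTR4141.tmp",
    r"E:\~WTR4132.tmp",
    r"E:\holiday.jpg",
    r"F:\Copy of Shortcut to.lnk",
    r"C:\Windows\System32\drivers\mrxnet.sys",
]

if __name__ == "__main__":
    for drive, info in triage(SAMPLE_LISTING).items():
        print(drive, info["verdict"], sorted(info["found"]))
```

The drive-level grouping matters because the FAQ describes the artefacts as a set: the shortcut files are the exploit and the '~WTR' files are what they load, so seeing both on one removable drive is a much stronger indication than either name alone.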
Q) What does the threat do?
A) The link files, mentioned above, are part of the exploit and are used to load ~WTR4141.tmp, which in turn loads ~WTR4132.tmp. The threat contains many different functions. Our analysis of these functions is currently ongoing; however, we can confirm at this time that the threat is using some DLLs from Siemens for the product 'Step 7' to access SCADA systems. It uses a predetermined username and password to connect to the database associated with the SCADA systems to obtain files and run various queries to collect information. It may also gather other information relating to servers and the network configuration.
Q) Do you detect the .lnk files used in this
attack?
A) Yes, we have
released a signature set that is designed to detect the .lnk files used in this
attack. These files are detected as
W32.Stuxnet!lnk,
from Rapid Release definitions July 16, 2010, revision 035 onwards.
Q) Will turning off AutoPlay protect me
against this threat?
A) No, unfortunately
this worm exploits a newly discovered and unpatched vulnerability in the way
that Windows Explorer handles .lnk files. This feature is unrelated to
AutoPlay, so turning AutoPlay off will not help prevent being compromised in
this attack. That said,
turning off AutoPlay
is generally a good idea.
--------------------
Update: Changed threat name
from W32.Temphid to W32.Stuxnet.

Monday, July 11, 2011

Pre-Event Media Interview by Capt SB Tyagi at the Energy Infrastructure Security Conference in Kuala Lumpur, Malaysia


What do you view as the key threats to energy infrastructure, especially in context of increasing interoperability?

Interoperability has been both a boon and a bane – depending on which side you are looking at it from! For infrastructures it gives multiple choices, ease of operations, and integration of technologies. But it also creates multiple vulnerabilities, ease of strikes and selection of targets for saboteurs and miscreants. The most vulnerable targets in energy infrastructures would be its supervisory controls and the people managing them!

How will technology and efficiency shape the new critical assets security future and what cyber threats are Asia’s energy firms most susceptible to?

It can never be over-emphasized that technology increases the efficiency of people. However, personal efficiency is not always dependent on technology alone, as efficiency is a personal trait and it is mindset which makes some people more efficient than others. Thus, getting the right technologies for ‘naturally’ efficient people in the operations of key infrastructures is the necessity. The multiple cyber threats, coupled with the vulnerabilities of SCADA systems, will remain most susceptible to security breaches, which can be stopped only if technologies are sturdy.

As the case with Japan, natural disasters are a significant threat to the energy infrastructure. What are some of the other human and natural threats to the energy infrastructure in Asia?

Humans are the worst enemy of nature. They cannot control nature but keep interfering with it in the most dangerous manner! The catastrophic swings of nature causing floods, famine, tornados and tsunamis are on the increase. If it makes any sense, almost all the major civilizations and mythologies mention the end of the human race by ‘mega floods’. Energy infrastructures' worst natural threats are in the shape of floods, tsunamis, tornados and earthquakes!

From an investment point of view, what would you identify as the safest nations to invest in for energy projects? Why are they attractive?

It is a question businessmen are best equipped to answer.

In your view, what are the untapped opportunities for energy infrastructure security in Asia?

Sea, wind and sun are nature’s blessing to human kind! We are yet to explore the endless possibilities for their use in energy generation.

Going forward how will energy infrastructure security in the region evolve by the year 2020 and where will most of the emphasis be in terms of energy infrastructure security?

Fossil fuel is a bad word in today's world! Oil will remain under a cloud, though gas will have many takers. Even after the disastrous example of Japan’s latest damage to its nuclear power plants, nuclear energy would be the preferred option. The security of these energy infrastructures would require a balance of technology empowering the human elements of the security management apparatus. The future is in us – human beings – for if we think that technologies will solve our problems, then either we do not understand the technologies or we do not understand our problems!

Wednesday, April 13, 2011

Security of Key infrastructures

What are the Key Infrastructures? The transport, communication and energy sectors have a great role in nation building and economic prosperity. Energy security draws the attention of planners and saboteurs the world over. The focus is on energy security, which is the core of key infrastructures and also very vulnerable. The US has defined Key Infrastructures as “Systems and assets, whether physical or virtual, so vital to the country that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” - US Patriot Act

There is no single accepted definition of this term, but broadly key infrastructures are those, damage to which will adversely affect the Nation’s defense preparedness and economy. Following are the areas falling in the category of ‘Key or Critical Infrastructure’:
• Energy infrastructures – nuclear, hydro, coal and gas
• Information & communication infrastructures
• Water resources
• Financial institutions
• Transport infrastructures
• Space – development and research
• Food – supply chain
• Health infrastructures
Because of the private ownership of major elements of critical infrastructure, any security and control measures will (almost by definition) require the involvement of both private and public interests. However, the national authorities will often have sole competence in the area.


India’s Economic Rise & Infrastructure


The best consideration for Indian economic development will require the following steps:
• Development of infrastructures to cope with the growing demand;
• Policy for sustainable growth and up-gradation of existing assets;
• Ensuring availability of resources through domestic efforts, through long-term supply agreements or through buying assets abroad;
• An elaborate network for easy availability for domestic stakeholders;
• Above all, institutional and policy mechanisms to ensure equitable usage, both in terms of reaching underdeveloped regions and in terms of the economically backward sections of Indian society.


Major Areas of Security Concerns


The creation of any key infrastructure is a major logistical operation, from locating and investigating new sites to the movement of personnel and establishment of facilities. It takes an enormous amount of resources to establish such sites, and all the operators have to rely on a sound cloak of security to prevent theft of equipment, extortion, sabotage and kidnapping of the workforce. The following are the major areas of security concern:
• Security of survey parties and their equipment (even explosives!)
• Land acquisition and establishing camp sites: pre-camp, armed/static security
• Security during movement of essential equipment and key personnel
• Travel protection of executives and employees
• Transportation of heavy machinery and raw material – rail, air & sea
• Commencement of construction activities – labor unrest, law and order
• Establishing early oil/gas collection centers and security thereof
• Security of off-shore platforms, receiving terminals, dispatch terminals, compressor stations etc.
• Security of larger installations such as refineries, LPG plants and petrochemical complexes
• Security of the supply chain – storage/warehouse, rail/road transportation
• Intelligence gathering and disaster planning
• Constitution of Emergency Response Teams
For key infrastructures such as power, oil and gas, security is always a major concern, as this sector the world over has a high probability of, and vulnerability to, terrorist attacks and sabotage. Their operations also have high criticality.


Strategies for Reliable Security of Key Infrastructures


Following are the specifics of the security management of this sector.


Optimizing Assets through Centralized Command & Control


Integrated command and control systems must be positioned to provide an integrated solution, which captures and validates data that can be used throughout the organization during normal operation, whilst providing relevant, useful information in difficult and emergency situations. This approach will enable operators of critical national infrastructure to optimize their assets whilst maintaining their investment in legacy systems. New developments in technology can improve the security of personnel and assets and provide enhanced operational capabilities.


Biometric Integrated Safe System of Work


Integrated Safe System of Work (ISSoW) is a key tool in ensuring the safe operation of oil and gas installations. However, such systems can only be truly effective if user identities can be quickly validated and definitively authenticated. For this to be implemented in practice, providing advanced authentication and identity management, biometrics-based access control solutions are found to be very reliable. Many solutions are available in which worker identities can be positively and accurately registered, identified and managed securely throughout their lifecycle.


High Accuracy Real Time Personnel & Asset Location


There is a need for a system that improves the safety of workers in hazardous environments and helps to improve the effectiveness of emergency response measures. There are systems available which can locate an individual, or asset, to within 1 meter in 3D (e.g. in a multi-storey/multi-level facility), and which can do this up to 1 km from a base station. The system provides a position update every second and, for example, could be used to track a lone worker's or road tanker's progress through a plant, or to ensure that personnel are moving towards the correct muster points in an emergency. Such systems do not require a large amount of infrastructure or extensive cabling and are therefore easily installed in an existing plant at minimal cost.


Situational Awareness - Securely Integrating Site Data


This aspect deals with the need to simply and securely integrate data from a wide variety of systems to show site leaders and managers the overall condition of their site, and what is happening on it. This capability brings together data from operational, security and work management systems and merges this private data with public information from the internet to provide a complete picture. By using an underlying open data architecture together with a security protection system, it can bring these data sources together and share them securely among multiple disparate user groups, and at different locations, whilst ensuring data validity, security and privacy. As well as the complete picture, it can also provide custom views for users such as maintenance teams, emergency services and even the media and general public in the event of a major incident.


Air traffic


A rogue aircraft can endanger the security of any flights in the vicinity of its flight path! Due to loose security controls at take-off points, unscreened passengers can board it with unimaginable explosives and ammunition! Even this is not needed, as an aircraft on a collision path is itself a big danger to other aircraft. Security of aircraft in the future environment must therefore begin with the aim of improving security on commercial aircraft. It must address classic hijacking situations, September 11-type scenarios and futuristic scenarios involving electronic jamming and hacking of computer systems. Additionally, it must address technical issues such as onboard threat detection, threat assessment and response management, plus flight protection.


Security of Offshore Platforms


Off-shore platforms are highly vulnerable, high-risk installations with a high probability of attack by terrorists who may be equipped with some of the best technical capabilities. Somali sea pirates have well demonstrated that nowadays anyone can get anything provided they have sufficient funds! It is therefore very important that, besides sturdy infrastructure security and a security risk management mechanism including airborne, maritime and ground surveillance, these platforms have very reliable and impregnable communication and cyber security measures. Tracking and positioning of manpower and material is equally important. To devise an action plan to combat attacks on offshore installations, potential terrorist-related crisis situations should be incorporated in the CMP (Crisis Management Plan), along with the response mechanisms/capacity building required to handle such situations.


The Maritime Sector


The International Ship and Port Facility Security (ISPS) Code was introduced in July 2004. It requires ports and vessels to show that they have put adequate security systems in place, and vessels to show that they have been calling only at certified ports. The purpose of the code is to provide a standardized, consistent framework for evaluating risk.


Vessel automatic tracking and monitoring systems for the security of large oil infrastructures in high-sea areas assume greater importance, to rule out the attack capabilities of Somali-style outfits whose attention might be drawn to the vulnerabilities of these assets.


Cyberspace


The EU has set up a task force to explore what its 25 member states are doing to combat cyber-threats against critical infrastructure. As part of the EU's Critical Information Infrastructure Research Coordination, CI2RCO project, the task force aims to identify research groups and programs focused on IT security in critical infrastructures, such as telecommunications networks and power grids. The scope of the cooperation goes beyond the EU; the task force also wants to include USA, Canada, Australia and Russia. India with its strong IT workforce, known world-over for its prowess must join such cooperative and collaborative efforts!


Robust, Secure, Global Communication Solutions


This capability calls for seamlessly connecting all oil & gas installations of an organization and, at a higher level, of the Nation, by providing highly available, robust, secure, integrated communication networks for critical operational systems. A number of communication solutions are available which provide robust connectivity and communication helpful for the protection of assets and personnel in environments where a high standard of inherent safety is a mandatory requirement. There are resilient telecommunications networks such as the Broadband Global Area Network (BGAN), which allow for simultaneous voice & data communications and secure access to applications from almost anywhere in the world.


Securing Supervisory Control Systems


Supervisory Control and Data Acquisition (SCADA) systems and other similar control systems are widely used by utilities and industries that are considered critical to the functioning of countries around the world. The operations, safety, security and IT decision-makers of key infrastructures, especially oil & gas, power generation and transmission, and nuclear energy, are well advised to pay attention to the following aspects:
• Increasing reliance on Local Area Networks (LAN), Wide Area Networks (WAN) and the Broadband Global Area Network (BGAN) brings increased threats to the operations of organizations using them. Threats to SCADA come from malware, insiders, hackers and terrorists.
• The networks are susceptible to attacks aimed at disrupting and destroying them. Such an attack by viruses, worms or other forms of cyber-terrorism on nuclear, oil and gas industry process control networks and related systems could destabilize the national economy and defense preparedness.
• We need to keep control systems safe and secure, and to help minimize the chance that a cyber attack could severely damage or cripple infrastructures. We need to identify ways to reduce cyber vulnerabilities in process control and SCADA systems, and to identify new types of security sensors for process control networks.
• There is a real threat to SCADA from mischief-mongers prowling the web and the tech-savvy terrorist, and Stuxnet is the most lethal combination!


Conclusion


While the above are the main strategies for securing the assets of key infrastructure, constant improvement and improvisation need to be carried out to make security measures reliable as well as cost-effective, as in the present phase of economic meltdown no organization will take a decision without working out the ROI (Return on Investment). Dedicated manpower ready to face disaster would always be the central consideration for any security and disaster response plan. Keeping them constantly motivated and updated is another prime responsibility of management, as otherwise even the best plans are doomed to fail. Only those who foresee, fore-plan and thereafter rehearse their security and emergency response plans will succeed in this sector!