Stuxpocalypse: Hide Your Women and Children!

Friday, September 23, 2011

Infosec Island Admin


“Last year, after Stuxnet was identified as a weapon, we recommended to every asset owner in America – owners of power plants, chemical plants, refineries and others – to make it a top priority to protect their systems… That wakeup call lasted only about a week. Thereafter, everybody fell back into coma,” Langner told The Christian Science Monitor in a recent interview.

Ralphy, Ralphy, Ralphy... Could it be that your company needs more attention? You personally perhaps?

This crying “stuxpocalypse” thing is getting a little out of hand and seems rather low rent, well, wait a minute... Looking at that swank faux leopard pillow you have there, maybe this is your style... Ok, back on topic..


Where was I? Oh yes..

Ralph, sure, there are many systems out there running PLCs and yes, they are likely vulnerable to any number of attacks.

However, can you please look back and see how long it actually took persons unknown *cough* USA/UK/Israel *cough* to create the Stuxnet attack and breathe a little before you go crying to the likes of the Monitor?

I’m sorry, but you are just making yourself look really.. Well.. Needy.

Let’s look at the facts, shall we?

“Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don’t have any significant level of cybersecurity for them,” Langner said.

FACT CHECK: ALL the control systems? Really, Ralph, that is not going to happen… You smell the hype here, folks? MASS CASUALTIES! FUD FUD FUD. I’m sorry, no Ralph. Sure, if a system were taken down (say, power) there would be casualties, and the old and infirm would be the first to go, but a wholesale “fire sale” is not going to happen.

It’s really the stuff of movies.. Say, have you been watching Die Hard recently?

“The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks…. With every day [that] cyber weapon technology proliferates, the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares,” Langner stated.

FACT CHECK: Say Ralph, I seem to remember there being a whole cyber security initiative by the Obama admin that, it seems to me, covers this area. Though, yeah, I would love to see an expedited process, people are looking at this AND knew about these types of attacks WAY before Stuxnet showed up!

I mean, how do you think they got the idea in the first place to create such a vector of attack huh? I might also suggest that all of the people who you might be asking about this may not want to talk to you in the first place. It would be like me walking into your house as a stranger and asking “So, what’s your wife’s favourite position in bed?”

“Most engineers are aware of the problem, it’s just that they don’t get the budget to fix the problem. The risk is just discounted. As long as management doesn’t see an immediate threat, there is a tendency to ignore it because it costs money to fix,” Langner explained.

FACT CHECK: Uh yeah.. No.. After what happened in Iran, we are not likely to just avoid the issue altogether... Once again, I point to the previous statement (wife –> sex –> positions).

Rare are the vendors or the end users that are going to divulge the problems they have because they are afraid of compromise, no matter how hard it may be to carry out.

“I couldn’t stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened.”

FACT CHECK: Well, more of a comment really. //BEGIN SNARK/ SAVE US RALPH! SAVE US! //END SNARK/ People listened... Though, not necessarily to you... Trust me.

“I’m afraid cyber-arms control won’t be possible… It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first.”

FACT CHECK: Gee Ralph, how about you forget the SCADA systems out there that now have attention and think about everything else out there online. Like, say, every frikkin Windows XP instance still out on the Internet and within private networks that are not patched? How about the fact that said systems are connected to the internet on a regular basis and SCADA aren’t (crosses fingers).

Well, they aren’t “supposed” to be. Or did you miss the salient fact that it took a concerted effort to get Stuxnet into the Iranian facility in the first place because it was NOT connected to the internet as readily as other places?

Ya know... It’s called HUMINT. We needed someone to plant that USB stick or place it physically in a box on site. See Ralph, it’s not just some magic incantation and suddenly you’re infected.

Need I also remind you of the four zero-days used? Yeah..

So please Ralph, get off the Stuxnet nipple.. We know about it.. We just aren’t talking to YOU about remediations.


Cross-posted from Krypt3ia

Tags: Information Security, SCADA, malware, Cyberwar, Stuxnet, Network Security, Infrastructure, Programmable Logic Controllers
Andrea Zapparoli Manzoni: Hello Scot,

I religiously follow you on Krypt3ia, and I love your sharp comments, but this time I have to disagree.

Langner is surely crying wolf, but only to a certain degree.

I'm in the DCS/SCADA cybersecurity field and I work with many oil&gas / energy utilities, and although we've been talking for countless hours in several, top level meetings, *nothing* has been done until today.

No assessments, no VAs, no PTs, no remediations, no new policies or organizational changes, no-freakin-thing.

This seriously scares me, not only because the sons-of-stuxnet could (and probably are) around the corner, but because today those infrastructures can be severely disrupted even by script kids and lunatic geeks.

It doesn't take nation states, terrorists and skilled hacktivists: a quick search on Shodan to find a target and Metasploit would do the trick. It's like giving kids a remote control for ICBM launchers and wishing they won't use it.

Considering what is at stake here, to me this is definitely worrisome. As a society that cannot exist without those brittle infrastructures, the risks we're taking are unreasonable.


Andrea Zapparoli Manzoni

Craig S Wright: I agree with @AZM,
I have been involved with several SCADA systems that have a direct kinetic impact if compromised and many of these have little or no security.

As an example, a Java-based transport system that controls switching and signals that is just using http (no encryption) and is on the same network as the department's head office accounts systems.

Forget APT, this is a system that looks like a game to outside people and could result in 1000s of lost lives (and was nearly taken down by a random scanning worm a few years back).
Craig S Wright: "How about the fact that said systems are connected to the internet on a regular basis and SCADA aren’t"

Umm.. @K Fact Check...
Energy systems - online
Rail systems - online
Sewerage systems - online
Water systems - online
Engine Management (Airlines) - Online
Air Traffic Control - Online

@K I assume that you have missed the last few years (decade): all of these systems are online. At best, they have a crunchy layer from NAT.
Robert M. Lee: I have to agree with Andrea. I think a lot of your "fact check" opinions are misleading at best. I have a lot of respect for your interest and now, having found Krypt3ia (just found it today), I will be reading it as I think there is a lot of interesting information.

The point remains though, Mr. Langner is "sounding the alarm" because most people aren't listening. McAfee and the Center for Strategic and International Studies found in 2010 that only 35% of critical infrastructure owners checked their systems for Stuxnet; of those, 40% were infected.

There is a certain level of complacency in the ICS community in regards to cyber security whether it be focused on Stuxnet or not. There are many who are well prepared/invested/and trained to mitigate threats but there simply aren't enough. The roots of the community are focused in providing availability, not security. "Keep the water pumping. Keep the lights on. Keep the power going, at all costs."

Also, I feel your critique on Mr. Langner's comment about copy-cat attacks fails to recognize the real point. While some people in the world may have recognized the threat as you put it, most people including asset owners did not. These are the people that we have to convince to check their systems, protect them, and be ready for copy-cat like attacks from Stuxnet, Conficker, the Slammer worm, etc. It's not that Stuxnet is so unique in its ability to cause trouble in ICSs but it's unique in how targeted it was towards PLCs and ICSs.

We weren't ready for the things of the past let alone future cyber weapons. The truth is the money isn't there and "security" is a never ending process that doesn't give the immediate satisfaction necessary to earn money from asset owners, vendors, and the government.

Most of your "Fact Check" pieces just seem like obscure opinion pieces devoid of facts. You seem like an intelligent individual with undoubtedly more experience than I, but your last point focusing Stuxnet towards HUMINT alone shows that you do not fully understand the situation nor the attack vectors. And that is speaking from my perspective in the cyber and intelligence gathering communities.

Robert M. Lee
Andrea Zapparoli Manzoni: I believe Stuxnet is like warplanes in the First World War, bulky, slow, and very raw tech. They hit their targets by chance, more or less.

Still they achieved a "wow" effect on infantry and old-fashioned generals, and were quickly developed into full-blown, deadly, horribly efficient weapons.

20 years later, armed jets were already streaking in the skies, and the 3d warfare domain (air) became the most strategically important (until today).

Given that ICT evolves much faster than any other industry / knowledge field, I fear that 5 years from now the 2nd gen cyberweapons will be more similar to an F-22 than to a P-51, compared to the Red Baron's Fokker biplane that is Stuxnet.

-> There's a window of vulnerability which is widening exponentially here, and the outcome can't be good.

my 0.02c
Krypt3ia: @ Andrea.. But you state nothing has been done "until today" so, this is to say something is being done, correct? Unlike the complete apathy that Langner is crying wolf about.
Krypt3ia: @ Craig, dude, don't even get me started on you. You have posted so far two articles that I and others have found patently clueless. So please, step away from the keyboard before you hurt yourself.
Krypt3ia: Finally, @ Robert, You have some points but frankly, if there is such a huge problem and an impetus on hacktivists and nation states to pull this off (aka a fire sale) then why has it not materialized? For that matter, why hadn't it been done already because these vectors have been around for some time. I was seeing SCADA on networks years ago and they could not even react well to a ping sweep never mind actual code to manipulate them. Now that we have had Stuxnet, I should think that those systems and players involved would have more impetus to do something about it and this is even implied by Andrea that things are being done "now"

As well, citing such trusted sources as vendors *cough Symantec cough* is rubbish to make any kind of case here. For Christ's sake the exploits came out in the public view this year! Langner is just being a frak and trying to promote himself! Secondly, they were only caring IF they had SIEMENS PLC SYSTEM 7s online. So your citation is fallacious at best.

Finally, your use of the term Cyber itself leads me to believe that you may not be as in the know as you claim.

Robert M. Lee: @Krypt3ia I think your point of more than nothing being done up until today is very true. There is a lot being done by a number of people but it simply isn't enough nor is it getting the attention it deserves. I've actually used a very similar analogy that Andrea just used numerous times before, so of course I agree with it. I also think that Mr. Langner is in a rough position. He walks a very thin line where if he doesn't do enough no one will listen and yet if he does too much he seems to be crying wolf.

From my limited perspective I'd rather he play too hard and foul a little than take the avenue of not doing enough that so many before him have unfortunately taken.
Robert M. Lee: @Krypt3ia to your reply. Cyber deterrence is a very delicate and painfully misunderstood topic. There is a balance that no nation state or group really wants to be the first to figure out. There could have been things done in the past as you have stated. I think your wealth of experience in this area definitely aids you in your understanding and explanation of the issue. However, I don't feel that just because it wasn't done before is a really good defense. And to clarify I'm not speaking about a fire sale happening, I don't think it's impossible but definitely improbable at this point.

Technology is fast moving and political intentions/wills have to catch up to it. There were plenty of people in the political scene that didn't know what capabilities the "underground" had already come up with. Both in the hacker underground and in military units that "didn't exist" until recently. Now that there is media focus and attention on the issue there is a real threat forming for people to use attacks like Stuxnet and future cyber weapons. Just look at the evolution of the cyber weapons black market in the past few years. Supply and demand 101.

The article I cited holds true for a number of points, but not necessarily for what the article is trying to get across. My point was that not everyone is doing enough. There is a ton of room for improvement in the area of security and asset owners/vendors are largely ignoring this issue. Not out of desire to ignore it but out of capability. The point holds very true; as someone who obviously seems to understand hackers I would hope you would be the first to understand that one attack vector can be as good as 100. If we aren't securing our systems across the board, especially our critical infrastructure, then they will fall prey.
Andrea Zapparoli Manzoni: @K from my (limited) experience, there is not complete apathy at the middle management level, but the main problem is that there is no commitment at the Cx0 level on SCADA Security.

They still think that wearing hard hats and doing maintenance right is "security".

Furthermore, they still believe that their plants networks are "air-gapped", and this is very wrong too.

Over the years, countless web-based interfaces, remote accesses, and holes in the corporate network firewalls were put in place, in order to get information more easily (typically for remote maintenance and to feed ERPs / top management dashboards).

I call it "happy mindless computing", when someone says "hey why don't we open up port 80 from our HQ to the power plant, so that we can have cool mega-screens around the office showing how much money we're making each second".... This happened everywhere in the last 10 years, even in high-risk critical infrastructures.

Another problem is that *a lot* of stuff still runs on NT / W2k machines, unpatched and unpatchable, with no protection whatsoever... There are plants that *must* be shut down if their "historian" stops logging (because of environmental laws for example), and the historian is a dusty W2k box sitting in a corner since 2002...

Also, there's a chronic lack of documentation, and nobody really knows what impacts what in a 20yr old plant, or why that plug is in that hole, etc.

Then there's another serious show-stopper, that is different plants of the same company use totally different technologies from different vendors, so there's no easy way to rationalize the adoption of remediations (both organizational and technical). Which means huge, huge costs.

Finally, there's a systemic issue: if you secure 49 power plants out of 50, and the last one is breached / put out of order, the whole grid would go down.

I could go on for a couple of pages, I believe you can now better understand why I cannot easily dismiss Mr. Langner's warnings.
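An added example, not code from the post or from any of the commenters: a small audit over a constructed firewall ruleset that flags allow rules reaching the plant network from the corporate side or from the open internet, the kind of "open up port 80 from HQ to the power plant" hole described in the comments above, and the "online, with a crunchy layer from NAT" point made earlier in the thread. The zone ranges, the CSV-like rule format and the sample rules are all constructed for the illustration; a real check would parse the vendor's policy export instead.

```python
"""Audit a firewall ruleset for holes between the corporate network and the plant network.

Added example, not code from the post or its commenters. The zone ranges,
the CSV-like rule format and the sample rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zones: the plant/control network and the corporate (IT) network.
ZONES = {
    "control": ipaddress.ip_network("10.50.0.0/16"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
}

# Ports that should never be allowed across the IT/OT boundary as-is: cleartext
# web and remote access, Windows file sharing, and unauthenticated ICS protocols.
RISKY_PORTS = {80: "http", 23: "telnet", 445: "smb", 502: "modbus/tcp", 102: "s7comm"}

# Constructed sample export (name, source, destination, dport, action).
SAMPLE_RULES = """
# name, source, destination, dport, action
hq-dashboards, 10.10.0.0/16, 10.50.0.0/16, 80, allow
vendor-remote, 0.0.0.0/0, 10.50.7.10/32, 3389, allow
historian-pull, 10.10.20.5/32, 10.50.3.3/32, 1433, allow
plant-internal, 10.50.0.0/16, 10.50.0.0/16, any, allow
it-to-ot-default, 10.10.0.0/16, 10.50.0.0/16, any, deny
"""


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means "any port"
    action: str


def zone_of(net: ipaddress.IPv4Network) -> str:
    """Name the zone a prefix falls inside, or 'other' (e.g. 0.0.0.0/0, the internet)."""
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "other"


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed comma-separated export; '#' lines are comments."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, src, dst, port, action = [f.strip() for f in line.split(",")]
        rules.append(Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port), action.lower()))
    return rules


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every allow rule that reaches the control
    zone from anywhere outside it. Traffic that stays inside the plant network
    and deny rules are out of scope: only allow rules create exposure."""
    findings = []
    for r in rules:
        if r.action != "allow" or zone_of(r.dst) != "control" or zone_of(r.src) == "control":
            continue
        origin = "corporate network" if zone_of(r.src) == "corporate" else "outside all known zones"
        if r.dport is None:
            what = "any port"
        elif r.dport in RISKY_PORTS:
            what = f"{RISKY_PORTS[r.dport]} (tcp/{r.dport})"
        else:
            what = f"tcp/{r.dport} (review)"
        findings.append((r.name, f"{what} allowed into control network from {origin}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {reason}")
```

Run as a script it reports three rules: the HQ dashboard hole on plain HTTP, a vendor remote-access rule open to the whole internet, and a database pull that at least deserves review. The "plant-internal" rule is skipped because both ends are inside the control zone, and the default deny is ignored because only allow rules create exposure. The caveat is that a ruleset audit only sees the holes that go through the firewall; a dual-homed engineering workstation or a modem on a historian box bypasses it entirely, so this is a starting point for the assessments the comment says are not happening, not a substitute for them.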
Craig S Wright: @K You have NO idea just how connected these systems are.
Craig S Wright: Is it just me, or is the notion that the old and infirm will die but who cares (even in jest) offensive?

“Ralph, sure, if the system were taken down (say power) there would be, the old and infirm would be the first to go, but a wholesale “fire sale” is not going to happen.”