Duqu Analysis Shows ICS-SCADA Networks Vulnerable

Thursday, December 15, 2011



The European Network and Information Security Agency (ENISA) has released analysis of the Duqu malware and the Trojan's similarities to the infamous Stuxnet virus that is thought to have caused severe damage to Iranian uranium enrichment facilities, setting back the nation's nuclear weapons program by as much as several years.

While Duqu is similar in many respects to Stuxnet, some research teams have concluded that its main purpose is to harvest data, not to affect physical control systems such as those impacted by Stuxnet.

"DuQu is a newly discovered malware variant, dubbed “son of Stuxnet”, due to the strong similarities in their architecture and targets... large sections of the DuQu code are similar to the code of Stuxnet [CrySyS 2011]. A subsequent Symantec report reinforced the similarities in structure and behaviour between DuQu and Stuxnet and suggests that DuQu was written by attackers who had access to the Stuxnet source code or even by the Stuxnet authors themselves [Symantec Security Response 2011]. Moreover, DuQu uses an identical driver to inject the main malware module into the target computer," the ENISA report states.

ENISA notes that Duqu was employed in a set of highly targeted attacks aimed at a handful of entities who possessed specific kinds of sensitive information, part of a trend that is increasingly threatening valuable intellectual property and systems that govern critical infrastructure.

"Targeted attacks on critical infrastructures pose a high risk to society: an important difference in Industrial Control Systems (ICS) malware is the ability to intervene in physical processes, for example (as in the case of Stuxnet), increasing the speed of a centrifuge in a uranium enrichment plant," ENISA reports.

The study includes a warning that Europe's industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks are ill prepared to cope with similar threats.

ICS-SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants.

"Europe’s critical infrastructures are still not sufficiently prepared for attacks like DuQu. In particular, Europe lacks specific initiatives and policies to address ICS security. There are no commonly adopted ICS security standards, guidelines or regulations, corporate management is not sufficiently involved, and there are numerous technical vulnerabilities," the report states.

The study alludes to a pending report from ENISA with a focus on ICS-SCADA security that is expected to be published late this year or early in Q1 of 2012. The report will call for several actions to be taken to bolster network security at critical facilities.

"The study proposes seven major recommendations for securing ICS, which call for the development of pan-European and national ICS strategies, preparation of good practices, security plan templates, awareness raising, test beds/maturity frameworks as well as ICS CERTs and fostering research," the report explains.

One of the main challenges in protecting these networks is the fact that these systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.

Given that the systems governing critical infrastructure in the United States are more or less the same as those of their European counterparts, American stakeholders should take note of this ENISA study and the pending report on mitigation recommendations.

Download the full Duqu report from ENISA here:

Source: http://www.enisa.europa.eu/media/news-items/duqu-analysis/view
