Internet, local area network or very often through some removable device. A network
connection is not necessarily needed for Stuxnet to reach a PLC.
How is this possible? To program a PLC, you must use a computer (usually on the
Windows platform) with an adequate PLC developer's tool. A PLC by itself can operate
even when it is disconnected from the network, once its governing software has been
transferred into its processor's system. Updates still have to be done regularly, either
through network connections or through removable devices, and that is how a PLC's
software can get infected. The interesting thing is that the worm causes minimal harm to
a PC and does great damage only to PLCs that have centrifuges attached to them. This is
feasible because the worm can detect whether a frequency converter is attached to the
PLC as the link between the controller and the rotating part of the industrial machine.
What is also interesting in Stuxnet's case is that it attacks only some sorts of Siemens
PLCs and is suitable for 32-bit Windows only. This is because the majority of the targeted
infrastructures use equipment with those characteristics. It is obvious that some insider
information about the situation within the industrial plants existed before the
development of the Stuxnet worm began. It seems that the Stuxnet project was carefully
and strategically prepared. That is why this cyber warfare operation was so successful.
Stuxnet Invalidates Some Security Assumptions
Stuxnet invalidates several security assumptions. Let us see how! The first such assumption
is that isolated systems are more secure. We were talking about this, but it is definitely not
the case with this worm. Because SCADA systems control mission-critical machinery,
many administrators do not connect these computers to a network, attempting to achieve
security by isolation. As a result, you need to update your system somehow, and you will do
that by transferring files to such machines on removable media. The designers of Stuxnet
exploited this assumption by enabling the worm to spread through memory sticks. That
allows a system to get infected even if it is not connected to the network.
Another key security assumption Stuxnet invalidates is the trust relationship set in place by
digitally signed certificates. In order to provide more stability, modern operating systems,
including Microsoft Windows, limit a computer program's access to system components. A
normal program requests system calls to hardware via driver software. As a result, driver
software has more access to lower-level system components than other programs. To
prevent the easy creation of malicious driver software, Microsoft Windows relies on digitally
signed certificates. In order to prevent detection by anti-virus software, Stuxnet uses
legitimate digitally signed certificates. In other words, the worm takes advantage of the
trust relationship that digitally signed certificates put in place. The computer's platform
will see this malicious software as a trusted application.
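
The point above, that a valid signature tells the platform who signed a driver but not whether that driver belongs on the machine, can be checked on a Windows host by comparing each running driver's signer against a site baseline. The PowerShell below is an added example, not code from the original article; the `$ExpectedSigners` baseline and its entry are placeholder assumptions to be replaced with the publishers your own systems are expected to carry.

```powershell
# Added example (not from the article): report running kernel drivers whose
# signature is valid but whose signer is not in the site's expected baseline.
# ASSUMPTION: $ExpectedSigners holds a constructed placeholder; use your own list.
$ExpectedSigners = @(
    'CN=Example Driver Vendor, O=Example Corp, C=US'   # constructed placeholder
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms; normalise them.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "${env:SystemRoot}\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignerReport {
    param([string[]]$Baseline = $ExpectedSigners)
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if ($drv.State -ne 'Running' -or -not $drv.PathName) { continue }
        $path = Resolve-DriverPath $drv.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $cert    = $sig.SignerCertificate
        $subject = if ($cert) { $cert.Subject } else { '' }

        # A 'Valid' status alone is what the platform trusted in the case
        # described above; the baseline comparison is the additional check.
        $verdict = if ($sig.Status -ne 'Valid') { 'NOT VALIDLY SIGNED' }
                   elseif ($Baseline -contains $subject) { 'expected signer' }
                   else { 'VALID BUT UNEXPECTED SIGNER' }

        [pscustomobject]@{
            Driver     = $drv.Name
            Path       = $path
            Status     = $sig.Status
            Signer     = $subject
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            Verdict    = $verdict
        }
    }
}

Get-DriverSignerReport |
    Where-Object { $_.Verdict -ne 'expected signer' } |
    Sort-Object Verdict, Signer |
    Format-Table Driver, Status, Signer, Verdict -AutoSize
```

With the placeholder baseline every validly signed driver is reported as unexpected, so the first run on a known-good machine is the way to build the real list.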
Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide