When Stuxnet malware hit the mainstream media in September 2010, it all sounded like a plotline straight from a Tom Clancy thriller. After all, Stuxnet—the first worm ever developed to reprogram industrial systems—was reportedly designed to take aim at Iranian nuclear power stations. More specifically, Stuxnet targeted the Siemens industrial control systems implemented at so-called “high-value infrastructure” installations in Iran.
The media response was appropriately hysterical.
TEC’s managing editor David Clark decided to de-Clancify the affair by going straight to the front lines of defense, at Siemens AG.
Clark interviews Stefan Woronka, Siemens’ director of professional services.
TEC: Please tell me about your role at Siemens.
Woronka: Director, Professional Services—responsible for Industrial IT Security Services within the Industrial Automations Systems Business Unit. We offer consulting and implementation of solutions around industrial IT security. This starts with risk assessments for existing sites and suggesting measures for implementation. We support the implementation and conduct reviews on a regular basis. The reviews are based either on a policy established at the client or an accepted standard.
Could you tell me a little bit about the way in which Stuxnet was first brought to your attention, and about your initial thoughts and reactions?
Our management informed relevant departments, including Industrial IT Security Services. My first thoughts were: “What´s that, I want to know more,” as first information about Stuxnet was not really clear about what the malware was dedicated to. Within hours a team in our organization was activated and actions were defined, such as detailed analysis within our security labs together with Siemens CERT [computer emergency response team] cyber forensics experts.
According to a Kaspersky Lab news item, “Stuxnet is a working—and fearsome—prototype of a cyber weapon, that will lead to the creation of a new arms race in the world.” Is there really something we should all be worrying about, or is this simply a hyperbolic sound bite?
Now, more than three months after the first appearance of Stuxnet in the news, we can state that in none of the cases known to Siemens from the industrial environment was a plant’s control system affected.
Manufacturers of virus scan software have reported massive Stuxnet infections in some countries, with no distinction being made as to whether office PCs or industrial systems are affected. In the four months, a total of 21 Siemens customers worldwide from an industrial environment have reported an infection with the Trojan.
In all cases, Stuxnet exploited security gaps in Windows-based operating systems. The virus could be removed in every case without any adverse effects on plant processes. In none of the cases did Stuxnet influence control software or even attempt to do so. This behavior corresponds to the insights gained from the analysis that Siemens carried out on the virus.
Stuxnet searches systematically for a very specific plant configuration. If it does not find such a configuration, the virus is not activated. But the potential which lies in Stuxnet is something that everyone should take seriously. It was obviously the first attempt at malware for industry or infrastructure applications. And the experts say this may not be the last such attempt. Therefore, operating companies as well as system integrators now should be sensitized and should undertake measures to analyze their security situation.
Security is not buyable as a single product or a technical feature. Security is a steadily ongoing process that links products, people, and processes.
Do you anticipate copycat attempts to replicate some or all of Stuxnet’s capabilities?
Microsoft has issued security patches to close “the Stuxnet gap.” So the Stuxnet case will be finished soon. But as I mentioned, experts say this may not be the last such attempt. So the whole security community, as well as Siemens, is working on concepts and improvements to withstand future attacks.
A hypothetical question: Imagine you were the project manager for the conception and development of Stuxnet. What criticisms would you be leveling at your development team right now? Any lessons learned for the Stuxnet dev team?
If you find the dev team for this, let me know. I also have some questions. I’m working on the opposite side.
Let’s move on now to questions that relate more broadly to IT security concerns for manufacturers. The Siemens white paper Security Concept PCS 7 and WinCC outlines strategies for dealing with the following threats (page 23):
- Denial of service
- Circumvention of specific security mechanisms (such as “Man in the middle”)
- Intentional maloperation through permitted actions (such as password theft)
- Maloperation through non-configured user rights
- Data spying (e.g., of recipes and business secrets or operational plans for plants and their security mechanisms)
- Manipulation of data (e.g., to downplay the importance of alarms)
- Deletion of data (e.g., log files to cover up attack activities)
That’s a lot of worrying, right there. Is there any such thing as a bulletproof IT security approach?
Basically I´d like to point out that
there is no 100% security, and
there is no silver bullet for security threats.
For every defense there is an offense and for every offense there must be a defense.
A solid security solution touches three domains: people, products, and processes. To start with a project, you have to design security into the solution, you have to raise awareness by all people doing the project and later operating the site, and you have to take care of standard operation procedures to cover all relevant aspects. And you have to build your security architecture with several layers of defense. Those layers may also address one of the three above domains.
As you know, cloud computing is being pushed very hard by software vendors with a lot of marketing spend; if I’m to believe their white papers and case studies, manufacturers seem to indeed be moving toward increased cloud adoption. Does cloud computing present inherent security challenges that you’d like to bring to the attention of manufacturers considering such a move?
Cloud computing, like any other IT solution, has general as well as specific risks that need to be analyzed. Once analyzed, measures need to be defined to mitigate the risks.
Security solutions for industry: Are there new or future solutions/features/developments you’d particularly like to highlight?
There are solutions that are becoming more popular within the industrial IT security community, but need to be developed and evaluated further. In my opinion, whitelisting technology and intrusion detection technology will give the opportunity to gain higher levels of security in the future. Also we will see special solutions for industrial IT security that take care of the needs of the operators’ priorities, which lie in availability and integrity (without ranking these two) and lastly in confidentiality.
But these are only products or solutions, which still need to be implemented properly. This is where our organization comes into play. We help our customers implement security solutions, but it does not end with the mere solution. It always comes back to the three domains: people, products, and processes. Setting up a security program and using external knowledge may help to raise the overall level of security.
What advice would you give to IT managers who are perennially trying to dispel the perception of the IT department as an impediment to user productivity (thanks to restrictions on the use of various information media and mobile devices, constrictive rights management, and so on)?
The highest priorities for an operator of a plant lie in integrity and availability, and lastly in confidentiality. It falls upon the IT department to understand the order and then to adjust its measures accordingly. But it also falls upon the operator to understand the need for IT security, and that the IT department can offer support with its expertise. Working jointly together will help both, and give the operation a higher level of security.
Thus within the community we expect a higher degree of security programs coming up.
What top-level advice would you give to a manufacturing organization seeking a comprehensive IT security solution for the first time?
The first questions I ask is: “Do you have a security policy for your operations in place?”
Within that policy the organization should address all relevant topics. For the creation of a policy, manufacturing organizations should start with an assessment of all critical assets. Assessing the risks gives deep insight into what is really critical, and thus needs higher attention. From there, measures will be defined to mitigate those risks. Finally, IT security is not a one-time project. It must be the daily business of everyone.