Stuxnet: what lessons can be learned twelve years on?

Stuxnet computer worm: what is its legacy today? | Stormshield

In 2010, the world discovered Stuxnet. A malware that hit the PLCs in charge of the centrifuges of an Iranian uranium enrichment plant and which highlighted the vulnerability of industrial environments. Since this episode, which came from a small infected USB key, the cyber risk has been extended to the entire industrial world. And more than ten years later, the infrastructures of JBS Foods (agrifood industry) and Colonial Pipeline (energy industry) were victims of cyber attacks and would see their production lines affected for weeks.

Despite the years, the modus operandi of cyber-attackers has evolved, but factories’ industrial control systems remain a prime target. In this article, we decipher the impact that Stuxnet had in 2010. What legacy did this attack leave for the cybercriminals of 2022? What have industrialists learned from it? Some elements of an answer and comparative views.

 

Stuxnet, the nightmare of industrial environments

So what exactly is Stuxnet? In June 2010, the Stuxnet worm was detected on a machine belonging to an employee at the Bushehr nuclear power plant in Iran. The objective of this worm was to reprogram the operation of Siemens industrial PLCs, in order to alter the proper functioning of the centrifuges and thus halt the Iranian nuclear enrichment programme under development.

The worm infected 30,000 IT assets across the country and was later detected in Germany, France, India and Indonesia, increasing the number of compromised assets to 45,000. However, by design, Stuxnet should have been undetectable malware. And for good reason, since it had the ability to analyse the communications sent to the PLCs and to install itself on a host by means of lateral movement. To do this, the cyber-attackers analysed the functioning of OT communication protocols and discovered technological weaknesses related to authentication.  "For their attack, the creators of Stuxnet used the lack of authentication and encryption in the Siemens S7 protocol, as well as the lack of an anti-replay check," explains Marco Genovese, Pre-Sales Engineer and Industrial Environment Expert at Stormshield. This weakness made it clear that these OT protocols should have had a security layer built in. This need for additional security was later implemented in the second version of the protocol called S7 Plus. Unfortunately, many industrial companies still use this protocol in its 2010 version. " Based on the use of a series of Zero-Day vulnerabilities in the Windows OS and targeting the Supervisory Control and Data Acquisition (SCADA) industrial process control system, for many this cyber attack was the first targeted attack to alter the operation of industrial machines in a highly secure environment. At the time, compromising such an industrial control system not connected to the Internet seemed to be an extremely complex task, since in 2010, cyber attacks were mainly targeting IT environments. Stuxnet was the first known attack to target OT environments, bringing with it the realisation that industry could now be the victim itself. Prior to this episode, the complexity of the industrial environment and the difficulty of implementation suggested that attacking this type of target was not an attractive investment.

And to address this complexity, the development of this malware required significant financial and human resources to understand the workings of the Iranian nuclear enrichment programme and Siemens' technological infrastructure. All this work enabled the development of layer after layer of compromise points with the aim of reaching the S7-300 PLC, in charge of the centrifuges' speed controllers, at the end of the chain. For Ilias Sidqui, senior consultant at Wavestone, the complexity of this attack quickly led to its attribution to a state player: "In order to develop this malware, it was necessary to build an identical model by acquiring very expensive industrial equipment, which implied knowledge of the versions of the machines used in Iran. The complexity of all these parameters quickly demonstrated that only one or more states were capable of implementing such means. " Combination of Zero-Day attacks, compromise of an information system using a USB key, lateral movement, usurpation of administrator access, ability to reprogramme the PLC, etc. Without knowing it, this worm laid the foundations for a new complexity in cybercriminality.

The complexity of all these parameters quickly demonstrated that only one or more states were capable of implementing such means.

Ilias Sidqui, Senior Consultant at Wavestone

In fulfilling its main objective, Stuxnet made geopolitical history. "There was clearly a before and after Stuxnet, and NATO allies were not mistaken either when, in July 2016 at the Warsaw summit, they recognised cyberspace as an area of military operations in its own right, in the same way as land, sea or sky," says Fabien Miquet, Product & Solutions Security Officer at Siemens. However, this worm also marked the history of cybersecurity, because of its technological and strategic legacies, which were subsequently reused by the main cyber-attacker groups for decades to come.

 

The multiple legacies of Stuxnet

From the demonstration of the feasibility of such an attack to the innovative nature of the modus operandi, post-Stuxnet cyber-attackers will inevitably have been influenced by this attack. Twelve years after its discovery, the technicality and difficulty of implementation still make it a textbook case. The first in a growing family of malware, it will forever remain the first worm dedicated to compromising industrial control systems.

And, through this demonstration of the penetration and compromise of a highly secure environment, Stuxnet would give rise to vocations and be copied a few months later. While the techniques and attack vectors differ, the objective would remain the same in many of the cyber attacks that would follow around the world: the targeting of industrial PLCs. From Russia to Iran, these malwares would be categorised in a separate family, referred to as "Stuxnet-like". In 2012, Saudi Aramco and RasGas were the victims of a cyber attack attributed to the Iranian state. The innovation compared to Stuxnet lay in the use of ransomware, in this case Shamoon, to paralyse the activity of these industrial companies. In 2013, the control system of the Bowman Dam floodgates in the United States was compromised. According to an investigation by the Wall Street Journal, this attack was a response by the Iranian authorities to Stuxnet. In 2015, the furnaces of a steel mill in Germany were in turn the victims of a cyber attack. Defined by German intelligence as a "Stuxnet-like" attack, the details and implications of the attack were, however, not disclosed. At the same time, Ukraine was also hit by malware, this time targeting the country's electrical installations with the "Black Energy" and "CrashOverride" malware in 2015, and then "Triton" in 2017. These attacks were attributed to the actions of Russian cybercriminal groups, which above all illustrated the evolution of the threat: " Whereas the Black Energy attack demonstrated the possibility of damaging a power plant without any particular knowledge of industrial messages, the Triton attack highlighted the vulnerability of the OT network protection system itself ," explains Marco Genovese.

In parallel to cyber attacks, the Stuxnet modus operandi has also influenced cybersecurity researchers. In 2015, German researchers created another computer worm, dubbed PLC Blaster, capable of targeting the latest generation of Siemens S7 series PLCs, by using part of the Stuxnet modus operandi. And whereas Stuxnet needed a host machine connected to the industrial network, the PLC Blaster malware has the ability to directly infect PLCs from the TCP/IP protocol. Presented during the Black Hat USA conference, this proof of concept demonstrated the vulnerability of industrial environments and the ease with which this worm can spread from one piece of equipment to another.

 

Could the Stuxnet attack still claim victims?

Is an attack like Stuxnet possible in 2022? This is a pertinent question and the answer is unequivocal for Ilias Sidqui: "A Stuxnet-like scenario is still possible in 2022 because the principle remains the same; there have always been, there are and there will always be Zero-Day vulnerabilities that allow cybercriminals to have an offensive advantage. " Marco Genovese considers that an attack is therefore still possible, but not necessarily against the nuclear industry: "Nowadays, it will certainly be more difficult to carry out a Stuxnet-like attack on a nuclear power plant, but the latest actions carried out in Ukraine demonstrate that it is now possible to impact physical energy networks (water, gas, electricity) through a cyber attack. "

It is also important to note that the most recent significant cyber attacks have not used very advanced operating modes. The cyber attacks against Colonial Pipeline and JBS Foods were more like opportunistic acts than premeditated attacks like Stuxnet. Through the use of a leaked password on the dark web for Colonial Pipeline and a known vulnerability in a remote login tool for JBS Foods, the difficulty of penetration and implementation was far less complex than it was for Stuxnet. Because, in fact, the attack surface of industrial companies is increasing. In recent years, this trend has been explained by the adoption of IT/OT convergence in information systems. A boon for cybercriminals. Nowadays, IT environments and traditional office environments are interconnected with industrial OT environments," explains Ilias Sidqui. A gateway that is also used by cybercriminal groups, so there is no longer any need to carry out specific developments or search for Zero-Day vulnerabilities. This is why we are seeing more and more ransomware attacks targeting industrial environments. "Accelerated digitalisation ultimately creates opportunities for everyone: you, me, our customers, and so on, but also for attackers on our increasingly connected systems," adds Fabien Miquet. Far from being an inevitability, we just have to be aware of it, and we have a kind of duty to warn: no digitalisation without cybersecurity! "

So then, how mature is the industrial sector in the face of this threat? A figure from Gartner, which explained that 60% of successful attacks in 2020 were based on the exploitation of known but unpatched vulnerabilities, provides an initial response... In our 2021 barometer on cybersecurity in operational networks, 51% of respondents said they had experienced at least one cyber attack in their operational network. And 27% had already experienced a production stoppage or disruption. Yet, there are many possible ideas for protection solutions. Vulnerability detection, patch management, network segmentation, training, etc. Cybersecurity solutions seem to be facing a challenge of deployment in industrial environments. As Fabien Miquet confirms: "It is indeed a real challenge to secure a factory whose ultimate goal is not to develop its technologies but rather to produce in a stable and sustainable way. And it doesn't matter that these technologies are "insecure by design"; the fact that they have been working for thirty or forty years is still enough for many industrialists today, even though they were not designed to implement cybersecurity. Mentalities definitely do not all evolve at the same speed; it usually depends on the frequency with which cyber attacks occur... In response to these events, Siemens has implemented new security mechanisms in its machines. To achieve this, we have imported best practices from the IT world into the OT world. For example, our PLCs now use the TLS encryption protocol, known and recognised for its robustness. "

 

Thus, unwittingly, the authors of Stuxnet have greatly influenced and pushed forward the complexity of cyber attacks in OT environments. And the convergence of IT/OT environments appears to facilitate the movement of attackers from one environment to another. It will be interesting to observe how OT managers will adapt in the coming years to make technical debt, OT/IT environments, the use of new technologies and cybersecurity coexist. Quite an agenda!

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
To address cyber threats to operational networks (OTs), which are on the rise with the deployment of Industry 4.0 (Cloud, Big Data, 5G, Internet of Things), Stormshield recommends a single, comprehensive approach. The aim is to ensure that networks function properly and that there is business continuity for all players: energy, transport, industry, health, etc., and all other sectors.
Twelve years after Stuxnet, what is the current state of cybersecurity practices in the operational environments of industrial companies? To answer this question, we surveyed more than 200 decision-makers from the industry sector on their expectations and needs regarding the deployment of solutions in operational environments. Read the white paper analysing this 2021 barometer.

About the author

mm
Vincent Nicaise
Industrial Partnership and Ecosystem Manager, Stormshield

With his many years of professional experience, Vincent negotiates the cyber sphere with genuine commercial, marketing and technical gusto. A fan of street art, octopus and cybersecurity (not necessarily in that order), he is responsible for partnerships with the entire cyber-industrial ecosystem. A busy man indeed.