Stuxnet Worm
Investigation of the Stuxnet Worm and the Vulnerability of the United
States to Similar Cyber Attacks
Gregory I Hanson
December 1st, 2011
EPD 397
Submitted to: Christine Nicometo
Executive Summary
The number of unique variations of malicious software, or malware, has increased over one hundred fold
between the years 2005 and 2010 to approximately 20 million per year (Morgenstern & Pilz, 2010). As
the number of variations increases, so does the range of targets malware can hit. Specifically, there is
growing concern over malware’s ability to target a nation’s critical infrastructures.
The United States alone has eighteen infrastructures which it deems “essential to the nation’s security,
public health and safety, economic vitality, and way of life” ranging from nuclear, water, and power
management to transportation and communication (Congressional, 2010). These infrastructures use
industrial control systems (ICS) and are managed by programmable logic controllers (PLCs). The PLCs
are just another type of computer, and like computers, they can be targeted by malware (Congressional,
2010).
Most infrastructures, with the notable exception of defense, are privately owned. The Department of
Defense has entire government agencies responsible for its cyber security while privately owned
infrastructures do not. The Aurora Project, conducted in 2009 by the Department of Homeland Security,
showed that ICS within the US used for controlling power generators and grids could be halted by a
cyber-attack, and that these systems are found throughout most - if not all - infrastructures
(Congressional, 2010).
Stuxnet, discovered in 2010, was a targeted attack against Iran’s nuclear program that did just that: it targeted
the PLCs of a particular Siemens supervisory control and data acquisition (SCADA) ICS. Unlike
typical forms of malware, Stuxnet’s initial infections originated from a USB drive and proceeded to spread to
over 100,000 computers without using the internet (Langner, 2011). Stuxnet also had only one target, and
its goal was to cause physical damage (sabotage rather than espionage) by manipulating the PLCs’ operation.
Its code represents an investment of time and resources so large that it can only suggest that a
government was behind the attack (Langner, 2011).
Despite the initial effort that went into the code’s construction, this is a weapon that could easily be
reused and targeted against the United States. Stuxnet’s code can be viewed for free online, and currently
the only way to stop Stuxnet from being reused is to block the methods it used for spreading from
computer to computer. Nothing is available to prevent the way it manipulated PLCs
(Congressional, 2010). As the increasing number of unique forms of malware shows, finding a new way
to spread from computer to computer would be only a small hitch, making the bulk of Stuxnet’s code
reusable without nearly the same amount of initial effort that went into its creation.
Now, with the weapon available for use by virtually anyone, Stuxnet could be doctored to target a specific
facility, or its scope widened to target any number of critical infrastructures within the US for maximum
damage. An attack like this could degrade or stop operation in facilities that deliver water, gas, or power.
The resulting impact would be felt by an entire town or city, with the possibility of cascading effects,
as was the case with the power outages that began in Ohio and spread across the northeastern US and even to
parts of Canada in 2003 (Congressional, 2010).
Industrial control systems use programmable logic controllers which were originally designed without
thought or concern for cyber security (Langner, 2011). In order to prevent an attack against the US, ICS,
such as Siemens’ SCADA software, must be redesigned to include more complex forms of data
encryption when communicating with PLCs, and the PLCs themselves must be redesigned with some
form of antivirus software. Also, until these new systems are available for purchase, facilities using the
out-of-date models must put more effort into preventing contact with infected devices and implement
more advanced forms of virus protection software on site (Congressional, 2010) (Langner, 2011).
Congressional Research Service. (2010, December 9). The Stuxnet Computer Worm: Harbinger
of an Emerging Warfare Capability. Retrieved from Nuclear Threat Initiative website: http://www.nti.org/
Langner, R. (2011, May 23). Stuxnet: Dissecting a Cyberwarfare Weapon. Security and Privacy,
IEEE, 49-51. doi: 10.1109/MSP.2011.67
Morgenstern, M., & Pilz, H. (2010). Useful and useless statistics about viruses and anti-virus
programs. Proceedings of the CARO Workshop,
TABLE OF CONTENTS
1. INTRODUCTION ............................................................................................................................................ 1
2. INVESTIGATION AND ANALYSIS OF STUXNET ..................................................................................... 2
2.1 INVESTIGATION OF HOW STUXNET SPREADS ....................................................................................................... 2
2.1.1 Investigation of Spreader ............................................................................................................................. 2
2.1.2 Investigation of Dropper .............................................................................................................................. 3
2.1.3 Investigation of Malicious Payload ............................................................................................................. 4
2.2 STUXNET VERSUS TYPICAL MALWARE ................................................................................................................ 4
2.2.1 Analysis of the Spread of Infection............................................................................................................... 4
2.2.2 Analysis of Stuxnet’s Code ........................................................................................................................... 5
2.2.3 Analysis of Stuxnet’s Goals .......................................................................................................................... 6
2.3 EVALUATION OF STUXNET’S USE ......................................................................................................................... 7
3. STUXNET’S IMPACTS ON THE UNITED STATES .................................................................................... 8
3.1 INVESTIGATION OF VULNERABILITIES IN US CRITICAL INFRASTRUCTURES TO A SIMILAR ATTACK .................... 8
3.2 EVALUATION OF STUXNET-LIKE ATTACKS ON THE US ..................................................................................... 8
3.3 INVESTIGATION OF PREVENTATIVE METHODS ..................................................................................................... 9
4. CONCLUSION ............................................................................................................................................... 10
REFERENCES ................................................................................................................................................... 12
LIST OF FIGURES & TABLES
Figure 1: Path of Stuxnet Infection. ............................................................................................ 3
Figure 2: Geographic Distribution (%) of Stuxnet Infections by Country. ............................ 5
Figure 3: Typical Stuxnet Infection Pattern. .............................................................................. 5
Table 1: Summary of Key Differences Between Stuxnet and Typical Malware. .................. 10
1. Introduction
In 2005 approximately 360 new types of malicious software, or malware, were discovered each
day, leading to a yearly count of approximately 130,000 new variations (Morgenstern & Pilz,
2010). Each one of these strands is capable of stealing or corrupting data in its own unique
way. By 2010 these figures had increased over one hundred fold. Recorded statistics show that
over 50,000 new variations of malware were introduced on a daily basis and approximately 20
million new strands will have been introduced by the end of the year (Morgenstern & Pilz, 2010).
Personal computer users are reminded of increasing cyber threats every time their anti-virus
software updates, an email from a suspicious sender arrives in their inbox, or a popup box
appears unexpectedly within a web browser. However, personal computers, or PCs, are not the
only type of computer present in today’s modern world. Reliance on computers for daily
operation has spread to not only businesses and corporations, but also nationwide infrastructures
such as electrical power generation, water distribution, defense, transportation, and
communication (Congressional, 2010).
Corporations and businesses are already subject to various cyber-attacks, as demonstrated by the
well-publicized hacks by the group known as Anonymous against companies such as Sony, VISA, and
the security firm HBGary (Bright, 2011), but what about a nation’s infrastructures? As they
become increasingly dependent on computers, are these infrastructures not also susceptible to the
same cyber threats? An attack on any single infrastructure could result in ripple effects felt across
the entire nation. In fact, with the exception of defense, most of these critical infrastructures are
privately owned companies and are therefore responsible for maintaining their own security (Derene,
2009).
These critical infrastructures perform their operations using Industrial Control Systems (ICS).
ICS monitor and control the machinery necessary for the completion of industrial processes by
reading in data and measurements and then deciding how to adjust the system in order to
continue performance. Processes include, but are not limited to, nuclear plant management,
electrical power generation, water distribution, waste control, oil and gas refinement, chemical
production, and transportation (Congressional, 2010). ICS are computer controlled and, just like
PCs, are vulnerable to cyber-attacks (Derene, 2009).
The United States is increasingly concerned about the likelihood of this type of threat because of the
political ramifications and widespread impacts such an attack would have (Congressional, 2010).
In 2009 the Department of Homeland Security conducted an experiment dubbed the Aurora
Project to determine the vulnerabilities of industrial control systems used to control power
generators and grids. The experiment, which proved that a cyber-attack could successfully cause
operations of a power generator’s control system to cease, shows that these vulnerabilities are
present in the United States and across multiple critical infrastructures (Congressional, 2010).
Stuxnet, discovered in July 2010, was a piece of malware that exploited this vulnerability.
Stuxnet was a targeted cyber-attack whose goal was to cause physical damage to its target, in
this case Iran. The Department of Homeland Security’s Acting Director of the National
Cybersecurity and Communications Integration Center stated during a November 2010 hearing
that Stuxnet was an unprecedented “coordinated effort of information technology vulnerabilities
and industrial control exploitation completely wrapped up in one unique package,” and his
closing remarks contain the best description of what Stuxnet means to the cyber-security
world: “game-changer” (Congressional, 2010).
Stuxnet’s code is available online for anyone to view, manipulate, and use for their own
purposes. Therefore it could be reused or rewritten to carry out a similar attack on American soil.
The investigation of the Stuxnet incident will reveal how Stuxnet was able to target a specific
installation with the intent to cause physical damage. Additionally the investigation will show
how this incident differs from other malware and why it is important to explore the
vulnerabilities that it exploited. Following the investigation, this report will analyze how similar
Stuxnet-like attacks could be focused on critical infrastructures in the United States, what kind of
impact such attacks would have, and how to prevent them.
2. Investigation and Analysis of Stuxnet
Stuxnet was discovered in July 2010 and has since been a heated topic of discussion. After it
spread to 100,000 computers across over 11 different countries and escaped detection for
over a year, experts raced to analyze the code of this elusive computer worm (Falliere et al.,
2011). During this analysis, experts came to realize that Stuxnet differed greatly from other
forms of malware, most notably in terms of function and purpose.
2.1 Investigation of How Stuxnet Spreads
The two most common forms of malware are computer worms and computer viruses. A virus
requires some form of action from the computer user to begin the execution of its malicious
code. Worms on the other hand are self-executing, able to burrow their way through a computer
to get to their target, and capable of replicating themselves from computer to computer hundreds
of thousands of times (Congressional, 2010) (Farwell, 2011). While the implementation of these
two fundamentally differs, the outcome, data theft or corruption, remains the same. Stuxnet used
a sophisticated version of worm technology to spread from computer to computer, and its code
can be broken down into three parts: the spreader, dropper, and payload (Langner, 2011). These
parts will be described with respect to Figure 1 which diagrams the various methods in which
Stuxnet spreads.
2.1.1 Investigation of Spreader
Based on data collected by Symantec Security Response, Stuxnet’s initial infection originated
from five different organizations. These organizations were targeted in three waves of attack:
four were targeted in June 2009, one in March 2010, and three in April (Falliere, O Murchu &
Chien, 2011). The source of these initial infections was a simple USB flash drive. Persons,
either knowingly or unknowingly, possessing infected USBs (Figure 1, #1) introduced the
Stuxnet worm to computers by plugging them into a computer workstation. Once connected,
Stuxnet gains access to privileged portions of the computer through undiscovered vulnerabilities,
essentially unprotected paths or doors into the computer’s operating system (Falliere et al.,
2011). Once inside, a piece of code known as a rootkit masks the installation of the worm’s
infection and prevents further detection of its activities (Sparks & Butler, 2005).
Once a computer has become infected, the spreader attempts to spread to other computers using
four different methods. First, if the infected computer is running Siemens supervisory control
and data acquisition (SCADA) systems, a type of industrial control system (ICS), Stuxnet will
spread to other computers through the database that comes with the SCADA software using
hardcoded passwords (Falliere et al., 2011). Second, it will attempt to spread to other computers
via a local area network (LAN) connection and shared network drives (Figure 1, #2). Another
vulnerability involving a LAN allowed Stuxnet to spread to other computers through shared
printers (Figure 1, #5). Lastly, Stuxnet also has the ability to infect removable drives, such as
USBs, that it comes into contact with (Figure 1, #4) (Falliere et al., 2011). These methods give
Stuxnet the ability to spread throughout local computers and networks even though they are not
connected to the internet. Additionally, if during this replication process the computer is
connected to the internet, Stuxnet can receive updates from automated servers (Figure 1, #3) set
up in Malaysia and Denmark by the attackers. Also, if during the spread process Stuxnet
encounters a computer with a newer version of Stuxnet, it will update itself.
2.1.2 Investigation of Dropper
The spreader, as described in the previous section, attempts to infect as many computers as
possible. However, the dropper portion goes through a digital identification process on each of
the computers it has infected to determine whether or not to drop the malicious payload portion
of Stuxnet (Langner, 2011). The dropper searches for Siemens programmable logic controllers
(PLCs) (Figure 1, #6). These PLCs control the function of devices such as pumps, valves,
motors, etc. which execute, control, and monitor a process in an ICS. The dropper checks model
numbers and configuration details, and even goes as far as to download code from the controller, in
order to verify that the controller has the desired digital fingerprint and controls the desired
device (Figure 1, #7) before dropping the malicious payload (Langner, 2011).
Figure 1: Path of Stuxnet Infection. Stuxnet infection begins with a
USB device (1) and then propagates to other computers that share a
LAN connection (2) or a common shared printer (5), and by infecting
USBs (4). Once a computer with Siemens SCADA software is found, it
looks for a specific PLC (6) which controls centrifuges (7). Also,
infected computers connected to the internet can receive Stuxnet updates
from an update server (3) (edited from Riley & Vance, 2011).
2.1.3 Investigation of Malicious Payload
Stuxnet contained malicious code for three different types of controllers, each of a different level
of complexity (Langner, 2011). Once the identification criteria have been met, the dropper
injects the corresponding malicious code into the controller, authenticating its actions using
legitimate passwords. This code runs stealthily alongside the original PLC code, monitoring the
information being relayed, and takes over occasionally after being triggered by a combination of
timer- and condition-based interrupts. For the two simplest controllers, when the Stuxnet code
took over it would halt code execution for as long as 50 minutes. For the more complex
controller, the original code continues execution but is isolated from the actual input/output
occurring on the system. Instead, the malicious code feeds the original code with data values
recorded earlier and prevents it from gathering the incoming data (Langner, 2011). The injected
malicious code also has a rootkit similar to that used in the spreader. This rootkit hides the
malicious code when the PLC’s code is viewed and prevents it from accidentally getting
overwritten (Falliere, 2011).
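As an added example (not code from the report or from any of the analyses it cites), the following out-of-band monitor implements two checks a defender can run against the payload behaviour described above: a run of process values that exactly repeats an earlier run (the controller logic being fed recorded data), and sustained divergence between what the PLC logic sees and an independent sensor on the same quantity. The sample series, the tolerance and the run lengths are constructed assumptions.

```python
"""Out-of-band plausibility checks for PLC process data.

Both checks run on a monitor that is independent of the engineering station
and of the PLC's own program, so a rootkit on either cannot edit what the
monitor sees. The sample data below is constructed, not plant measurements.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Replay:
    start: int    # index where the repeated run begins
    source: int   # index of the earlier run it duplicates
    length: int   # number of consecutive identical samples


def find_replay(readings: Sequence[float], min_run: int = 8) -> Optional[Replay]:
    """Return the first run of at least ``min_run`` samples that exactly
    repeats an earlier, non-overlapping run, or None.

    Exact repetition is the signal: genuine sensor noise makes long exact
    repeats vanishingly unlikely, while a replayed recording reproduces the
    earlier samples bit for bit. A flat-lined sensor also trips this check,
    which is a condition worth an alarm in its own right.
    """
    n = len(readings)
    for start in range(min_run, n - min_run + 1):
        for source in range(0, start - min_run + 1):
            length = 0
            while (start + length < n
                   and source + length < start          # keep the two runs disjoint
                   and readings[source + length] == readings[start + length]):
                length += 1
            if length >= min_run:
                return Replay(start=start, source=source, length=length)
    return None


def find_divergence(plc_view: Sequence[float], independent: Sequence[float],
                    tolerance: float, min_samples: int = 3) -> Optional[int]:
    """Return the first index from which the value the PLC logic sees and the
    independent reading disagree by more than ``tolerance`` for
    ``min_samples`` consecutive samples, or None.

    ``min_samples`` absorbs single-sample timing jitter between the two
    readers; ``tolerance`` must exceed the sensors' normal disagreement.
    """
    run = 0
    for i, (seen, real) in enumerate(zip(plc_view, independent)):
        if abs(seen - real) > tolerance:
            run += 1
            if run >= min_samples:
                return i - min_samples + 1
        else:
            run = 0
    return None


def constructed_scenario() -> Tuple[List[float], List[float]]:
    """Constructed sample data. The independent sensor reports a slowly rising
    speed with a small deterministic 'noise' term. The PLC-visible series
    matches it for the first 20 samples and is then fed a recording of those
    same 20 samples while the real value keeps rising."""
    independent = [1000.0 + 0.5 * i + ((i * 7) % 5) * 0.01 for i in range(40)]
    plc_view = independent[:20] + independent[:20]
    return plc_view, independent


def run_checks(plc_view: Sequence[float], independent: Sequence[float]) -> List[str]:
    """Return alarm strings from both checks; an empty list means all clear."""
    alarms: List[str] = []
    replay = find_replay(plc_view)
    if replay is not None:
        alarms.append(f"replay: samples {replay.start}..{replay.start + replay.length - 1} "
                      f"repeat samples {replay.source}..{replay.source + replay.length - 1}")
    div = find_divergence(plc_view, independent, tolerance=1.0)
    if div is not None:
        alarms.append(f"divergence: PLC view departs from independent sensor at sample {div}")
    return alarms


if __name__ == "__main__":
    for line in run_checks(*constructed_scenario()):
        print(line)
```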
2.2 Stuxnet Versus Typical Malware
Combined, Stuxnet’s parts make it a very hazardous and unique piece of malware. It has the
ability to spread to computers that are isolated from internet connections in several different
ways, the rootkits included in its code grant it the ability to move from computer to computer
relatively undetected, and its malicious code was targeted to hit only specific PLCs. It was
unique among other forms of malware in several different ways: how it spread, how its code was
written, and its final goal.
2.2.1 Analysis of the Spread of Infection
One aspect that makes Stuxnet different from other forms of malware is that it was a highly
selective, or targeted, attack. Typical malware will indiscriminately attack any computer it
comes into contact with, and it usually spreads via the internet. Stuxnet had been spreading for over
a year and had reached over 100,000 computers before its discovery in July 2010 (Falliere et al., 2011). While
100,000 is a small number in comparison to the millions of computers other pieces of malware
have infected, Stuxnet spread without the use of the internet. The infection spread on an
international scale to computers in Iran, Indonesia, India, Pakistan, Germany, China, and the
United States (Falliere et al., 2011).
Based on data collected by Symantec, Stuxnet appears to have targeted a specific country:
Iran (Falliere et al., 2011). Figure 2 shows that almost 60% of infections occurred in Iran, with
the next highest concentration of infections located in Indonesia with almost 18% and India with
10%. Due to the constraints built in by its programmers, Stuxnet’s spread was limited to LAN
and USB device propagation. Therefore, the highest concentrations should be where Stuxnet
was originally released. Since Iran has the highest concentration of infections, the five
companies originally targeted must have been in Iran.
Figure 2: Geographic Distribution (%) of Stuxnet Infections by Country. The Stuxnet worm’s goal was to infect computers
with Siemens software installed. However, given the limited ways in which Stuxnet spreads, it is targeted not only by
installed software but also by location. With the high number of infected computers in Iran, it is safe to assume that Iran was the
intended target of the attack (Falliere et al., 2011).
Also, Stuxnet’s spreader had several failsafes built into it. Figure 3 is a plot of the data collected
by Symantec for one of the targeted companies, showing how Stuxnet spreads out after an
infection. The spread occurs primarily in a linear pattern with a limited number of branches. The
reasoning behind this pattern is that each Stuxnet infection had a built-in maximum number of
replications: after replicating itself three times, Stuxnet removes itself from the infected device.
Second, each instance of infection only has 21 days to attempt to spread to another computer
(Chen & Abu-Nimeh, 2011). Lastly, Stuxnet also has an expiration date of June 24th, 2012
written into its code (Farwell, 2011). These factors work as a failsafe by preventing Stuxnet from
spreading beyond its original scope and as a means to stop it should it not perform as desired.
These factors also work together to create a stealthier piece of malware: the fewer systems
infected, the lower the likelihood of detection.
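As an added example (not code from the report or from Symantec), this reconstructs an infection chain from per-host records of the kind an incident responder assembles and checks it against the three constraints just described: at most three replications per infected host, a 21-day window per infection, and the June 24th, 2012 stop date. The host records are constructed; the shape summary shows the mostly linear, rarely branching pattern the text attributes to Figure 3.

```python
"""Reconstruct an infection chain from per-host records and test it against
the self-limiting constraints described above (3 replications per host,
21-day window per infection, hard stop on 2012-06-24).

Added example; the records below are constructed, not Symantec's data.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Optional

MAX_REPLICATIONS = 3
WINDOW = timedelta(days=21)
KILL_DATE = date(2012, 6, 24)


class Record(NamedTuple):
    host: str
    parent: Optional[str]   # None when the host was seeded directly (USB)
    when: date              # date the host became infected


def build_tree(records: List[Record]) -> Dict[Optional[str], List[Record]]:
    """Map each parent host (None = seeded) to the records it infected."""
    children: Dict[Optional[str], List[Record]] = defaultdict(list)
    for rec in records:
        children[rec.parent].append(rec)
    return children


def constraint_violations(records: List[Record]) -> List[str]:
    """Describe every record inconsistent with the stated constraints.

    An empty list means the chain could have been produced by a worm obeying
    them; a non-empty list means either the timeline is wrong or the sample
    does not obey the constraints (a modified variant).
    """
    by_host = {rec.host: rec for rec in records}
    children = build_tree(records)
    problems: List[str] = []
    for parent, kids in children.items():
        if parent is not None and len(kids) > MAX_REPLICATIONS:
            problems.append(f"{parent}: {len(kids)} replications exceed cap of {MAX_REPLICATIONS}")
    for rec in records:
        if rec.when > KILL_DATE:
            problems.append(f"{rec.host}: infected after kill date {KILL_DATE}")
        if rec.parent is None:
            continue
        parent = by_host.get(rec.parent)
        if parent is None:
            problems.append(f"{rec.host}: parent {rec.parent} has no record")
        elif not parent.when <= rec.when <= parent.when + WINDOW:
            problems.append(f"{rec.host}: infected outside {rec.parent}'s 21-day window")
    return problems


def shape(records: List[Record]) -> Dict[str, int]:
    """Summarise how the chain branches: total hosts, hosts that infected
    more than one other host, and the length of the longest infection path."""
    children = build_tree(records)

    def depth(host: str) -> int:
        return 1 + max((depth(k.host) for k in children.get(host, [])), default=0)

    return {
        "hosts": len(records),
        "branching_hosts": sum(1 for r in records if len(children.get(r.host, [])) > 1),
        "max_depth": max((depth(seed.host) for seed in children.get(None, [])), default=0),
    }


def constructed_records() -> List[Record]:
    """Constructed chain: one seeded host, one branch point, four hops deep."""
    return [
        Record("WS-A", None, date(2010, 3, 1)),
        Record("WS-B", "WS-A", date(2010, 3, 5)),
        Record("WS-C", "WS-B", date(2010, 3, 10)),
        Record("WS-E", "WS-B", date(2010, 3, 12)),
        Record("WS-D", "WS-C", date(2010, 3, 25)),
    ]


if __name__ == "__main__":
    recs = constructed_records()
    print(shape(recs), constraint_violations(recs))
    late = recs + [Record("WS-F", "WS-C", date(2010, 4, 15))]   # 36 days after WS-C
    print(constraint_violations(late))
```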
2.2.2 Analysis of Stuxnet’s Code
Stuxnet’s code is a patchwork of new and existing worm technology. For example, the use of
USB sticks to spread malware is not a new idea. In 2008, classified documents from the United
States Central Command (CENTCOM) were leaked after an infected USB was connected to a
laptop on their network, and in the years since, the use of USBs for spreading computer worms has
increased to over 25% (Farwell, 2011). However, while Stuxnet’s worm technology may be a
patchwork of existing code, Stuxnet as a whole is very unique and very sophisticated.
Figure 3: Typical Stuxnet Infection Pattern. Each
computer that Stuxnet infects has a limited number
of times that it may duplicate itself and a limited
timeframe in which to do it. The data collected by
Symantec shows that the infection primarily travels
outward linearly and does not branch too often
(edited from Falliere et al., 2011).
For starters, in order for a typical piece of malware to spread effectively, it must find a zero-day
vulnerability. A zero-day vulnerability is an unguarded door or pathway into a computer system
which is currently unknown, so no preventative methods immediately exist to stop
malicious programming from entering the system. Stuxnet, on the other hand, in addition to
using multiple known vulnerabilities, used an unprecedented four zero-day
vulnerabilities to spread from computer to computer: a USB vulnerability, a shared printer
vulnerability, and two privilege-escalation vulnerabilities which granted Stuxnet more privileges
in the computer’s operating system (Falliere et al., 2011).
Going further, the more effective forms of malware will use rootkits to conceal their operations
inside of the operating system. Stuxnet’s rootkit was more sophisticated because, as in the case
of the user-level escalations, two stolen legitimate security certificates (passwords) were used for
authentication during the escalation (Falliere et al., 2011). Also, until Stuxnet the rootkit used
inside PLCs had only been theorized; Stuxnet is the first known piece of malware to
actually implement it (Falliere, 2011).
All of these factors add up to one final major difference between Stuxnet and typical malware:
code size. The combination of the code’s spreader, dropper, and payload (which itself has code for
three different controller types), the number of vulnerabilities it exploited, and the overall
sophistication add up to a lot of code. Stuxnet itself was written in several different
programming languages and was 500 kilobytes (KB) in size. General malware does not exceed
1000 KB, but on average will be approximately 300 KB (Chen & Abu-Nimeh, 2011). This level
of sophistication suggests that there was a team of 5-10 programmers working on Stuxnet for up
to six months. These numbers also do not include non-programming members (i.e.
management), the intelligence gathering at the Natanz facility necessary to implement
the digital fingerprinting process the dropper uses, or the time needed to set up a lab capable of
discreetly testing the worm (Congressional, 2010) (Chen & Abu-Nimeh, 2011).
2.2.3 Analysis of Stuxnet’s Goals
The goal of a typical piece of malware is either data theft or data corruption. Unlike other forms
of computer malware, Stuxnet “did not steal, manipulate, or erase information - its goal was to
physically destroy a military target” (Langner, 2011). As previously stated, Iran was the
intended target of Stuxnet, but its true goal is even narrower than that. The digital
fingerprinting that the dropper performs seeks to identify a specific type of PLC used for
controlling centrifuges. Centrifuges are used to separate and concentrate different isotopes of
uranium. With enough centrifuges, these isotopes can power a nuclear reactor, but with even
more centrifuges, enough isotopes can be collected for use in nuclear weapons (Farwell, 2011).
Once one of the desired PLCs is injected with the malicious code, Stuxnet can control the speed
of the centrifuge motor by regulating how much power is fed into it. Causing the motor to
switch between high and low speeds at intervals it was not designed for can result in the failure
to isolate the desired isotope of uranium and eventually cause physical damage to the centrifuge
itself (Farwell, 2011).
To date, despite Stuxnet having infected over 100,000 computers worldwide, only Iran’s nuclear
enrichment facility in Natanz has had its PLCs infected with the malicious code (Langner,
2011). Natanz is Iran’s leading nuclear enrichment facility and is currently used for collecting
uranium isotopes for use in nuclear reactors. However, the facility has the capability to modify
its processes in order to produce higher levels of enrichment for use in nuclear weapons (Farwell,
2011). This capability suggests that Natanz was a military or political target and
was attacked with the hope of setting back Iran’s nuclear program and the facility’s
development for an undetermined amount of time.
The full extent of the damages done can only be guessed since Iran has not released a complete
statement on the results of the attack. Iran has acknowledged that Stuxnet had infected its
computers at several facilities and that the culprits behind the initial infection had been arrested.
Despite the lack of information from the Iranian government, there are several known facts
worth highlighting. In late 2009 and early 2010, Iran decommissioned 984 centrifuges from the
Natanz facility and in November 2010 enrichment operations completely stopped for one week
(Shankarian, 2011). Also, during 2009-2010, the International Atomic Energy Agency (IAEA)
reported that despite an increase in the number of centrifuges at Natanz, the amount of enriched
uranium produced did not change – suggesting that the facility was producing less optimal levels
of uranium (Shankarian, 2011).
2.3 Evaluation of Stuxnet’s Use
Stuxnet’s targets were the programmable logic controllers (PLCs) controlling Natanz’s
centrifuges, and its goal was to prevent optimal output or to damage the centrifuge motors. The
net result is the delay of Iran’s nuclear program, suggesting the motives behind the attack were
political. In addition, due to the complexity of the resources required to create Stuxnet, the likely
perpetrator behind the attack would have to be a state government and one with advanced cyber
capabilities (Congressional, 2010). To summarize, Stuxnet was a weapon used by one nation to
attack another.
Nations with the required resources and cyber capabilities include the United States, Israel,
United Kingdom, Russia, China, and France (Congressional, 2010). However, since the Stuxnet
attack was politically motivated, Iran suspects that Israel and the US worked together, since those
two countries would have the greatest motivation to delay its nuclear program (Chen &
Abu-Nimeh, 2011).
However, the identities of those behind the attack remain unknown to this day. The only
physical evidence left of the attack is the code itself. Deciphering the code, which was written in
multiple programming languages and by multiple programmers, does not provide any insight
into who was behind the attack. Even the update servers discovered in Malaysia and Denmark
do not necessarily mean that those countries themselves were in any way involved with the attack
(Farwell, 2011). The code does not provide any form of traceable signature as to who wrote
Stuxnet, nor does it point to any geographical location where the code may have originated.
In addition to providing anonymity, this type of attack also reduces the chance of a
retaliatory strike, since one cannot be delivered when the assailant and their origin are not known.
While sending a fighter jet may ensure destruction of its target and cause long-term
damage, there would be loss of life and a jet would be traceable, whereas creating Stuxnet would
cost less than a fighter jet, provide more stealth, and prevent loss of human life (Farwell, 2011).
Through this the perpetrators are able to utilize loopholes in international treaties such as the UN
Charter or the Law of Armed Conflict, since those documents make no mention of, and set no precedent for,
cyber-attacks (Farwell, 2011).
3. Stuxnet’s Impacts on the United States
Regrettably, Natanz is most likely not the last place the world will see Stuxnet. With the
original code available online for free, literally anyone could modify the original code and direct
it in an attack against the United States. The scope of Stuxnet could be widened for maximum
damage, or it could be targeted, as it was in Iran’s case, against any one of the eighteen critical
infrastructures that the US declares “essential to the nation’s security, public health and safety,
economic vitality, and way of life” (Congressional, 2010) (Farwell, 2011). A cyber-attack on
any number of these infrastructures could cause widespread impacts, and preventative methods
must be investigated.
3.1 Investigation of Vulnerabilities in US Critical Infrastructures to a Similar Attack
The only current way to prevent Stuxnet from easily being recycled is by blocking the methods it
used for spreading from computer to computer. Therefore the only roadblock that stands in the
way of a similar attack against the United States is finding a new door or path for the worm to
get in through and spread (Langner, 2011). Current solutions in place prevent the use of the
spreader and dropper portions of the code, but there are no solutions available for stopping the
malicious payload from corrupting the communication that occurs within the programmable
logic controller (Langner, 2011). The payload targets the communication between computer and
controller, which is a necessary product feature of PLCs, and current models of PLCs have no
means of detecting when non-authentic code is loaded or non-authentic communication occurs. Therefore
any critical infrastructure using an ICS, especially one with Siemens supervisory control and data
acquisition systems, is vulnerable to PLC manipulation and corruption (Langner, 2011).
Furthermore, industrial control systems within the United States can be accessed through
multiple means of communication. Stuxnet's main means of infection was local area network
(LAN) connections. In the US, in addition to local computer terminals or remote computers
controlling PLCs over LAN connections, there is a growing trend of using wireless devices
(Congressional, 2010). These wireless devices open the possibility of an initial infection
occurring through the internet and then propagating through the computers connected to the
network.
3.2 Evaluation of a Stuxnet-Like Attack on the US
Stuxnet poses a significant threat to a vulnerable United States. Stuxnet's code is available to
anyone with an internet connection and could be reused with varying amounts of effort.
Computer hackers, foreign intelligence services, organized crime, and terrorists are just a few of
the potential suspects that the US recognizes as persons or groups who may make use of Stuxnet's
code to carry out a cyber-attack against the US (Congressional, 2010).
The Department of Defense (DoD) has long been a target of cyber-attacks. In 2008 the DoD
recorded 54,640 cyber-attacks against its systems, up from 43,880 in 2007 (blah blah). The DoD
has entire agencies responsible for its cyber security, yet in the first six months of 2009
approximately $400 million went towards repairing damage to its networks resulting from
cyber-attacks (Farwell, 2011). Other critical infrastructures do not have the benefit of government
agencies to protect them against cyber-threats, since they are privately owned and responsible
for providing their own security. Thus, if the same concentrated effort were put towards attacking
a privately owned infrastructure, it is safe to assume that the damage would be even greater.
Damage to networks used by critical infrastructures, or the manipulation of PLCs by a Stuxnet-
like attack, could degrade or stop the operation of facilities that deliver water, gas, power, or
communication (Congressional, 2010). Imagine rolling blackouts, water shortages, loss of
communication, or even another Chernobyl, all because the PLCs controlling these operations
were not performing as they should. Also, an isolated attack against one system has the
potential to create a cascading effect on nearby systems and facilities because of their
interdependence. For example, in 2003 safety mechanisms were triggered after power lines came
into contact with trees in Ohio. These safety mechanisms propagated to other generators, and
what began as a power outage in Ohio became a blackout throughout the northeastern United
States and Canada (Congressional, 2010). Thus, even though a critical infrastructure such as
power is owned and managed by numerous different companies, it is still a target for causing
widespread impacts and damage.
Through these types of damage, any number of nefarious goals may be achieved. For instance,
for military purposes a Stuxnet-like attack could be used as a first-strike weapon, covertly
compromising a target before an overt offensive (Chen & Abu-Nimeh, 2011). Such an attack
could also be used to cause political instability and general fear. If a government is unable to
provide security and essential services, the result would be a loss of public confidence and fear
of further attacks (Congressional, 2011). Thus solutions must be investigated and implemented in
these critical infrastructures.
3.3 Investigation of Preventative Methods
Updates to anti-virus software have already been released to block the paths that Stuxnet used to
spread from computer to computer, but Stuxnet exploited a problem in industrial control systems
that could take years to fix. Industrial control systems and the programmable logic controllers
they use were originally designed without thought or concern for cyber security (Langner, 2011).
ICS, such as Siemens' SCADA software, must be redesigned to include more complex forms of
data encryption when communicating with PLCs, providing a means of authenticating the integrity
of the system (Langner, 2011).
Also, as Stuxnet demonstrated, current PLCs have no means of verifying that the code they
contain and execute is authentic. Current PLCs consider code authentic as long as the executing
code is functional and syntactically correct (Langner, 2011). Individual sites should make
efforts to routinely check their PLCs to ensure that no code corruption has taken place.
However, the use of PLC rootkits, like the ones used with Stuxnet, would prevent the malicious
code from being viewed. Thus the PLCs themselves must be redesigned to include some form of
antivirus software.
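The two measures this section calls for, authenticated downloads to the controller and a routine integrity audit of its blocks, as a small simulation. This is an added example written for this page, not code from the paper or from any PLC vendor; the block names, their contents and the shared key are constructed, and the HMAC tag stands in for whatever authentication scheme a redesigned controller would actually use.

```python
import hashlib
import hmac

# Constructed sample program blocks (names follow the Siemens OB/FC block
# convention; the contents are placeholders, not real controller code).
BASELINE = {
    "OB1": b"CALL FC1\nCALL FC2\nBE",
    "FC1": b"L  MW10\nT  MW12\nBE",
    "FC2": b"L  IW0\nT  QW0\nBE",
}
# Hypothetical key shared by the engineering station and the controller.
STATION_KEY = b"constructed-demo-key-not-for-production"


def tag_block(name, code, key=STATION_KEY):
    """Engineering-station side: tag a block so the PLC can authenticate it."""
    return hmac.new(key, name.encode() + b"\0" + code, hashlib.sha256).hexdigest()


class AuthenticatingPLC:
    """Simulated controller that refuses downloads without a valid tag."""

    def __init__(self, key=STATION_KEY):
        self.key = key
        self.blocks = {}

    def download(self, name, code, tag):
        expected = tag_block(name, code, self.key)
        if not hmac.compare_digest(expected, tag):
            return False  # reject: not tagged by a trusted station
        self.blocks[name] = code
        return True

    def dump_blocks(self):
        # Read-back path assumed to bypass the engineering station, since a
        # rootkit there could hand the auditor the original, clean blocks.
        return dict(self.blocks)


def audit(plc, baseline):
    """Names of blocks that are missing, added, or changed versus baseline."""
    h = lambda blocks: {n: hashlib.sha256(c).hexdigest() for n, c in blocks.items()}
    current, expected = h(plc.dump_blocks()), h(baseline)
    return sorted(n for n in set(current) | set(expected)
                  if current.get(n) != expected.get(n))
```

A legacy controller with no tag check corresponds to writing `plc.blocks` directly; the audit then reports the altered block, but only if the read-back does not pass through a station the rootkit controls.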
ICS and PLC redesign would take time to complete, and it could take as long as 20 years for
every computer using current models and software to be updated (Langner, 2011). Until these
new systems are available for purchase and use, facilities using the out-of-date models must put
more effort into preventing contact with infected devices, such as banning the use of external
USB devices, and implement more advanced forms of virus protection software on site
(Congressional, 2010; Langner, 2011).
4. Conclusion
Stuxnet represents a new era of malware. Unlike typical malware - as shown in Table 1 - Stuxnet
was a targeted attack against programmable logic controllers used in industrial control systems,
and its end goal was to cause physical damage to centrifuge motors controlled by PLCs. Also,
its complex code was the result of multiple programmers working in several different
programming languages. This code included exploits for an unprecedented four zero-day
vulnerabilities, which helped Stuxnet spread without the use of the internet, the first known
implementation of a PLC rootkit, and several built-in failsafes for limiting its spread,
including a kill-switch for stopping the code's spread.
The PLCs that Stuxnet targeted were originally designed without forethought for cyber
security. Even though updates to anti-virus software provide solutions for stopping Stuxnet's
ability to spread from computer to computer, nothing is available for stopping another
Stuxnet-like attack from infecting PLCs and manipulating them in the same way. The United
States' Aurora Project proved that vulnerabilities exist within the ICS that manage critical
infrastructures responsible for providing essential services such as defense, communication,
power, and water. Thus Stuxnet, with its code available for free online, could be re-written to
target PLCs within the United States.
                          Stuxnet                          Typical Malware
Targeting                 Extremely selective              Indiscriminate
Target Type               ICS/PLCs                         Computers
Initial Infection Vector  Removable flash drive            Internet/Networks
Exploits                  Four zero-days                   One or less zero-days
Spread Constraints        Several failsafes                None
Goal                      Sabotage: physical damage to     Espionage: data theft
                          centrifuge motors, minimize      or corruption
                          uranium output
Table 1: Summary of Key Differences Between Stuxnet and Typical Malware. This table
summarizes some of the key differences between Stuxnet and typical malware in terms of
functionality and goals (created by author).
In order to prevent such an attack from occurring on US soil, ICS, especially Siemens' SCADA
software, must be redesigned to include more complex forms of data encryption when
communicating with PLCs, and the PLCs themselves must be redesigned with some form of
antivirus software. Only a full recall and a new model would nullify the Stuxnet threat. Until
these new systems are available for purchase, facilities using the out-of-date models must put
more effort into preventing contact with infected devices and implement more advanced forms of
virus protection software on site.
Stuxnet was a game-changer with respect to the newer range of targets malware now possesses, as
well as how and why malware is used. Stuxnet opened the door for malware to no longer target
just a single person or business: now malware can target a nation. The critical infrastructures
within the United States must recognize the broadened scope that malware now has and
implement methods to protect the people who rely on their services.
References
Bright, P. (2011). Anonymous speaks: the inside story of the HBGary hack. Law & Disorder:
Tech Law in the Digital Age. Retrieved from http://www.onneutral.com/
Chen, T. M., & Abu-Nimeh, S. (2011). Lessons from Stuxnet. Computer, 44(4), 91-93.
doi:10.1109/MC.2011.115
Congressional Research Service. (2010, December 9). The Stuxnet Computer Worm: Harbinger
of an Emerging Warfare Capability (Doc No. R41524). Retrieved from Nuclear Threat
Initiative website: http://www.nti.org/
Derene, G. (2009, April). How Vulnerable is U.S. Infrastructure to a Major Cyber Attack.
Popular Mechanics. Retrieved from http://andymars.com/
Falliere, N. (2010, Aug 19). Stuxnet Introduces the First Known Rootkit for Industrial Control
Systems. Symantec Security Response Blog. Retrieved from http://www.symantec.com/
Falliere, N., O Murchu, L., & Chien, E. (2011, February). W32.Stuxnet Dossier Version 1.4.
Symantec Security Response, 1-68. Retrieved from
http://large.stanford.edu/courses/2011/ph241/grayson2/docs/w32_stuxnet_dossier.pdf
Farwell, J. P., & Rohozinski, R. (2011, Jan. 28). Stuxnet and the Future of Cyber War. Survival.
doi:10.1080/00396338.2011.555586
Fidler, D. P. (2011). Was Stuxnet an Act of War? Decoding a Cyberattack. Security and
Privacy, IEEE, 56-59. Retrieved from http://ieeexplore.ieee.org/
Langner, R. (2011, May 23). Stuxnet: Dissecting a Cyberwarfare Weapon. Security and Privacy,
IEEE, 49-51. doi:10.1109/MSP.2011.67
Morgenstern, M., & Pilz, H. (2010). Useful and useless statistics about viruses and anti-virus
programs. Presentation given at CARO 2010 in Helsinki. Presentation retrieved from
http://www.f-secure.com/
Riley, M., & Vance, A. (2011, July 20). Cyber Weapons: The New Arms Race. Bloomberg
Businessweek. Retrieved from http://businessweek.com
Shankarian, P. (2011, April 15). Stuxnet: Cyberwar Revolution in Military Affairs. Small Wars
Journal. Retrieved from http://www.dtic.mil/dtic/
Sparks, S., & Butler, J. (2005, October). “Shadow Walker” – Raising The Bar For Rootkit
Detection. Presentation given at the 2005 Black Hat Briefing in Tokyo, Japan.
Presentation retrieved from http://blackhat.com/