
Implications of the Stuxnet Worm to US Shipping Ports

When talk turns to war, amateurs discuss strategy. Professionals discuss logistics.
- Anonymous

Musings by Borepatch
http://borepatch.blogspot.com
Stuxnet Recap

A new type of computer worm discovered in the summer of 2010

Stuxnet breaks ground in several ways:

- It uses multiple zero-day exploits
- It reprogrammed industrial process control systems from Siemens AG. These are devices used in manufacturing automation
- It is particularly stealthy, using rootkit techniques to hide its presence
- It spreads via multiple vectors before causing damage, and in a controlled manner to avoid generating suspicion (compare with the SLAMMER worm from 2003)

Speculation is that this was created by State actors as a form of Information Warfare, specifically that Israel targeted the Iranian nuclear program.
Why do we think that Stuxnet was State-on-State Information War?
- The Siemens IPC systems are not unusual, but are very expensive and not typically available to the average Black Hat hacker
- Most malware these days is focused on stealing money (e.g. capturing online banking passwords) and not on industrial process control. This is a very unusual target.
- Some analyses of the worm code reveal hints as to its origin, e.g. dates supposedly referencing Iranian dissidents. It is possible, however, that these could have been planted by the worm's creator to direct suspicion at Israel.
- The motive (disabling the Iranian nuclear program) is plausible.
Implications if this is State-on-State Information War

Automated processes are a plausible target, even if they use uncommon hardware/software. "Security By Obscurity" is over.

Air gaps (isolated networks) are no defense: it appears that the Iranian network is isolated from the Internet, and was infected via USB removable filesystems. Note that the US DoD classified network was similarly infected in 2008.

State adversaries can afford to invest millions in programming talent, and take months or possibly years to create highly sophisticated payloads. This is not something that a typical antivirus will defend against.

Impact is likely based on the value of the targeted systems. Some types of systems may be better managed, and harder to subvert.
How do you stop the US 3rd Infantry Division?
- Very few State actors can counter the US military on the field of battle
- But the US military units need ammunition and gasoline
- Slowing the flow of supplies, or getting the wrong supplies sent, will stop the units due to lack of gas and ammunition
- The "teeth" are a very hard target. What about the logistical "tail"?
Port of Wilmington

Two Port of Wilmington top-lifts rigged with slings work in tandem to lower a damaged vehicle onto a flatbed truck for delivery to Camp Lejeune, Sunday, April 10 [2005]. The Port is handling two ships in four days loaded with several hundred vehicles and other equipment returning from service in Operation Iraqi Freedom.
Top 10 Ports in the US

Rank  Port name             Total Tons
  1   South Louisiana      224,187,320
  2   Houston, TX          202,047,327
  3   Newark, NJ           152,377,503
  4   Beaumont, TX          91,697,948
  5   Long Beach, CA        80,066,130
  6   Corpus Christi, TX    78,924,757
  7   New Orleans, LA       78,085,209
  8   Huntington, WV        77,307,514
  9   Port City of Texas    68,282,902
 10   Baton Rouge, LA       57,082,823
Port Automation


Efficiency drives throughput, and the number of Gross Moves per hour is the key metric.

Cost per move is critical for competitiveness.

Specialized software is provided by multiple vendors (e.g. NAVIS) to optimize throughput and minimize cost.

Your typical Black Hat hacker would not have access to these types of systems; a State Actor would.

A Stuxnet-style worm targeting the major Port automation software could cripple a US Military response, if unleashed in the weeks or months prior to a conflict.
How do you defend against a hypothetical threat?

There is no indication that a worm targeting transportation has been created.

Harder targets are more resilient:

- It is more difficult for a worm to penetrate a hardened system
- Worm penetration will be less extensive on a hardened system
- Once triggered, damage is likely less on a hardened system

The easiest way to harden systems is to focus on the COTS portion (e.g. common OS and application layers).

Automated scanning for missing patches, misconfigurations, etc. is a well-understood field, with mature products and well-documented processes.

Rapid gains in hardening result in a typical practice that is much closer to Best Practice.
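As an added illustration (not part of Borepatch's deck, and not any vendor's scanner), the script below shows the kind of check an automated patch and misconfiguration scan performs on the COTS layer of a fleet of terminal hosts. It covers both points the deck makes: it compares installed component versions against a minimum-patch baseline, and it checks configuration settings, including removable-media autorun, since USB media is the air-gap crossing vector the deck describes. The host names, component names, version numbers and setting names are all constructed placeholders; the compliance rate it reports is the "how close to Best Practice" figure a hardening program tracks over time.

```python
"""Baseline audit over a constructed fleet inventory.

Added example, not part of the deck. Host names, component names,
version numbers and setting names are all constructed placeholders.
"""
from dataclasses import dataclass
from collections import Counter

# Constructed baseline: lowest acceptable version per COTS component.
# Placeholder numbers, not real vendor release identifiers.
REQUIRED_MIN_VERSION = {
    "os-build": (6, 1, 7601),
    "terminal-os-app": (2, 4, 0),
}

# Configuration values the baseline requires on every host.
REQUIRED_SETTINGS = {
    "autorun_removable_media": False,   # the USB vector: must be off
    "default_vendor_password_changed": True,
    "local_firewall_enabled": True,
}


@dataclass
class Host:
    name: str
    versions: dict  # component -> "major.minor.patch"
    settings: dict  # setting name -> value


@dataclass
class Finding:
    host: str
    kind: str  # "missing-patch" or "misconfiguration"
    detail: str


def parse_version(text: str) -> tuple:
    """'6.1.7600' -> (6, 1, 7600); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def audit_host(host: Host) -> list:
    """Compare one host against the baseline and return its findings."""
    findings = []
    for component, minimum in REQUIRED_MIN_VERSION.items():
        installed = host.versions.get(component)
        # An absent component is reported as a missing patch, not skipped.
        if installed is None or parse_version(installed) < minimum:
            needed = ".".join(str(n) for n in minimum)
            findings.append(Finding(host.name, "missing-patch",
                                    f"{component}: installed {installed}, need >= {needed}"))
    for key, required in REQUIRED_SETTINGS.items():
        actual = host.settings.get(key)  # an unset value is reported, never assumed safe
        if actual != required:
            findings.append(Finding(host.name, "misconfiguration",
                                    f"{key}={actual!r}, expected {required!r}"))
    return findings


def audit(hosts) -> dict:
    """Map each host name to its list of findings."""
    return {host.name: audit_host(host) for host in hosts}


def compliance_rate(report: dict) -> float:
    """Fraction of hosts with no findings: how close the fleet is to the baseline."""
    clean = sum(1 for findings in report.values() if not findings)
    return clean / len(report) if report else 1.0


def summarize(report: dict) -> dict:
    """Count findings by kind across the fleet."""
    return dict(Counter(f.kind for findings in report.values() for f in findings))


# Constructed inventory of three terminal hosts.
INVENTORY = [
    Host("crane-ctl-01",
         {"os-build": "6.1.7600", "terminal-os-app": "2.4.0"},
         {"autorun_removable_media": True,
          "default_vendor_password_changed": True,
          "local_firewall_enabled": True}),
    Host("gate-kiosk-02",
         {"os-build": "6.1.7601", "terminal-os-app": "2.3.9"},
         {"autorun_removable_media": False,
          "default_vendor_password_changed": False,
          "local_firewall_enabled": True}),
    Host("yard-planner-03",
         {"os-build": "6.1.7601", "terminal-os-app": "2.4.1"},
         {"autorun_removable_media": False,
          "default_vendor_password_changed": True,
          "local_firewall_enabled": True}),
]

if __name__ == "__main__":
    report = audit(INVENTORY)
    for name, findings in report.items():
        for f in findings:
            print(f"{name}: [{f.kind}] {f.detail}")
    print(f"compliant hosts: {compliance_rate(report):.0%}")
    print(summarize(report))
```

The baseline is deliberately a plain dictionary so that it can be regenerated from whatever patch feed or configuration standard a site actually uses; the point of the example is the shape of the check (compare every host to one explicit baseline, report absences rather than ignoring them, and track the compliant fraction), not the placeholder values.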
Advice from the UK's Information Security Chief

GCHQ's director has said that 80 per cent of the government's cyber security vulnerabilities can be solved through good information assurance.

Iain Lobban, the director of the signals intelligence and information security organisation, said if government departments observed basic network security disciplines, such as "keeping patches up to date", combined with the necessary attention to personnel security, their online networks would be much safer.

Source: The Register, 13 October 2010
