
Oct 11, 2010

Clear and present danger: Open letter to Symantec

Dear Liam O’Murchu,

I have now managed to read your Stuxnet dossier. It’s a solid piece of good technical analysis — except for the summary where you draw dangerously misleading conclusions.

1. You fail to understand that contemporary S7 installations are network connected. The picture of your improvised test equipment tells me that a salesperson was smart enough to sell you an old-style USB-to-MPI adapter, thereby blinding you on the wire. One reason why we were so much quicker in our analysis than you was the simple fact that we could relate debugger breakpoints to decoded wire traffic. Every hacker can — and will — do just that if he wants to figure out how Stuxnet injects code.

2. You fail to understand that the protocol manipulations required for code injection are technically not difficult and cannot be ‘patched’, since they are protocol-conformant. You also seem not to be aware of the fact that anybody who intends to duplicate this part of Stuxnet will find handy tools for free on the Internet.

3. You fail to understand that with the tools mentioned, it is possible to create an attack tool that completely bypasses the vendor’s software and directly attacks PLCs on the network. You fail to understand that in modern installations in the private sector, up to several thousand PLCs per installation are connected to flat networks.

4. You fail to understand that with the basic attack technology copied from Stuxnet, it is even possible to write malicious code that uses PLCs as a launch pad for carried-forward attacks against peer PLCs. You fail to understand that attempts to recover from such attacks require all process network stations to be shut down simultaneously.

5. You fail to understand that potential usage of the attack technology contained in Stuxnet is not limited to APT-style directed attacks with insider knowledge, but can also be used for non-directed attacks in hit-and-run scenarios where the emphasis is on brute-force process disruption, requiring zero insider knowledge.

6. You fail to understand that the hacker underground has been studying control systems for years without any success. You fail to understand that this community will eagerly dismantle Stuxnet as a blueprint for how to cyber-attack installations from the cookie plant next door to power plants.

7. You fail to understand that in typical installations, computer systems with access to the above-mentioned process networks, whether fixed or temporary, cannot be equipped with antivirus software at large scale in the short term.

8. You fail to understand that the threat posed by post-Stuxnet malware affects not only power plants, but also other critical infrastructure sectors, military installations, and the private sector across different industries. You fail to understand that with your outlook, you promote the dangerously misleading expectation of complacent asset owners that something like Stuxnet can’t happen to them if they are not high-value military targets.

Regards,

Ralph Langner
Langner Communications GmbH
Fossredder 12, D-22359 Hamburg, Germany

http://www.langner.com/en

~~~ 1988-2008: 20 Years Langner Communications ~~~