Things are getting more and more bizarre at the communications front. CERTs are stretching their intellect in efforts to avoid frank talk without saying something provably incorrect. A good example is ICS-CERT’s most recent advisory on the Stuxnet malware from Sep 29, 2010 (www.us-cert.gov/control_systems/pdf/ICSA-10-272-01.pdf). Let’s look at it in detail.
1. The advisory refers to two different test settings: One with Siemens WinCC AND Simatic Manager (referred to as “Step7” in the advisory) installed, the other with BOTH software products NOT installed. This test setting is incomplete and inappropriate.
2. What’s missing in the test setting? Correct: A P-L-C. As a matter of fact, both WinCC and Simatic Manager don’t do anything meaningful without a PLC attached. Therefore, it is impossible to make any reasonable statement on how Stuxnet may affect both applications with no PLC to talk to. It’s like analyzing the potential effects of a piece of malware on a printer driver with no printer attached.
3. An appropriate test setting for analyzing the Stuxnet malware would also provide for separate PC systems, one hosting the WinCC SCADA software, the other the Simatic Manager engineering software (= development environment). In real-world environments, both applications are rarely used simultaneously on one machine. Since Stuxnet behaves differently in a WinCC and in a Simatic Manager environment, it is mandatory to set up a lab environment with split systems; otherwise one needlessly restricts the analytic options, and the traffic from the two environments gets mixed together.
4. The advisory fails to mention the fact that an infected installation may interfere with process control if the following conditions are met: a) infected WinCC environment, b) PLC project has data block 890 configured, c) data block 890 exceeds a certain length, d) data block 890 contains the string “hnds” at a certain position. In this case, the compromised DLL will overwrite certain process variables in data block 890. It will do so every five seconds. But on the other hand, this is certainly not observable if no PLC is attached to the WinCC station.
5. The advisory fails to mention the fact that the actual attack routines are embedded in the file s7otbxdx.dll, and that this digital warhead can be defused by simply deleting s7otbxdx.dll and renaming the original DLL from s7otbxsx.dll back to s7otbxdx.dll on a compromised system. Why explain at great length all the funny files that Stuxnet installs and not say how to simply pull the plug by deleting one file?
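A check for the DLL swap just described, as an added example that is not part of the original post: it classifies a directory by whether a s7otbxdx.dll sits beside a renamed original s7otbxsx.dll, and applies the delete-and-rename recovery only when dry_run is switched off. The Step7/WinCC program directory to scan is an assumption the caller supplies; make_demo_dir builds a constructed placeholder pair so the logic can be tried offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ROGUE_NAME = "s7otbxdx.dll"        # the name Stuxnet's replacement DLL takes over
RENAMED_ORIGINAL = "s7otbxsx.dll"  # where it parks the genuine Siemens DLL

def sha256_of(path):
    """Hash a file so the incident record keeps what was removed or restored."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def assess(step7_dir):
    """Classify a directory (assumed: the Step7/WinCC program dir) by the DLL pair.
    'hijacked': both s7otbxdx.dll and s7otbxsx.dll present (compromised layout)
    'single'  : only s7otbxdx.dll present (normal layout, no renamed original)
    'leftover': only s7otbxsx.dll present (rogue already deleted, not restored)
    'absent'  : neither present (wrong directory or no Step7/WinCC install)
    """
    d = Path(step7_dir)
    rogue, original = (d / ROGUE_NAME).is_file(), (d / RENAMED_ORIGINAL).is_file()
    if rogue and original:
        return "hijacked"
    if rogue:
        return "single"
    return "leftover" if original else "absent"

def defuse(step7_dir, dry_run=True):
    """Post's recovery: delete the rogue DLL, then rename the original back.
    Returns the actions taken (only planned when dry_run) with file hashes."""
    d, state, actions = Path(step7_dir), assess(step7_dir), []
    if state == "hijacked":
        actions.append(f"delete {ROGUE_NAME} sha256={sha256_of(d / ROGUE_NAME)}")
        if not dry_run:
            (d / ROGUE_NAME).unlink()
    if state in ("hijacked", "leftover"):
        actions.append(f"rename {RENAMED_ORIGINAL} -> {ROGUE_NAME} "
                       f"sha256={sha256_of(d / RENAMED_ORIGINAL)}")
        if not dry_run:
            shutil.move(str(d / RENAMED_ORIGINAL), str(d / ROGUE_NAME))
    return actions

def make_demo_dir():
    """Constructed sample: two placeholder files standing in for the real DLL pair."""
    demo = Path(tempfile.mkdtemp())
    (demo / ROGUE_NAME).write_bytes(b"placeholder for the rogue DLL")
    (demo / RENAMED_ORIGINAL).write_bytes(b"placeholder for the genuine DLL")
    return demo
```

Run assess first and review the dry-run action list (with the hashes) before calling defuse with dry_run=False on a real host.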
6. The advisory fails to mention the fact that the main attack sequence of Stuxnet is executed not in the Windows environment but on the controllers.
7. The advisory fails to mention the fact that Stuxnet injects rogue ladder logic into PLCs. Even though this has been proven in lab experiments and is undeniable, this fact seems to be treated by some as a daring confession.
8. The advisory fails to mention the fact that the most significant threat posed by Stuxnet is not Stuxnet itself but the possibility that the attack techniques used by Stuxnet, most prominently injecting rogue ladder logic into PLCs, will be copied and will become available in hacker toolkits. The advisory contains zero advice on how to address this threat.
What do we make out of this? Send suggestions to stuxnethelp(at)langner.com.