Stuxnet, Flame, Duqu Less Dangerous than Conventional Attacks

Thursday, June 21, 2012



While many in the security sector have been consumed with analysis and conjecture regarding emerging details on a series of designer malware threats that target Industrial Control Systems, security provider Stonesoft advises attention not be diverted from protecting against less sophisticated attack methods.

ICS networks, which include supervisory control and data acquisition (SCADA) systems, administer operations for critical infrastructure and production including manufacturing facilities, refineries, hydroelectric and nuclear power plants.

The discovery of Stuxnet in 2010, and the subsequent revelations about its counterparts Flame and Duqu have brought critical infrastructure security to the forefront of the public's attention, but Stonesoft warns that the most serious threats to industrial control systems are still the old tried-and-true exploits.

"Despite widespread warnings around Flame, Stuxnet and Duqu viruses, Stonesoft advises organizations relying on SCADA and industrial control system (ICS) networks to be vigilant against conventional network threats. These threats pose a far greater threat to SCADA and ICS network security, and include gaps in security infrastructure, advanced evasion techniques (AETs) and simple denial of service attacks," Stonesoft said in a press release.

Analysis of Flame and Duqu revealed they were designed as intelligence gathering tools rather than as a method of payload delivery like Stuxnet, which targeted Siemens Programmable Logic Controllers (PLCs), and is thought to have caused severe damage to Iranian uranium enrichment facilities.

Still, the greater threat lay in attacks that employ more simple methodologies - like exploiting buffer overflows, weak encryption, and the ubiquitous denial of service attack.

“Our advice to ICS and SCADA network managers is to be informed of new threats like Flame, but be especially vigilant against the more conventional, widely understood threats. In all likelihood, a simple denial-of-service attack has a better chance of wreaking havoc on their network than Stuxnet or Duqu. It’s important they don’t drop the ball as the game advances,” said Olli-Pekka Niemi, Vulnerability Expert at Stonesoft.

One of the main challenges in protecting these critical networks is the fact that the earlier systems were not necessarily designed with cybersecurity in mind. Rather, the security solutions have been layered on in a piecemeal fashion after the networks were operational, leaving ample room for attackers to compromise their functionality.

Stonesoft recommends that SCADA and ICS administrators should concentrate on protecting their networks with the following strategies:

IPS protection.

  • By monitoring all data traffic, and only allowing it into the network if it’s safe, IPS devices keep the network clear of malicious traffic. If the device detects malware attempting to enter the network, it will automatically sever the data connection and prevent network penetration. IPS devices can also facilitate virtual patching, which protects vulnerable servers in between scheduled maintenance windows.

AET detection capabilities.

  • Hackers have always used evasion techniques to skirt IPS protection. Most recently, they have developed advanced evasion techniques (AETs) that combine and modify traditional evasions. The result is that an organization can be re-exposed to old threats as well as susceptible to new ones.

Advanced normalization.

  • Sophisticated threats like AETs and advanced persistent threats (APTs) require advanced security mechanisms – namely normalization. Using advanced normalization, the IPS interprets the data traffic and assembles the packets in the same manner as the end system. This allows the IPS to detect malicious code hidden in the data flow. Normalization is nothing new, but the ability to perform it without sacrificing network performance has traditionally been a challenge. SCADA and ICS networks must ensure traffic normalization is both powerful and realistic in real-world traffic scenarios.  

Software-based security.

  • Most network security solutions deployed in industrial environments are hardware-based, making them difficult, time-consuming and expensive to update. Software-based solutions eliminate these hurdles, eliminate human error and improve security effectiveness.


Possibly Related Articles:
SCADA Attacks Stuxnet Headlines Network Security Infrastructure ICS Industrial Control Systems DUQU Flame
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.