Stuxnet, the potent malware reportedly deployed by the U.S. and Israel to disrupt an Iranian nuclear facility a decade ago, helped change the way that many energy-infrastructure operators think about cybersecurity.
The computer worm drove home the idea that well-resourced hackers could sabotage industrial plant operations, and it marked a new era of state-sponsored cyber-operations against critical infrastructure. Years later, industrial cybersecurity experts are still learning from the destructive potential of Stuxnet’s code and how it was deployed.
While Stuxnet was an extraordinary situation — an intensive operation designed to hinder Iran’s nuclear program — it holds lessons for the wider world in securing industrial equipment that moves machinery.
In a new study to improve security, a researcher at the cybersecurity subsidiary of European planemaker Airbus describes how he designed a program to execute code in a “Stuxnet-type attack” on a programmable logic controller (PLC), the ruggedized computers that monitor and control industrial systems like pumps, circuit breakers and valves.
Familiar tactics, different target
Airbus’s Flavian Dola was able to use one of Stuxnet’s tricks: replace a file running on the PLC with his own malicious code, and then use that to hook together functions in PLC communications to execute the code.
Airbus published Dola’s research this week in a post that has since been taken down. An Airbus spokesperson told CyberScoop that the research was removed because the company is still working with Schneider Electric, the vendor whose product is vulnerable to the hypothetical attack, to assess the findings.
The research, which you can read in full below or in cached form here, will be used for an “advanced security training course” given by Airbus CyberSecurity, the paper says. The subsidiary has 850 employees across Europe and the Middle East that do things like incident response and malware analysis for industrial clients, according to its website. The findings could be a valuable resource for companies trying to defend against the next control-system-focused hack.
Stuxnet compromised two types of PLCs made by Siemens and used at Iran’s Natanz uranium enrichment facility as part of an attack that destroyed an estimated 1,000 centrifuges. For his research, Dola chose a PLC made by another energy-technology giant, Schneider Electric. He injected his code into the PLC to see what he could learn. (Dola had physical access to the PLC, whereas the Stuxnet attackers had to use portable media to get their malware onto an engineering workstation, and eventually, the PLCs at Natanz).
Given the right conditions, “implementing Stuxnet-type attacks on PLCs from other manufacturers is possible,” Dola concluded. Although he conducted his attack on an older version of the Schneider Electric PLC’s software, the PLC itself is still used at industrial facilities.
CyberScoop has requested comment from Schneider Electric on the research.
A common challenge for PLCs
Michael Toecker, an engineer at private firm Context Industrial Security, said the findings underscore broader security shortcomings in PLCs.
“The method used by Siemens and Schneider to program their systems isn’t unique to them,” Toecker told CyberScoop. “Other engineering programs from other vendors use similar methods and are vulnerable to similar attacks.”
“This is why the software supply chain for these programs needs a major overhaul, and the best method of doing this is enforcing code-signing for automation software,” Toecker said, referring to a means of validating that a piece of code is from a vendor and not an attacker.
Dola’s research also alludes to another major cyberattack on an industrial organization: the shutdown of a Saudi petrochemical facility in 2017. That attack used malware known as Trisis or Triton to infiltrate a safety system made by Schneider Electric that allows industrial plants to properly shut down.
Toecker said that Dola’s ability to get the Schneider Electric PLC to accept any new code outside of legitimate software running on the equipment was a tactic that the Trisis attackers also used. “Modern operating systems [such as Android] enforce rules on this code, but PLCs were built prior to this and have not kept pace even as threats increased,” he said.
Reid Wightman, an analyst at industrial cybersecurity company Dragos, echoed that point.
“Lots of PLCs have this issue, where they run compiled logic, and the compiled logic can do way more than the end user or the vendor intend,” Wightman said.
The new report “can help teach people about how PLCs work under the hood,” he added. “Understanding the problem is always the first step towards solving it.”