SCADA Systems and Stuxnet

May 3, 2011

Supervisory control and data acquisition (SCADA), generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes. Industrial processes include those of manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive, or discrete modes. Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, Wind farms, civil defense siren systems, and large communication systems. And facility processes occur both in public facilities and private ones, including buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption.

SCADA systems have evolved through three generations: Monolithic, Distributed, Networked. In the first generation, “Monolithic”, computing was done by mainframe computers. Networks did not exist at the time SCADA was developed. During the Second generation: “Distributed”, the processing was distributed across multiple stations which were connected through a LAN and they shared information in real time with proprietary protocols. The current generation SCADA systems, “Networked” generation, use open system architecture rather than a vendor-controlled proprietary environment. The SCADA system utilizes open standards and protocols, thus distributing functionality across a WAN rather than a LAN.

For the current generation SCADA system, SonicWALL UTM research team has researched the public protocols and created the following application signatures to monitor and control the SCADA traffic.

  • 773 Modbus — Outbound TCP
  • 774 Modbus — Inbound TCP
  • 6017 ICCP — COTP Connection Request
  • 6018 ICCP — Unauthorized Association Request
  • 6019 ICCP — Unauthorized MMS Write Request Attempt
  • 6029 ICCP — Invalid OSI-SSEL
  • 6034 ICCP — Invalid OSI PSEL
  • 6035 DNP3 — Disable Unsolicited Responses
  • 6036 DNP3 — Unsolicited Response Storm
  • 6037 DNP3 — Cold Restart From Client
  • 6038 DNP3 — Stop Application
  • 6039 DNP3 — Warm Restart
  • 6040 DNP3 — Broadcast Request from Client

From the statistics, we can see the SCADA systems are well distributed in the following countries: 

  Country			Networks	hits  UNITED STATES			2182		15539047  INDIA				486		20317  CANADA				391		389251  TAIWAN, PROVINCE OF CHINA	304		6479034  ITALY				266		150232  UNITED KINGDOM			224		42618  SPAIN				181		6823  BRAZIL				137		22696  TURKEY				123		480351  GERMANY			103		2499369

As the description of the third generation of the SCADA system, more and more open system architecture rather than a vendor-controlled proprietary environment are widely used. Due to the usage of standard protocols and the fact that many networked SCADA systems are accessible from the Internet, the systems are potentially vulnerable to remote cyber-attacks. In particular, the most security issues that researchers are concerned about:

  • the lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks
  • the belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces
  • the belief that SCADA networks are secure because they are physically secured
  • the belief that SCADA networks are secure because they are disconnected from the Internet

For the above concerns, SonicWALL research team has devoted consistent efforts to protect their customers from being attacked by attackers taking use of SCADA related vulnerabilities. For example, the following IPS signatures were developed especially for the SCADA vulnerabilities. There are also more than 100 generic shellcode IPS/GAV signatures that cover the rest of the SCADA attacks in the meantime.

  • 6027 Modbus TCP Illegal Packet Size
  • 5056 CitectSCADA Buffer Overflow Attempt
  • 5951 RealFlex SCADA SCPC_INITIALIZE BO Attempt
  • 5952 RealFlex SCADA SCPC_INITIALIZE_RF BO Attempt

Stuxnet, as one of the SCADA vulnerabilities, is a Windows computer worm discovered in July 2010 that targets industrial software and equipment. The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only SCADA systems that are configured to control and monitor specific industrial processes. Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran. It is said the Iran nuclear program, which uses embargoed Siemens equipment procured clandestinely, has been damaged by Stuxnet.

SonicWALL research team paid attention to the Stuxnet worm when it was first discovered. The GAV signatures detecting Stuxnet worms were first created on July 13th, 2010. The signatures are listed as bellow. Some of them may have retired because those variants have been removed from the affected websites.

  • 5423 Stuxnet
  • 4228 Stuxnet.A_5
  • 3917 Stuxnet.A_4
  • 1601 Stuxnet.A_3
  • 41726 Stuxnet.B
  • 42142 Stuxnet.B_2
  • 41962 Stuxnet.D
  • 41730 Stuxnet.A_2
  • 41728 Stuxnet.A

For the current deployment, we can see the top 10 networks affected by Stuxnet grouped by countries are: 

  Country                         Networks   UNITED STATES                     206   INDIA                              11   BRAZIL                             10   CANADA                              8   UNITED KINGDOM                      3   FRANCE                              2   GERMANY                             2   ICELAND                             2   PHILIPPINES                         2