The Stuxnet worm was designed to target Siemens industrial control systems used in Iran's uranium enrichment centrifuges. It spread to these systems through infected USB drives and exploited multiple Windows vulnerabilities. It then took control of centrifuges and varied their speeds, damaging around 1,000 centrifuges and slowing Iran's nuclear program. While not intended to spread beyond Iran, it ended up infecting systems in other countries as well through file transfers.
3. Cyber-warfare
• The STUXNET worm is computer malware which is specifically designed to target industrial control systems for equipment made by Siemens.
• These systems are used in Iran for uranium enrichment
  – Enriched uranium is required to make a nuclear bomb
• The aim of the worm was to damage or destroy controlled equipment
Stuxnet SCADA attack, 2013
Slide 3
4. What is a worm?
• Malware that can infect a computer-based system and autonomously spread to other systems without user intervention
• Unlike a virus, no need for a carrier or any explicit user actions to spread the worm
5. The target of the worm
6. The STUXNET worm
• Worm designed to affect SCADA systems and PLC controllers for uranium enrichment centrifuges
• Very specific targeting – only aimed at Siemens controllers for this type of equipment
• It can spread to but does not damage other control systems
8. Worm actions
• Takes over operation of the centrifuge from the SCADA controller
• Sends control signals to PLCs managing the equipment
• Causes the spin speed of the centrifuges to vary wildly, very quickly, causing extreme vibrations and consequent damage
• Blocks signals and alarms to control centre from local PLCs
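An added example, not part of the original slides: a defender-side check for the behaviour listed on slide 8, where the speed varies rapidly while alarms to the control centre are blocked. It assumes an independent sensor whose readings do not pass through the PLC/SCADA path; the thresholds, units, field names and telemetry are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed thresholds in arbitrary speed units; a real plant would derive
# these from the equipment's rated operating envelope.
MAX_SLEW_PER_S = 5.0    # fastest speed change treated as normal
MAX_DIVERGENCE = 10.0   # tolerated gap between reported and measured speed

@dataclass
class Sample:
    t: float         # timestamp in seconds
    reported: float  # speed shown to the control centre via the PLC/SCADA path
    measured: float  # speed from an independent sensor (hypothetical)
    alarm: bool      # True if an alarm reached the control centre

def analyse(samples):
    """Return (timestamp, finding) tuples for consecutive sample pairs."""
    findings = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            continue  # skip duplicated or out-of-order readings
        fast = abs(cur.measured - prev.measured) / dt > MAX_SLEW_PER_S
        diverged = abs(cur.measured - cur.reported) > MAX_DIVERGENCE
        if fast:
            findings.append((cur.t, "rapid-speed-change"))
        if diverged:
            findings.append((cur.t, "reported-vs-measured-mismatch"))
        # An abnormal physical state with no alarm at the control centre is
        # the pattern the slide describes: signals and alarms blocked.
        if (fast or diverged) and not cur.alarm:
            findings.append((cur.t, "alarm-missing"))
    return findings

# Constructed telemetry: the reported value stays flat while the
# independently measured speed swings and no alarm is ever raised.
CONSTRUCTED_TRACE = [
    Sample(0, 100.0, 100.0, False),
    Sample(1, 100.0, 100.5, False),
    Sample(2, 100.0, 140.0, False),
    Sample(3, 100.0, 60.0, False),
    Sample(4, 100.0, 100.0, False),
    Sample(5, 100.0, 100.0, False),
]

if __name__ == "__main__":
    for t, finding in analyse(CONSTRUCTED_TRACE):
        print(f"t={t}s {finding}")
```

The check only has value if the independent measurement reaches the analyst over a path the compromised controller cannot alter.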
9. Stuxnet penetration
• Initially targets Windows systems used to configure the SCADA system
• Uses four different vulnerabilities to affect systems
  – Three of these were previously unknown
  – So if it encounters some systems where some vulnerabilities have been fixed, it still has the potential to infect them.
  – Spread can’t be stopped by fixing a single vulnerability
10. Stuxnet technology
• Spreads to Siemens' WinCC/PCS 7 SCADA control software and takes over configuration of the system.
• Uses a vulnerability in the print system to spread from one machine to another
• Uses peer-to-peer transfer – there is no need for systems to be connected to the Internet
11. The myth of the air gap
• Centrifuge control systems were not connected to the internet
• Initial infection thought to be through infected USB drives taken into plant by unwitting system operators
  – Beware of freebies!
12. Damage caused
• It is thought that between 900 and 1000 centrifuges were destroyed by the actions of Stuxnet
• This is about 10% of the total so, if the intention was to destroy all centrifuges, then it was not successful
• Significant slowdown in nuclear enrichment programme because of (a) damage and (b) enrichment shutdown while the worms were cleared from equipment
13. Unproven speculations
• Because of the complexity of the worm, the number of possible vulnerabilities that are exploited, the access to expensive centrifuges and the very specific targeting, it has been suggested that this is an instance of cyberwar by nation states against Iran
15. Unproven speculations
• Because Stuxnet did not only affect computers in nuclear facilities but spread beyond them by transfers of infected PCs, a mistake was made in its development
• There was no intention for the worm to spread beyond Iran
• Other countries with serious infections include India, Indonesia and Azerbaijan
16. Unproven speculations
• The Stuxnet worm is a multipurpose worm and there is a range of versions with different functionality in the wild
• These use the same vulnerabilities to infect systems but they behave in different ways
17.
• One called Duqu has significantly affected computers, especially in Iran. This does not damage equipment but logs keystrokes and sends confidential information to outside servers.
18. Summary
• Stuxnet worm is an early instance of cyberwarfare where SCADA controllers were targeted
• Intended to disrupt Iran’s uranium enrichment capability by varying rotation speeds to damage centrifuges
• Used a range of vulnerabilities to infect systems