PN900 | Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™

Introduction

Description

Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™

Released: 21 July 2010 Updated: 10 August 2010

Multiple credible sources disclosed that in the days and months prior to 14 July 2010 a series of cyber events occurred that took advantage of a previously unknown Windows™ vulnerability and delivered a specially crafted payload of malware that targeted industrial control systems, SCADA/critical infrastructure processes specifically. Technical details and a patch for the Windows vulnerability used during these events have been released by Microsoft in the recently updated Microsoft Security Advisory (2286198) v2.0 dated 2 August 2010. The specific malware, commonly known as W32.Stuxnet, has been analyzed by numerous antivirus vendors and is a known threat Windows®-based systems.

Rockwell Automation recommends that all industrial control system users, regardless of the make or brand of components employed within the system, take necessary steps to safeguard against potential future attacks of this type by implementing good cyber security measures as outlined below.

Background

A Windows™ operating system vulnerability known as the Shortcut Icon Loading Vulnerability (CVE-2010-2568) was confirmed as a means to allow malware commonly known as W32.Stuxnet to load and execute on PCs. The malware has also been confirmed to specifically target Siemens WinCC and PCS-7 SCADA software products. These products are typically used to control critical infrastructure processes that include power generation, power distribution, water/wastewater and other similar applications.

Rockwell Automation continues to closely monitor every aspect of this situation for new information and developments in order to provide our customers with timely and appropriate advice on this matter. Furthermore, we are continuing to work closely with appropriate authorities to review our proactive plans.

Given that industrial applications are known to heavily rely on mission-critical products built on the Windows operating system, Rockwell Automation is issuing guidance for all industrial control system customers. The following measures are intended as additions to a company’s own security policies and can help to reduce associated risk and enhance control system security.

Vulnerability Description

The Shortcut Icon Loading Vulnerability currently uses USB drives as a means of transport to infect a PC, and does not rely on user interaction or the optional AutoPlay feature employed by the Windows operating system for devices that connect to USB ports.

The Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010 details the threat and risk as follows:

What causes the vulnerability?

When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?

An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the target system.

An attacker could also setup a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows attempts to load the icon of the shortcut file, invoking the malicious binary. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).

Rockwell Automation has compiled the following immediate recommendations that include advice from Microsoft, Department of Homeland Security (DHS)/ICS-CERT plus added specific Rockwell Automation recommendations that can help mitigate the threat and simultaneously enhance the security of control systems:

MICROSOFT recommends immediate application of a Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010.

NOTE: Rockwell Automation’s Patch Qualification team has completed an initial and partial qualification of the Microsoft Patch 2286198. See Rockwell Automation’s Immediate Recommendations below for additional information.

DHS/ICS-CERT recommends concerned users immediately implement the following measures:

Mitigations

• Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.
• Caution users of this attack vector and remind them that unknown USB’s should never be plugged into a business or personal computer.

Specific to this Shortcut Icon Loading Vulnerability and the specific W32.Stuxnet virus, malware samples were provided to the antivirus vendor community. Most major antivirus suppliers have already released updated virus definitions to contain and remove the malware.

• ICS-CERT recommends consulting antivirus vendors and to consider scanning systems with current antivirus software.

NOTE: Rockwell Automation software is proactively tested for compatibility with Symantec’s Norton Antivirus software.

DHS/ICS-CERT reminds users to exercise caution when using USB drives. For more information on best practices and removable media, see the ICS-CERT Control Systems Analysis Report "USB Drives Commonly Used As An Attack Vector Against Critical Infrastructure."

www.us-cert.gov/control_systems/pdf/ICS-CERT%20CSAR-USB%20USAGE.pdf

Additional DHS/US-CERT Security Tips for use of caution with USB drives can be found here:

www.us-cert.gov/cas/tips/ST08-001.html

ROCKWELL AUTOMATION recommends concerned customers take the following additional precautions to enhance protection to industrial control systems:

Mitigations

1. Apply the Microsoft Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046.
   
   NOTE: The Rockwell Automation Patch Qualification Team Partially Qualified KB2286198 on 9 August 2010, with Full Qualification on 19 August 2010.
   
   Go to RAid:35530 for more specific information regarding the qualification of this patch.
   
2. Restrict control system access to only those authorized to work with these systems.
3. Make sure that all control system PCs are running end-point protection software (e.g. Antivirus, Anti-malware) and that all signatures are up to date.
4. Make sure that all control system PCs follow a regimented, timely patch management process. Before applying any patch, Rockwell Automation’s recommends customers confirm that the patch has been qualified by the Rockwell Automation Patch Qualification service (www.rockwellautomation.com/security).
5. Where practical, disable all unused USB ports on control system PCs.
6. Consider alternatives to USB drives (e.g. network file transfer) for transferring data files to the control system
7. Discontinue use of any USB drive or similar device if the validity, authenticity, and security of the hardware should come in question.
8. Purchase USB drives from trusted sources.
9. Only use USB drives manufactured by a trusted vendor
10. Format USB drives on a non-mission critical computer that is running up to date end-point protection software (e.g. Antivirus, Anti-malware) prior to connecting the USB drive to any critical industrial control system equipment.
11. Maintain physical security for USB drives, dongles and keys to ensure only authorized users have access and usage rights.
12. Should a failure in physical security policy regarding USB drives be identified, perform step 9 (format USB drive on non-mission critical computer) prior to subsequent connecting to any control system equipment. Seek instructions from supplier of USB dongles and keys prior to any further use on control system equipment.

NOTE: Similar caution with optical media should be employed as with USB drives. Software delivered on CD+/-R, DVD+/-R etc. non-production optical media (e.g. user-generated, "burned" not "pressed" media) is presumed higher risk than production-grade media.

As more information becomes known, Rockwell Automation expects these recommendations will be refined to help further protect control systems from the resulting risk.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security through the use of layered security and defense in depth practices when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at www.rockwellautomation.com/security.

KCS Status