Step 1: Example of Global Virus (Colin)


What: The Stuxnet worm is a virus specifically targeted towards Windows PCs controlling Siemens industrial control systems. It was allegedly developed by the US in collaboration with Israel to attack and cripple Iranian nuclear power facilities. The virus ended up spreading to other intended targets, including energy companies in the US itself.[2]
Who did it happen to? Iranian power facilities and other countries' facilities with Siemens Step 7 control software installed
Where? Allegedly propagated by the US. Infected Iran, Indonesia, India, Azerbaijan, Pakistan, Malaysia, USA, Uzbekistan, Russia, GB, and others.
When? Discovered in June 2010 but confirmed to have propagated up to a year before


Step 2: IT Background - how does it work?

  1. During development of the virus, some reconnaissance would need to have taken place for the developers to find out the structure of the Iranian ICS LAN, which was not connected to the internet. This information, along with forged security certificates generated with stolen CA certificates, was used to develop Stuxnet to behave as desired.
  2. The virus was introduced to the LAN through some kind of removable drive either willingly or unwillingly by someone with access to the internal systems. The virus then spread itself within the LAN through zero-day OS vulnerabilities.
  3. After being introduced to a host system, the virus searches for the presence of antivirus software and executes the appropriate commands to disable or bypass the AV. If it cannot find a way to bypass AV, it will not do anything. Once the AV is no longer a threat, the virus proceeds to search for the presence of Siemens Step 7 control software. If it is not found on the PC, the virus does not do anything.
  4. If the Siemens software is found, indicating the PC is attached to a programmable logic controller that operates ICS's, Stuxnet then sends modified PLC code designed to sabotage the ICS, such as by disabling safety mechanisms that shut off machinery in the event of overheating. This then can cause physical damage to the machinery controlled by the ICS itself.


Step 3: Explain the Impact


The primary stakeholders here are the nations and companies whose infrastructure are afflicted by the Stuxnet worm and the propagators of the virus (allegedly the US government). The afflicted parties are seriously affected by the virus -- if it propagates as designed, Stuxnet can cause serious physical damage to expensive and dangerous equipment. In the case of Iran's systems, which appear to be the primary target of the virus, the worm could destroy power generation systems, which are a critical part of the national infrastructure. An immediate impact of an attack would be the loss of power access to those served by affected power generation facilities. In the longer term, the damage or destruction of such systems represents a significant loss of investment and requires additional capital to replace or repair. There may also be health and safety effects, given that the virus is designed to cripple early warning systems for critical metrics of the systems controlled by infected ICS's. If a nuclear reactor was let to overheat because of suppressed ICS warnings, for example, works could be exposed to radiation. The propagators of the virus also face ramifications in the long run. Any solid confirmation or proof that governments sanctioned the development of the virus would be disastrous diplomatically in terms of their relations with affected nations. Overall, this internet threat has significant consequences and is potentially damaging to all major stakeholders involved.


Step 4: Possible Solutions


Non-technical:
Limit and monitor/audit personnel access to critical infrastructure. Limiting access to only essential personnel for verified, essential purposes decreases the risk of introducing or spreading the virus in the secure environment in the first place by persons with malicious intent. Monitoring and regularly auditing access to the computer systems can also help to catch malicious actions after the fact and determine the source of an infection. Such safeguards also act as a deterrence against any would-be attacker. However, this solution does not do anything to prevent the actual introduction of the virus into the secure environment if the carrier manages to get past the safeguards. For example, a worker whose USB thumb drive was unknowingly infected with the virus prior to accessing the secured infrastructure could unintentionally introduce the virus by simply plugging the device in as a normal part of his/her work.

Technical:
Physically block all nonessential ports, such as USB and serial, and disable access to such ports in the software. This would effectively remove any possible entry point for infection, even if someone manages to infiltrate the secured environment physically. This is very effective in preventing the introduction of the virus, but can also hamper real work by hindering access to tools needed. Completely blocking all ports also blocks legitimate access.

While the non-technical solution primarily concerns preventing intentional malicious access leading to an initial infection occurring, it does not actual prevent such an infection from taking place. Meanwhile, the technical solution completely prevents all external information from entering the system, blocking the virus from infecting the infrastructure but also blocking some legitimate work. Overall, however, it is still the better solution if the primary objective is to prevent any attack from happening as it virtually guarantees that the virus will never make it into the computer environment.


Sources
  1. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
  2. http://rt.com/usa/news/stuxnet-chevron-cyber-virus-348/