IT in Manufacturing


Tofino solutions for industrial data security

September 2012 IT in Manufacturing

Stuxnet is a complex and aggressive computer worm that can infect computers in any control system. While it is critical for Siemens product users to avoid infection, it can negatively impact other products and systems as well.

Preventing the spread of Stuxnet over control networks is key to maintaining safe, reliable and secure industrial systems. The Tofino Industrial Security Solution can mitigate many of the effects of the Stuxnet virus, while also protecting industrial networks against many other methods of accidental or malicious attack.

How Stuxnet spreads

Stuxnet is one of the most complex and carefully engineered worms ever seen. It takes advantage of at least four previously unknown vulnerabilities, has multiple propagation processes and shows considerable sophistication in its exploitation of control systems.

A key challenge in preventing Stuxnet infections is the large variety of techniques it uses for infecting other computers. It has three primary pathways for spreading to new victims:

* Via infected removable USB drives.

* Via LAN communications.

* Via infected project files.

Within these pathways, it takes advantage of seven independent mechanisms to spread to other computers. Stuxnet also has a Peer-to-Peer networking system that automatically updates all installations of the Stuxnet worm in the wild, even if they cannot connect back to the Internet. Finally, it has an Internet-based command and control mechanism that is currently disabled, but could be reactivated in the future.

Many people mistakenly believe that by preventing USB drive infections, the risk from Stuxnet is zero. Unfortunately this is not true. The diversity of attack methods complicates any attempt to control the spread of Stuxnet and requires a ‘Defence-in-Depth’ approach if security is to be effective.

Any security design must include mitigations for all Stuxnet pathways, including USB, network and project file driven infections. This article focuses on preventing network-driven infections, but also provides guidance and suggested reading for dealing with the other pathways.

Preventing USB-driven infections

Stuxnet infects computers via USB drives (even when AutoRun is disabled) via a previously unknown Windows shortcut (ie, *.lnk file) vulnerability. Most analysts assume this is the starting point for new infections, although other mechanisms such as infected laptops, are a strong possibility. For information on mitigating the USB infection pathway, see Byres Application Note AN-118 ‘Stuxnet Mitigation Matrix’.

Preventing network-driven infections

Numerous Stuxnet analysts have commented on how difficult it is to remove the worm from an infected control system. Once it has a foothold, Stuxnet aggressively spreads over local area networks to other computers.

Security experts generally agree that the most effective way to prevent the rapid spreading is to make use of zone-based defences as described in the ANSI/ISA-99.02.01 and IEC-62443 standards. The concept is to break up the network into security zones. Between the zones, industrial firewalls are installed with rules that block the protocols that Stuxnet uses for infection and communications. This way, if a Stuxnet infection does accidentally occur, it is limited to a small number of machines in a single zone.

Dividing the control network into security zones

The first step in Stuxnet prevention is to divide the control system into zones. A zone is simply a grouping of assets that share common security requirements based on factors such as control function, operational requirements and criticality. The simplest solution is to create the following zones based on the ISA-95/Purdue model:

* Safety Integrated System (SIS) zone.

* Basic Control/PLC zone.

* Supervisory/HMI zone.

* Process information/data Historian zone.

* IT network zone.

Security breaches in each of these systems would result in different consequences, so it makes sense to handle each individually. For additional security and reliability, each of these primary zones can be further divided into sub-zones, based on operational function. Increasing the number of zones progressively restricts the spread of Stuxnet to fewer computers, reducing both risk and clean-up costs if an infection were to occur.

Installing Tofino Security Appliances (SAs)

Once zones are defined, the Tofino Industrial Security Solution is used to limit network traffic between zones to only what is needed for the system to operate. Each of the Tofino SAs are customised as needed with software modules, known as loadable security modules (LSMs), and configured by a central server, known as the central management platform (CMP). For Stuxnet control, the following LSMs are recommended:

* Tofino Firewall LSM.

* Tofino Secure Asset Management LSM.

* Tofino OPC Enforcer LSM.

* Tofino Event Logger LSM.

Once the LSMs are loaded, each appliance is configured to prevent the protocols that Stuxnet uses from passing between zones. In particular three protocols need to be managed: Web (HTTP) traffic, Remote Procedure Call (RPC) traffic and MSSQL traffic.

Managing the network traffic

The simplest traffic flows to deal with are the HTTP messages that Stuxnet uses to connect back to its command centre on the Internet. The Tofino Firewall LSM is designed to block all protocols by default, so unless HTTP is specifically needed in the control system, it should be blocked between zones. If HTTP traffic is required (for example to allow IT clients to access a data historian) it should be restricted to only the zone and web server in question and only for inbound access.

Stuxnet makes extensive use of RPC, so controlling this protocol is essential. As noted earlier the Tofino Firewall LSM blocks protocols by default, so if RPC is not required, the Tofino SA can be used with its default settings to prevent Stuxnet RPC traffic between zones.

Unfortunately, it is seldom this simple. RPC is the same protocol that is used for Windows file and printer sharing, Microsoft Event Log, OPC Classic and number of other common services. Thus blocking all RPC traffic may have negative consequences on the industrial process.

To have the least impact on the control system, a mixture of allowed and blocked RPC ports are recommended. All the standard RPC protocol variations are included in the Tofino SA protocol set and can simply be dragged and dropped as needed. First, to prevent Stuxnet from using the network to spread, the NetBIOS Session Service and Server Message Block protocols (Ports 139 and 445) should be either completely blocked or only allowed for very specific servers. This will also prevent file and print sharing between zones, so these rules should be added with care.

Where NetBIOS Session Service and Server Message Block protocols must be allowed, specific rules can be set up to restrict the traffic to the appropriate servers. For example, the Event Log service manages messages that are generated by both programs and the Windows operating system. This service uses the same protocols as Stuxnet, so blocking it completely may not be acceptable. The solution is to restrict these protocols to a designated Event Log Server, for instance a global rule allows RPC to the Event Log Server and all other RPC messages are blocked by default

If OPC Classic traffic is present, then the Tofino OPC Enforcer module must be used to manage the traffic. OPC Classic’s core technologies, namely RPC and DCOM, were designed before security was widely understood. As a result, OPC Classic uses a technology called dynamic port allocation that has made it impossible to secure using conventional IT-style firewalls.

Unlike most other network applications (such as a web server or Modbus TCP slave), OPC servers dynamically assign TCP port numbers to each executable process serving objects to clients. The OPC clients then discover the port numbers associated with a particular object by connecting to the server and asking what TCP port they should use. Because OPC servers are free to use any number between 1024 and 65535, OPC becomes very ‘firewall unfriendly’ ie, configuring the firewall to leave such a wide range of ports open presents a serious security hole and is generally considered unacceptable practice.

The Tofino OPC Enforcer module solves this issue by automatically tracking and managing OPC Classic’s use of dynamic ports using a technique called Deep Packet Inspection. The firewall can be installed into any network carrying OPC DA, HDA or A&E traffic and requires no changes to the existing OPC clients and servers.

Testing the firewall configurations

Because Stuxnet uses many of the same protocols as valid control system applications, special care must be taken to ensure that the firewall rules do not disrupt the industrial process. Tofino offers a test mode of operation, which allows all network traffic to pass but reports any traffic that would have been blocked by the firewall had it been in operational mode. These reports are shown as a firewall exception alarm in the Event View of the Tofino CMP and separately recorded by the Event Logger LSM.

Test mode is ideal for confirming firewall rules without accidentally blocking traffic that should be allowed, and thus impacting plant operations. All Tofino Industrial Security Solution installations should be run in test mode for at least 24 hours before switching to full operational mode.

Detecting Stuxnet infections

Once the Tofino SAs are in place they provide excellent ‘watch-dogs’ to warn if an infection is occurring. Specifically, Stuxnet generates a significant amount of event traffic that can be captured using either the Tofino CMP or the Tofino Event Logger LSM. The attempts of Stuxnet to contact external web servers are particularly good markers.



Credit(s)



Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Development of motor control units for automotive industry
Siemens South Africa IT in Manufacturing
SEDEMAC has adopted the Siemens Xcelerator portfolio of industry software, which is used in the development of its motor control units and engine control units. The motor control units are used in EVs, hybrids, ebikes and power tools, while the engine control units are used for off-road and on-road engines.

Read more...
Cybersecurity and cyber resilience – the integrated components of a robust cyber risk management strategy
IT in Manufacturing
Organisations continuously face numerous cyberthreats in today’s digital landscape, and while many prioritise cybersecurity to safeguard digital assets, their strategies for cyber resilience often become neglected.

Read more...
Sustainable last-mile delivery electric trucks
Siemens South Africa IT in Manufacturing
Workhorse Group, an American technology company focused on pioneering the transition to zero-emission commercial vehicles, has adopted the Siemens Xcelerator portfolio of industrial software as it builds electric trucks for sustainable last-mile delivery.

Read more...
South Africa’s role in the AGI revolution
IT in Manufacturing
AI has found its way into general conversation after the emergence of large language models like ChatGPT. However, the discussion is increasingly turning to the search for Artificial General Intelligence (AGI), which could entirely change the game.

Read more...
Predictive asset performance management with ABB Ability Genix
ABB South Africa IT in Manufacturing
The ABB Ability Genix APM suite is a comprehensive asset management platform powered by AI, IIoT and model-based predictive data analytics. This enables a paradigm shift towards a more proactive and predictive asset management approach.

Read more...
Intelligent automation primed for $47 billion revenue by 2030
IT in Manufacturing
According to GlobalData, the intelligent automation market is set to grow from $18 billion in 2023 to $47 billion in 2030, driven by advancements in AI, particularly the rapid adoption of generative AI.

Read more...
Chocolate manufacturing with Siemens Xcelerator
Siemens South Africa IT in Manufacturing
Freybadi, one of the largest chocolate manufacturers in Indonesia and a trusted supplier of chocolate in the Asia-Pacific, Middle East and African regions, has adopted the Siemens Xcelerator portfolio of industry software to optimise its manufacturing and production processes.

Read more...
A CFO’s guide to unlocking the potential of gen AI
IT in Manufacturing
CFOs of leading global organisations understand that their role extends beyond mere financial oversight; they are pivotal in steering organisation-wide transformation, particularly in the realm of technological advancement.

Read more...
Higher level cybersecurity certification for Schneider Electric
Schneider Electric South Africa IT in Manufacturing
Schneider Electric’s EcoStruxure IT NMC3 platform has obtained a new and higher level of cybersecurity certification, making it the first data centre infrastructure management network card to achieve SL2) designation from IEC.

Read more...
Industrial automation edge AI
Vepac Electronics IT in Manufacturing
Teguar, a leading provider of industrial computer solutions, has announced an innovative partnership with Hailo, an AI chip maker renowned for its high-performance edge AI accelerators. This marks a significant step forward in Teguar’s mission to provide powerful and reliable computing solutions for a wide range of industries.

Read more...