When the Stuxnet worm that attacks Siemens SIMATIC systems was first discovered and made public, one of the first vulnerabilities found in the software was a hard-coded password. This allowed Stuxnet to steal project information from databases used by Siemens SIMATIC systems. Symantec researchers have since found another vulnerability, which allows Stuxnet to spread via the project files used by the SIMATIC system, known as STEP7 projects. Stuxnet uses a variation of Insecure Library Loading, or "Binary Planting", which made news in late August but has been known about for a long time. What class of vulnerability will be found in the Siemens SIMATIC software next?

These revelations are no surprise to application security experts. Most software is riddled with vulnerabilities of this type that are easy to find and exploit. Industrial control system software is written no more securely than your average Windows productivity application. The recently released CA Veracode State of Software Security, Vol. 2 report, based on over 2900 applications CA Veracode has tested, shows that 51% of the software had vulnerabilities too numerous or too severe for the software to run securely given its business criticality. Our data shows that 2% of commercial software has a potential backdoor, which is the vulnerability category for the hard-coded password found in Siemens SIMATIC. Untrusted search path, which is how we report insecure DLL loading, was the 15th most prevalent vulnerability, making up 1% of all the flaws we detected. These are well-known classes! CA Veracode can detect both of the vulnerability classes found in Siemens SIMATIC to date with our static binary analysis service. We perform this testing service for dozens of software suppliers and software purchasers on any given day.

Here is my message to the owners and operators of critical infrastructure. It is 2010. Sophisticated attackers are going after your software.
They will find the vulnerabilities, exfiltrate your sensitive data and inject themselves into your execution path. But thankfully it is 2010 for defenders too. There is no need to accept insecure software any more. CA Veracode's 3rd Party Risk Management Program can assess all the software you are purchasing. If there is one takeaway from Stuxnet, it is that sophisticated attackers will find the vulnerabilities in your software infrastructure, exploit them, and completely own your facility. Steve Bellovin commented, "I think Stuxnet should settle the debate about the possibility of weaponized software." The Wall Street Journal has reported that Iran has made statements that this has risen to the level of cyberwar.
The acknowledgment of the infiltration at Bushehr followed another revelation over the weekend that an Iranian investigation found that Stuxnet had infected 30,000 machines involved in running industrial control systems, the director of Iran's Information Technology Council of the Industries and Mines Ministry told another Iranian news agency on Saturday. "An electronic war has been launched against Iran," the director, Mahmoud Liaii, said.
We have seen that once attack techniques are widely known to produce the intended effect, they are replicated by sophisticated attackers and trickle down to organized crime and even script kiddies. It is a national security imperative that we secure the software infrastructure that runs our critical infrastructure. We can start now by assessing software before it comes through the door, is placed into production, and becomes a soft underbelly for attackers.
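The untrusted search path class named above, as an added illustration that is not part of the original post and not code from Veracode or Siemens: a small Python model of the legacy Windows DLL search order, showing why a same-named library sitting beside a shared project file is resolved ahead of the system copy, how removing the working directory from the search path changes the result, and a simple audit check that flags the unsafe resolution. The directory and library names are constructed for the example.

```python
import os
import tempfile

# Simplified model of the legacy Windows DLL search order, constructed for
# illustration only; the real loader has more steps and per-process settings.
LIB = "helper.dll"  # hypothetical library the application loads by bare name

def resolve_dll(name, search_dirs):
    """Return the first directory in search_dirs containing `name`, else None."""
    for directory in search_dirs:
        if os.path.isfile(os.path.join(directory, name)):
            return directory
    return None

def legacy_search_order(app_dir, cwd, system_dir):
    # Weak: the working directory (e.g. the folder holding a shared project
    # file) is searched before the system directory, so a same-named file
    # dropped there wins.
    return [app_dir, cwd, system_dir]

def hardened_search_order(app_dir, system_dir):
    # Hardened: the working directory is removed from the search path, which is
    # the effect of SetDllDirectory("") or LoadLibraryEx with the
    # LOAD_LIBRARY_SEARCH_* flags, or of loading by absolute path.
    return [app_dir, system_dir]

def audit(name, search_dirs, trusted_dirs):
    """Flag a library that would resolve outside the trusted directories."""
    where = resolve_dll(name, search_dirs)
    return where is not None and where not in trusted_dirs

def simulate():
    """Plant a same-named file beside a project file and compare both policies."""
    with tempfile.TemporaryDirectory() as root:
        app_dir, system_dir, project_dir = (
            os.path.join(root, d) for d in ("app", "system32", "shared_project"))
        for d in (app_dir, system_dir, project_dir):
            os.makedirs(d)
        for d in (system_dir, project_dir):  # legitimate copy, planted copy
            open(os.path.join(d, LIB), "w").close()
        weak = legacy_search_order(app_dir, project_dir, system_dir)
        hard = hardened_search_order(app_dir, system_dir)
        trusted = {app_dir, system_dir}
        return {
            "legacy": os.path.basename(resolve_dll(LIB, weak)),
            "hardened": os.path.basename(resolve_dll(LIB, hard)),
            "legacy_flagged": audit(LIB, weak, trusted),
            "hardened_flagged": audit(LIB, hard, trusted),
        }
```

Running `simulate()` returns `{'legacy': 'shared_project', 'hardened': 'system32', 'legacy_flagged': True, 'hardened_flagged': False}`: the weak order loads the planted copy and the audit flags it, while the hardened order resolves to the system copy.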