Possible Stuxnet Defense Developed

May 21, 2013

Posted in: Network Security Trends

Researchers at North Carolina State University (NCSU) have developed an innovative way of protecting networked control systems from cyber attack – raising the possibility of a defense against Stuxnet-type sabotage.

A release from NCSU (http://news.ncsu.edu/releases/wms-chow-dncs/) said Dr. Mo-Yuen Chow and PhD student Wente Zeng had created an algorithm that detects and isolates cyber attacks on systems of the kind used to coordinate transport, power and other infrastructure. Because they often rely on wireless or Internet connections, these systems are vulnerable to cyber attacks such as Stuxnet – the worm that affected Iran’s uranium enrichment program in 2009 and 2010.

The NCSU software detects when an individual agent in a distributed network control system has been compromised and isolates it, “protecting the rest of the system and allowing it to continue functioning normally,” the release said.

“We have demonstrated that the system works, and are now moving forward with additional testing under various cyber attack scenarios to optimize the algorithm’s detection rate and system performance,” the release quoted Zeng as saying.

Richard Stiennon, an analyst at IT-Harvest, said the paper in which Chow and Zeng described their work used non-industry standard nomenclature, “so some assumptions have to be made.” “Industrial control systems are comprised of sensors, drivers, and data collection points as well as command and control software such as Siemens Step7,” he said. “I am not aware of architectures that are comprised of independent autonomous nodes. Reading between the lines this appears to be a behavior-based algorithm, which is new. Most SCADA (supervisory control and data acquisition) security solutions are based on signature and protocol enforcement.”

The Stuxnet attack, widely believed to have been a US/Israeli collaboration, infected computers connected to SCADA industrial control systems at the Iranian plant and caused centrifuges to speed up and slow down randomly, leading to their failure. Would the Iranians be wishing they had installed something like this years ago?

“The infected controllers in the Stuxnet incident would probably not have been detected by this technique,” Stiennon said. “The controllers that directed speed changes to centrifuges explicitly acted normally to avoid detection. They did not talk to each other at all and they did not have a beaconing or ‘phone-home’ component that would most likely be the surest way of behavior anomaly detection.”

He said operators of control systems would be better served by enforcing protocol policies and ensuring good network separation.

Chow told SecurityBistro that he and his fellow-researchers did not know if their software would have been effective in defending against the Stuxnet attack. “Our algorithm is in the basic research stage and focuses on distributed control systems,” he said. “The (Iranian) nuclear plant, which is a much more complex system that we are not familiar with, may belong to a different class of system.”

Chow said the algorithm had so far been demonstrated in simulation on networked mobile robot systems. “We will soon validate it on an actual networked mobile robot system in our lab, and will also validate it on simulated smart grids. I’m not sure at this stage when the software will become commercially available.”