Dr Richard Piggin MBCS examines the new threat posed by Duqu and Stuxnet, and asks what their relevance is to UK cyber security.

Cyber security is an all-embracing term that means different things to different people. Put succinctly, it is the defence of computer systems against electronic attack. Such attacks range from email scams to state-sponsored disruption of computer-based systems such as the electricity grid, water or transport systems.

The Parliamentary Office for Science and Technology (POST) provides independent analysis of policy issues with a science and technology basis, and has recently produced a briefing entitled, ‘Cyber Security in the UK’ (POSTnote 389, September 2011).

The briefing provides background to recent events and discusses the potential for large scale attacks on national infrastructure, emerging issues and implementing cyber security. Topics covered include responsibility for UK cyber security, types of attacks, and an emphasis upon industrial control systems and the need to improve resilience, security and knowledge in both industry and government.

Shortly after the POSTnote was published, the antivirus firm Symantec released details of a new trojan called Duqu, again aimed at industrial control systems, highlighting the issue of cyber security in the public domain once again.

Ever wondered how malware is named? Some files created by the Duqu Trojan begin with the letters DQ. This is a variant of the Stuxnet worm, which is believed to have been targeted at Iran’s nuclear programme with the aim of disrupting processing by making changes to industrial control systems.

This was a defining moment: Stuxnet was the first virus to target physical infrastructure, as opposed to abstract IT systems. Duqu is both very similar and yet different: in place of a payload that targets control systems, Duqu’s payload contains the means to reconnoitre networks and steal information.

Why is this important to UK cyber security?

Industrial control systems and supervisory control and data acquisition systems (SCADA) are utilised throughout the national infrastructure in water, electricity, gas, petroleum, pipelines and transport. They are ubiquitous in manufacturing and even drive such diverse things as theme park rides, baggage systems and ski lifts.

Industrial control systems (ICS) and SCADA are the building blocks of automated systems where control or monitoring of a process is required; many also have varying degrees of safety-related functionality, from protecting operators, users or customers, to protecting members of the public.

With the ‘just in time’ nature of the economy (for example, 80% of the UK population relies on five supermarket retailers, which hold four days’ worth of stock in their supply chain), the potential disruption from a cyber event could cause significant loss of revenue, reputation and confidence, felt well beyond the national infrastructure.

Damage to affected brands can take years to recover from. The POSTnote highlights that 50 per cent of respondents in a recent survey of security specialists from across industry stated there was a case for improving their cyber defences.

‘Duqu’ provides notice of a future SCADA attack

Duqu targets appear to be European industrial control system vendors, although analysis of new variants of the Trojan continues. Duqu has been hailed by Symantec as the precursor to the next Stuxnet.

The functionality of Duqu shows it to be the intelligence mechanism: it gathers information and discovers vulnerabilities for subsequent analysis and exploit development. After 36 days the Trojan removes itself, providing a high degree of stealth and making identification of affected systems difficult.

Early versions of Stuxnet had similar functionality, fingerprinting configurations of industrial control systems, which were then attacked in a very precise manner, with infected non-matching configurations remaining physically unaffected.

The similarity also extends to the use of identical source code, indicating that the perpetrators are likely to be the same skilled and highly resourced group responsible for Stuxnet. Both pieces of malware provide blueprints for future attacks, although the high level of sophistication limits the number of entities with the resources available to launch such attacks.

Protecting against cyber security threats

Organisations generally manage information risk using Information Assurance (IA) processes based on ISO/IEC 27001 and ISO/IEC 27002 standards originally developed in the UK.

The ISO/IEC 27001/27002 series standards provide a framework for cyber security under the explicit control of management; however, compliance is voluntary. The standards set formal requirements for obtaining certification, and their emphasis encourages ownership of and accountability for security.

The ISO/IEC 27000 standards describe a risk-based management system, specifying the overarching structural requirements that define the information management framework, including how to deploy, monitor and continuously improve the system. As such the framework is flexible, adapting to the requirements of the organisation, because it does not require specific security measures to be implemented.

For more specific technical guidance on ICS and SCADA security, organisations can consider a number of sources. In the UK the Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of Process control and SCADA security good practice guidelines. The foundation of the best practice is three guiding principles:

  • Protect, detect and respond. It is important to be able to detect possible attacks and respond in an appropriate manner in order to minimise the impacts.
  • Defence in depth. No single security measure itself is foolproof as vulnerabilities and weaknesses could be identified at any point in time. In order to reduce these risks, implementing multiple protection measures in series avoids single points of failure.
  • Technical, procedural and managerial protection measures. Technology is insufficient on its own to provide robust protection.
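The three principles above are easier to reason about with a concrete model. The following is an added illustration, not code from the article, CPNI or any vendor: a toy ICS policy in which a network-zone control, a protocol control and an application-level write authorisation are evaluated in series (defence in depth), with a monitor that records rejections and raises an alert when a source keeps failing (detect and respond). All hosts, zones, addresses and rules are constructed for the example; the only real values are the Modbus function codes.

```python
"""Added illustration of defence in depth for an ICS network (not from the
article or CPNI guidance). Hosts, zones and rules below are constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Modbus/TCP function codes (real values): 3 = read holding registers,
# 6 = write single register, 16 = write multiple registers.
READ_FC = {3}
WRITE_FC = {6, 16}


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    function_code: int
    src_zone: str  # zone the packet arrived from, as seen by the firewall


@dataclass
class Policy:
    # Layer 1 (network): which zones may talk to the control zone at all
    allowed_zones: set = field(default_factory=lambda: {"control", "dmz"})
    # Layer 2 (protocol): function codes permitted per source zone
    fc_by_zone: dict = field(default_factory=lambda: {
        "dmz": READ_FC, "control": READ_FC | WRITE_FC})
    # Layer 3 (application): only the engineering workstation may write
    write_authorised: set = field(default_factory=lambda: {"10.0.1.10"})


def layer_network(req, policy):
    return req.src_zone in policy.allowed_zones


def layer_protocol(req, policy):
    return req.function_code in policy.fc_by_zone.get(req.src_zone, set())


def layer_application(req, policy):
    if req.function_code in WRITE_FC:
        return req.src_ip in policy.write_authorised
    return True


# Controls are independent and evaluated in series: each must pass.
LAYERS = [("network", layer_network),
          ("protocol", layer_protocol),
          ("application", layer_application)]


@dataclass
class Monitor:
    """Detect-and-respond layer: count rejections per source, alert above a threshold."""
    threshold: int = 3
    rejections: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)

    def record(self, req, layer):
        self.rejections[req.src_ip] += 1
        if self.rejections[req.src_ip] >= self.threshold:
            # A real response hook (isolate host, page an operator) would go here.
            self.alerts.append(
                f"ALERT {req.src_ip}: {self.rejections[req.src_ip]} rejections, "
                f"last at {layer} layer")


def evaluate(req, policy, monitor):
    """Run the layers in series; the first rejecting layer wins.
    Returns (allowed, name_of_rejecting_layer_or_None)."""
    for name, check in LAYERS:
        if not check(req, policy):
            monitor.record(req, name)
            return False, name
    return True, None


def run_demo():
    policy, monitor = Policy(), Monitor()
    # Constructed traffic: (src_ip, dst_ip, function_code, src_zone)
    traffic = [
        Request("10.0.2.5", "10.0.1.50", 3, "dmz"),           # HMI in the DMZ polling a PLC
        Request("10.0.2.5", "10.0.1.50", 16, "dmz"),          # same HMI attempting a write
        Request("192.168.9.9", "10.0.1.50", 3, "corporate"),  # corporate host reaching into control
        Request("10.0.1.77", "10.0.1.50", 6, "control"),      # unknown host already inside the zone
        Request("10.0.1.10", "10.0.1.50", 16, "control"),     # engineering workstation
        Request("10.0.1.77", "10.0.1.50", 6, "control"),      # repeated attempts from the unknown host
        Request("10.0.1.77", "10.0.1.50", 16, "control"),
    ]
    results = [evaluate(req, policy, monitor) for req in traffic]
    return {"results": results, "alerts": monitor.alerts}


if __name__ == "__main__":
    out = run_demo()
    for r in out["results"]:
        print(r)
    for a in out["alerts"]:
        print(a)
```

The fourth request is the instructive one: a host that has already got inside the control zone passes the network and protocol layers, yet is still stopped by the application layer because it is not the authorised engineering workstation, which is what "in series" buys you. The monitor then turns three such rejections from one source into an alert, which is where a procedural response (an operator checking what that host is) attaches to the technical control.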

Further technical and management standards that will form a framework for UK implementation of industrial cyber security include the work done by the US International Society of Automation (ISA). 

ISA has published the ISA-99 series of standards, which deal with Industrial Automation and Control Systems Security. Collaboration between ISA and IEC is developing a similar series of technical standards under IEC 62443, which will incorporate a management framework that embodies the approach of the ISO/IEC 27000 series.

In an arena of voluntary compliance, those implementing ICS and SCADA security need to keep abreast of technical developments and employ recognised best practice. The absence of regulation in industrial cyber security is regarded as a benefit, since it does not stifle developments in a fast-moving area.

The challenge is to adopt a holistic approach to implementing a range of measures that provide defence in depth, whilst recognising cyber security is a continuous process and contingency planning for inevitable cyber events is crucial.

About the author
Dr Richard Piggin is a Security Sector Manager at Atkins. Richard has an Engineering Doctorate in Industrial Control Systems communications from the University of Warwick and has previously worked for several control system vendors in network, security and safety-related roles. He is a UK expert to several IEC Cyber Security Working Groups involved in producing IEC 62443, covering Industrial Automation and Control Systems Security.