ITC595 Information Security Assignments Solution
Stuxnet is among the most dangerous computer worms known. It was uncovered in 2010 and is widely believed to have been developed by the United States and Israel for use as a cyber-weapon.
The worm mainly targets programmable logic controllers (PLCs), which automate electromechanical processes such as factory assembly lines, amusement rides, or the centrifuges used to separate nuclear material (Karnouskos, 2011).
Security analysts believe that development of Stuxnet began during the Bush administration with the aim of disrupting the Iranian nuclear programme, and that it caused extensive damage. Several enterprise security architecture frameworks have since been proposed that can be applied to mitigate this class of risk (Farwell & Rohozinski, 2011).
What Stuxnet does
Stuxnet was identified by the InfoSec community in 2010, but its development is thought to have begun around 2005. Despite its attack capability and rate of infection, the worm does no harm to computer systems that are not involved in uranium enrichment. When the worm infects a computer it checks whether that computer is connected to specific models of PLCs. If it is, the worm alters the PLC program controlling the uranium centrifuges so that they spin too fast for too long, which damages and destroys the delicate equipment in the process (Jacobson, 2015).
Stuxnet spreads indiscriminately across computer networks, but its payload is aimed at SCADA systems, the systems responsible for programming the PLCs, which it uses to reprogram the controllers (Sanders, 2018).
Stuxnet harms the centrifuges used in uranium enrichment by altering their rotor speed. The sudden speed changes cause distortion and vibration: the worm first alters the centrifuge speed, and the resulting stress then damages the rotors (Broad, Markoff & Sanger, 2011).
The worm acts as a man-in-the-middle between the controller and the physical process: it manipulates the process while the legitimate control code and the operators' displays run on recorded or fabricated sensor values, so the manipulation goes unnoticed until the intended damage is done (Mo, Weerakkody & Sinopoli, 2015).
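The following is an added example, not code from the original page or from the cited paper, illustrating the man-in-the-middle just described and one way to catch it: the physical watermarking idea of Mo, Weerakkody & Sinopoli (2015), in which the controller adds a small secret random signal to each command and checks that the reported measurements still respond to it. Replayed sensor values cannot respond to a watermark chosen after they were recorded. The rotor model, gains, noise levels and attack offset are assumed for illustration.

```python
"""Replay-attack detection with a watermarked control input.

Added example, not code from the original page or the cited paper.
Scalar model of one centrifuge rotor: speed x[k+1] = A*x[k] + B*u[k] + noise.
The controller adds a secret random 'watermark' to every command u[k].
A man-in-the-middle that replays recorded sensor values cannot know the
fresh watermark, so the one-step prediction residual becomes correlated
with it. All constants below are assumed for illustration.
"""
import math
import random
import statistics

A, B = 0.9, 0.5           # assumed rotor dynamics: x[k+1] = A*x[k] + B*u[k]
SETPOINT = 1000.0         # assumed nominal rotor speed (arbitrary units)
K = 0.8                   # assumed proportional gain on the tracking error
WATERMARK_STD = 1.0       # amplitude of the secret excitation
PROCESS_STD = 0.02        # assumed process noise
SENSOR_STD = 0.05         # assumed sensor noise
ATTACK_OFFSET = 100.0     # assumed extra drive the attacker injects


def run(n, replay_from=None, seed=1):
    """Simulate n steps. Returns (reported speeds, commands, watermarks, true speeds).

    With replay_from=t0 the attacker, from step t0 on, feeds the controller the
    sensor trace recorded during steps [0, t0) while over-driving the real rotor,
    which is the man-in-the-middle behaviour described in the text.
    """
    rng = random.Random(seed)
    x = SETPOINT
    reported, commands, marks, true_x = [], [], [], []
    for k in range(n):
        measured = x + rng.gauss(0, SENSOR_STD)
        attacking = replay_from is not None and k >= replay_from
        y = reported[k - replay_from] if attacking else measured
        # the controller only ever sees the reported value y
        u_nominal = ((1 - A) * SETPOINT + K * (SETPOINT - y)) / B
        mark = rng.gauss(0, WATERMARK_STD)
        u = u_nominal + mark
        applied = u + (ATTACK_OFFSET if attacking else 0.0)
        x = A * x + B * applied + rng.gauss(0, PROCESS_STD)
        reported.append(y)
        commands.append(u)
        marks.append(mark)
        true_x.append(x)
    return reported, commands, marks, true_x


def residual_correlation(reported, commands, marks, start, end):
    """Pearson correlation, over steps [start, end), between the residual
    r[k] = y[k] - (A*y[k-1] + B*u[k-1]) and the watermark contained in u[k-1].
    Honest measurements give r ~ noise (correlation near 0); replayed ones give
    r = B*(old watermark - current watermark) + noise (correlation near -0.7)."""
    r = [reported[k] - (A * reported[k - 1] + B * commands[k - 1]) for k in range(start, end)]
    m = [marks[k - 1] for k in range(start, end)]
    mr, mm = statistics.fmean(r), statistics.fmean(m)
    cov = sum((a - mr) * (b - mm) for a, b in zip(r, m))
    var = sum((a - mr) ** 2 for a in r) * sum((b - mm) ** 2 for b in m)
    return cov / math.sqrt(var) if var else 0.0


def detect_replay(reported, commands, marks, window=150, threshold=0.4):
    """First step at which |correlation| over the trailing window exceeds the
    threshold, or None if the trace is consistent with honest sensors."""
    for k in range(window + 1, len(reported) + 1):
        if abs(residual_correlation(reported, commands, marks, k - window, k)) > threshold:
            return k
    return None


if __name__ == "__main__":
    y, u, m, x = run(400, replay_from=200)
    print("alarm at step:", detect_replay(y, u, m))
    print("operator sees %.1f, rotor actually at %.1f" % (y[-1], x[-1]))
```

In the honest run the residual is pure noise and no alarm fires; in the replayed run the operator display stays at the setpoint while the real rotor is driven far above it, and the correlation test raises an alarm within a few dozen steps of the replay starting. The watermark costs a little control performance (the rotor jitters by a fraction of a unit), which is the price of being able to authenticate the physics rather than only the network.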
Stuxnet qualitative analysis
A common feature of Stuxnet, Flame, Duqu and Gauss is that each was active for a long period before its discovery. This stealth is achieved by carefully avoiding the creation of visible anomalies (Walsh, Ye & Bushnell, 2009).
Stuxnet discovery and analysis
Stuxnet is similar to the Duqu worm in design philosophy, mechanism, internal structure and implementation details; the differences between the two stem from their differing objectives. Many analysts believe that Duqu and Stuxnet originated from the same developers. Stuxnet attacks PLCs and harmfully manipulates uranium centrifuges (Walsh, Ye & Bushnell, 2009).
Stuxnet nonetheless generates anomalies within the affected system that can be noticed. Antivirus software did not detect Stuxnet at the time; in my view it can be detected in the following ways.
Stuxnet connects to a command-and-control (C&C) server. If outbound traffic is monitored closely, the regular contact with an unusual external host stands out as a sign of infection, and it must be investigated.
Stuxnet spreads via USB drives. Where a site runs a mix of platforms such as Windows, Linux and BSD, the worm's files on an infected USB drive will not execute on the non-Windows systems; an analyst who notices them there has a sample of the malware to analyse (Grobman & Cerra, 2016).
Honeypots. Stuxnet is particularly serious because it checks the environment it lands in: if a conventional honeypot is used to detect the malware, the malware will ignore it, but a honeypot that employs a new technique the malware cannot recognise will capture it. It is important to note that other malware such as Flame and Duqu spread only when instructed to by their C&C servers (Kenney, 2017).
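As an added example (not from the original page), the following Python script applies the traffic-monitoring idea above to a constructed proxy log: it groups outbound requests by client and destination host and flags pairs whose inter-request gaps are nearly constant, which is how a C&C check-in looks against the bursty timing of ordinary browsing. The log lines, hosts and thresholds are constructed for the example and are not real Stuxnet indicators.

```python
"""Beacon detection over a proxy log (added example, not from the original page).

Groups outbound HTTP requests by (client, destination host) and flags pairs
whose inter-request gaps are almost constant: the periodic check-in of a
C&C client looks very different from the bursty timing of human browsing.
The log lines, hosts and thresholds below are constructed for the example.
"""
import random
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def make_sample_log(seed=7):
    """Constructed proxy log: one beaconing host plus one ordinary browser."""
    rng = random.Random(seed)
    start = datetime(2010, 6, 17, 8, 0, 0)
    lines = []
    t = start                                   # beacon: every 10 min +/- 5 s
    for _ in range(12):
        t += timedelta(seconds=600 + rng.randint(-5, 5))
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 10.0.3.15 www.example-cc.invalid GET /index.php?data=AAAA 200")
    t = start                                   # browsing: irregular gaps
    for _ in range(30):
        t += timedelta(seconds=rng.randint(1, 900))
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} 10.0.3.22 news.example.com GET /story/{rng.randint(1, 999)} 200")
    return sorted(lines)                        # timestamp first, so sorts chronologically


def parse(line):
    """Fields: timestamp client host method path status (constructed format)."""
    ts, client, host, method, path, status = line.split()
    return datetime.strptime(ts, TS_FORMAT), client, host


def find_beacons(lines, min_count=6, max_cv=0.1):
    """Return [(client, host, count, mean_gap_s, cv)] for pairs with at least
    min_count requests whose gap coefficient of variation is <= max_cv."""
    seen = defaultdict(list)
    for line in lines:
        ts, client, host = parse(line)
        seen[(client, host)].append(ts)
    hits = []
    for (client, host), stamps in sorted(seen.items()):
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits.append((client, host, len(stamps), round(mean), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(make_sample_log()):
        print("possible beacon:", hit)
```

A strict coefficient-of-variation threshold is easy for malware to evade by adding jitter or long sleeps, so in practice this check is combined with how rare the destination is across the whole fleet and with whether the request content is constant; the point of the example is that the timing structure of a C&C channel is visible in logs that most sites already collect.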
Stuxnet spreading mechanism
Stuxnet can spread readily over computer networks, but it also has a built-in spread limit: for instance, it infects at most three computers from a single infected flash drive. As shown in Figure 1 below, Stuxnet uses several methods to spread (Thompson, 2016).
Through USB flash drives: the PLCs are connected to computers that are not on the internet, so the worm requires another means of reaching them. Different variants of Stuxnet achieve this in different ways: recent versions exploit the Windows LNK (shortcut) vulnerability, while older versions exploit autorun.inf (Fell, 2017).
Fig. 1: Ways Stuxnet uses to reach its target
1. Through WinCC: the worm searches for computers running Siemens WinCC, the interface to the Siemens SCADA systems. It connects using a password that is hardcoded into WinCC and then attacks the system's database with SQL commands (Kerr, Rollins & Theohary, 2010).
2. Through network shares: the worm can use Windows shared folders to propagate over a network.
3. Through the MS08-067 SMB vulnerability: if a remote server has this vulnerability, the worm can send a malformed path over SMB, which allows arbitrary code to be executed on the remote computer (Peng, Jiang, Xie, Dai, Xiong & Gao, 2012).
4. Through the MS10-061 Print Spooler vulnerability: the worm copies itself to a remote system through this weakness and then runs the copy there, infecting the remote machine and using a 0-day privilege escalation to obtain the rights it needs. It then launches a dropper file to attack the computer.
Applying a Formal Enterprise Architecture framework in preventing a Stuxnet attack
When adopting security measures to stop a Stuxnet attack on a network, good-practice guidelines should be followed. A good architectural framework should be effective in preventing this threat and others (Fildes, 2015). The basis for designing a system that prevents such attacks is a set of principles: the ability to protect against, detect and respond to a threat. The security infrastructure must be able to identify a threat and respond appropriately to reduce its effects. The framework should also provide defence in depth, so that vulnerabilities can be detected at any point in time. Adopting more than one defence mechanism within the network removes single points of failure and so reduces risk. The security measures should combine technical, procedural and managerial approaches to the layout of the system: technological measures alone cannot guarantee a secure system without proper guidelines stipulating the procedures to follow when a security breach occurs (Holloway, 2015).
To mitigate a Stuxnet attack, the infrastructure should have the following capabilities:
Deny access to the hardware and network devices of the system and the plant, and guard individual network components against exploitation. This involves applying security patches as swiftly as possible, testing components, disabling ports that are not in use, and applying restrictive measures that require authentication to access any component of the nuclear plant's system (Hespanha, Naghshtabrizi & Xu, 2009). The security measures should track activities within the system and keep an audit trail of processes, which helps in investigating a breach if one occurs. The defensive framework should apply security controls such as antivirus applications and software that verifies the integrity of files in order to prevent, deter and mitigate malware (Edwards, 2014).
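As an added example (not from the original page), the following Python code implements the file-integrity verification mentioned above for an engineering workstation: it records a SHA-256 baseline of a directory tree, signs the baseline with an HMAC so that malware which rewrites the PLC project cannot also quietly rewrite the baseline, and reports modified, added and removed files. The directory layout, file names and key are assumed for illustration; in practice the key and the signed baseline live off the monitored host.

```python
"""File-integrity baseline for an engineering workstation
(added example, not from the original page).

Records SHA-256 hashes for every file under a directory, protects the baseline
with an HMAC so that an intruder who can rewrite PLC project files cannot also
silently rewrite the baseline, and reports modified/added/removed files.
Directory layout, file names and the key are assumed for illustration.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large project files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_baseline(baseline, key):
    """HMAC-SHA256 over the canonical JSON form of the baseline."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def baseline_is_authentic(baseline, signature, key):
    return hmac.compare_digest(sign_baseline(baseline, key), signature)


def verify(root, baseline, signature, key):
    """Compare the live tree against a signed baseline. Raises if the baseline
    itself has been altered; otherwise returns the three change sets."""
    if not baseline_is_authentic(baseline, signature, key):
        raise ValueError("baseline signature mismatch: baseline was tampered with")
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a small project tree, then simulate an
    intruder altering the PLC project, dropping a DLL and deleting a config."""
    key = b"assumed-key-kept-off-the-workstation"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "step7").mkdir()
        (root / "step7" / "centrifuge_line.s7p").write_bytes(b"ORIGINAL PLC PROJECT")
        (root / "wincc.ini").write_text("[runtime]\nproject=centrifuge_line\n")
        baseline = build_baseline(root)
        signature = sign_baseline(baseline, key)
        # simulated intrusion
        (root / "step7" / "centrifuge_line.s7p").write_bytes(b"MODIFIED PLC PROJECT")
        (root / "unexpected.dll").write_bytes(b"dropped by malware")
        (root / "wincc.ini").unlink()
        report = verify(root, baseline, signature, key)
        # an attacker who edits the baseline to hide the change is caught too
        forged = dict(baseline)
        forged["step7/centrifuge_line.s7p"] = hash_file(root / "step7" / "centrifuge_line.s7p")
        report["forged_baseline_rejected"] = not baseline_is_authentic(forged, signature, key)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC is what makes the check worth running: a plain hash list stored on the same host is only as trustworthy as the host, and a tool that can reprogram a PLC can also rewrite a text file. Scheduling the comparison from a separate, read-only monitoring station is the natural next step.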
Applying the SABSA security architecture would be an effective way to secure the plant. SABSA is similar in design to the Zachman framework. Its architecture covers a wide scope and offers a variety of security services, including governing the availability, use and agility of all the components that make up the nuclear system. The SABSA design implements security measures that cover even the non-functional requirements of the system, which would be effective in securing the nuclear plant against unauthorised external access (Mueller & Yadegari, 2012). The architecture organises the views and aspects of the system in a six-by-six matrix. This matrix allows the security design to correspond to the strategic management stages of the system's lifecycle, so that new users and the domains they require can be added to the system. SABSA would therefore be a good option for the Iranian government in mitigating the threats posed by a Stuxnet attack. The attack arises from a malicious application or device gaining access to the plant's system; a SABSA framework would identify the point of entry and stop the attack before it happens. TOGAF is also a viable option as a security framework. It is less complex and a good example of how real-world frameworks operate. Its architectural concept is however limited, as it uses a four-by-four matrix: important views such as operation and design are not covered, and the element of time is not addressed. Moreover, it lacks specific security guidance, which makes it difficult to apply across a wide scope (McMillan, 2010).
How International laws require a state to act after a Stuxnet cyber-attack or any other
The UN Charter regulates the capacity of states to respond to attacks from another state; its articles stipulate the procedures a state may follow in retaliation if it accuses another state of attacking it. Article 2(4) of the Charter states: "All Members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations." It is still not clear who was responsible for the attack on Iran's nuclear plant. It is rumoured that the attack was a plan by the US and Israeli defence forces to slow Iran's nuclear operations, but this is not enough evidence to identify the actual attackers, which limits the options the Iranian government has in retaliating for the breach. Iran cannot use military action in retaliation, as the article prohibits any state from using force beyond its borders. The breach was a cyber-attack that did not involve the use of force, which further limits Iran's ability to respond with military force; doing so would violate the Charter and damage the country's relations with other states (Kerr, Rollins & Theohary, 2010).
Article 51 in Chapter VII of the UN Charter states: "Nothing in the present Charter shall impair the inherent right of individual or collective self-defence if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security." The clause is vague, as it does not explain what constitutes an armed attack. Cyber-attacks have not been specified as armed attacks, so the Iranian government cannot act under this clause. Collective defence also requires that the original aggressor be identified by the UN Security Council; in Iran's case the attacker cannot be established, as the origin of the Stuxnet worm is still unclear. The uncertain origin of the attack likewise limits Iran's ability to respond under the Tallinn Manual, whose rules also require the attacker to be identified before any action can be taken against them (Mudrinich, 2012).
Iran responded to the attack by boosting its own cyber-security. The government increased its efforts to recruit young people into its national militia, many of whom were trained in cyber warfare, and government-backed revolutionary groups that research and conduct cyber warfare have emerged. Groups such as the Basij and the IRGC are known to have taken part in previous cyber conflicts, and the government of Iran considers them important in countering Western cyber-attacks. Western countries are more advanced technologically and have better intelligence in cyberspace; the government of Iran knows this, having been a victim of that advantage through the Stuxnet attack on its nuclear systems. Having its own cyber-space military unit benefits the country's defence: the government is now better able to stop future attacks and to broaden its research on cyber warfare (Halliday, 2010).
Stuxnet is a dangerous computer worm that most likely operates across national borders. Most Stuxnet infections occurred in Iran, and the worm would have had far more damaging effects there had it not been detected by the security community. The attack is widely believed to have been created by the US and Israel as a cyber-weapon against Iran's nuclear programme.
1. Broad, W.J., Markoff, J. and Sanger, D.E., 2011. Israeli test on worm called crucial in Iran nuclear delay. New York Times, 15 January 2011.
2. Cárdenas, A.A., Amin, S., Lin, Z.S., Huang, Y.L., Huang, C.Y. and Sastry, S., 2011, March. Attacks against process control systems: risk assessment, detection, and response. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (pp. 355-366). ACM.
3. Edwards, C.I.P.M., 2014. An analysis of a cyberattack on a nuclear plant: The Stuxnet worm. Critical Infrastructure Protection, 116, p.59.
4. Farwell, J.P. and Rohozinski, R., 2011. Stuxnet and the future of cyber war. Survival, 53(1), pp.23-40.
5. Fell, J., 2017. Cyber crime-History: Hacking through history. Engineering & Technology, 12(3), pp.30-31.
6. Fildes, J., 2015. Stuxnet worm attacked high value Iranian assets. BBC News. http://www.bbc.co.uk/news/technology-11388018
7. Grobman, S. and Cerra, A., 2016. No Second Chance. In The Second Economy (pp. 59-75). Apress, Berkeley, CA.
8. Halliday, J., 2010. Stuxnet worm is the 'work of a national government agency'. The Guardian, 24 September 2010.
9. Hespanha, J.P., Naghshtabrizi, P. and Xu, Y., 2009. A survey of recent results in networked control systems. Proceedings of the IEEE, 95(1), pp.138-162.
10. Holloway, M., 2015. Stuxnet Worm Attack on Iranian Nuclear Facilities. Retrieved 13 April 2017.
11. Jacobson, M., 2015. Vulnerable Progress: The Internet of Things, the Department of Defense and the Dangers of Networked Warfare.
12. Karnouskos, S., 2011, November. Stuxnet worm impact on industrial cyber-physical system security. In IECON 2011 - 37th Annual Conference of the IEEE Industrial Electronics Society (pp. 4490-4494). IEEE.
13. Kerr, P.K., Rollins, J. and Theohary, C.A., 2010. The Stuxnet computer worm: Harbinger of an emerging warfare capability. Washington, DC: Congressional Research Service.
14. McMillan, R., 2010. Siemens: Stuxnet worm hit industrial systems. Computerworld, 14 September 2010.
15. Mo, Y., Weerakkody, S. and Sinopoli, B., 2015. Physical authentication of control systems: Designing watermarked control inputs to detect counterfeit sensor outputs. IEEE Control Systems, 35(1), pp.93-109.
16. Mudrinich, E.M., 2012. Cyber 3.0: The Department of Defense strategy for operating in cyberspace and the attribution problem. Air Force Law Review, 68, p.167.
17. Mueller, P. and Yadegari, B., 2012. The Stuxnet Worm. Department of Computer Science, University of Arizona. http://www.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic9-final/report.pdf
18. Peng, Y., Jiang, C., Xie, F., Dai, Z., Xiong, Q. and Gao, Y., 2012. Industrial control system cybersecurity research. Journal of Tsinghua University Science and Technology, 52(10), pp.1396-1408.
19. Sanders, C.M., 2018. The Battlefield of Tomorrow, Today: Can a Cyberattack Ever Rise to an "Act of War?". Utah Law Review, 2018(2), p.6.
20. Thompson, M., 2016. Military aspects of cyber warfare. United Service, 67(3), p.27.
21. Walsh, G.C., Ye, H. and Bushnell, L.G., 2009. Stability analysis of networked control systems. IEEE Transactions on Control Systems Technology, 10(3), pp.438-446.