The Stuxnet Trojan was a precisely targeted attack on computer-based industrial control systems. It is presumed that the attacker's aim was to spy on control system designs and, beyond that, to manipulate the controls themselves. Over the last few months we have been following an increase in espionage attacks of this kind; they differ from ordinary vandalism in their sophistication and clear purpose, and they are directed not only against large companies but also against our SMB customers.
Stuxnet uses four previously unknown exploits for Windows, not all of which have been patched by Microsoft to this day. Finding even a single such flaw in Windows requires immense know-how, time and effort, and hackers will happily invest their free time in these projects, since a zero-day exploit of this kind is valued at an estimated quarter of a million Euros on the black market. The fact that the developers of Stuxnet had four previously unknown exploits at their disposal at once shows that we are not dealing with recreational hackers, but with people who have know-how and resources at hand – a dangerous combination.
The control systems targeted by Stuxnet are often poorly protected, or not protected at all, because they have no connection to the Internet and operate independently. Today, however, we have to assume that any computer can be infected. Even if a computer has no direct access to the Internet, as is often the case with control computers in production plants, it is still part of a network and connected to other systems. What is really clever about Stuxnet is that the Trojan enters the corporate network at one point and then spreads further on its own, using several different methods across the network. This process continues until it locates a computer on which the software it is looking for is installed – in this case WinCC.
A further problem is that the manufacturers of industrial plants are at the same level in terms of security as Microsoft was ten years ago. Back then, Microsoft paid hardly any attention to security. For industrial plants, the focus is on uninterrupted operation, and security is secondary. An example: even after learning about the Stuxnet infection, Siemens advised its customers not to change the default passwords in the system, as doing so could affect the ongoing operation of critical systems.
The security of a company is only as strong as its weakest link. Since divisions and sub-networks are interconnected, it is not enough to look at parts of a company in isolation or to introduce different measures for different segments. A minimum requirement, for example, is a company-wide password policy that forbids the use of default passwords in live operation.
The original article/video can be found at "Why Stuxnet Is Special".