Malware attacks aren’t really news anymore – they’re routine. Nevertheless, when Stuxnet disabled an Iranian nuclear facility in 2010 it was big news. Malware was introduced into the facility's local area network by jumping the air gap between the internet and the internal network via an insider.
The attack was sophisticated, employing four Windows zero-day exploits, and it was the first malware to include a programmable logic controller (PLC) root kit, enabling it to attack a specific Siemens controller. The payload included two stolen, signed digital certificates issued by VeriSign, which appear to have enabled Stuxnet to authenticate into the environment. Once inside the facility, Stuxnet propagated and then located and operated a digital control for a valve or control a module critical to the facility’s infrastructure, with the intent of damaging the facility. In other words, Stuxnet was a digital weapon that did mechanical damage, earning itself a new classification: weaponized malware.
Stuxnet Raises Questions – Can They Be Answered?
Stuxnet’s origin is not clear, but two questions are particularly pertinent. The first: When will weaponized malware and its derivatives be used for another attack, and what will it attack? This is impossible to answer. We don’t know when or where an attack will occur. We do know, however, now that Pandora's box is open, more attacks will happen.
The second question: How can threatened organizations assess and address this new security risk? This can and must be answered. We know how the malware was delivered – the stolen certificates allowed it to act as a trusted application and communicate with other devices.
Digital Certificate and Key Management Practices and Policies Are Central to Defense
Zero-day vulnerabilities are, by definition, impossible to defend against. Preventing the use of stolen digital certificates by weaponized malware in a networked environment is not.
As sensitive processes proliferate, so to do increasingly sophisticated strategies for compromising them, making digital security imperative. The increased use and dependence on encryption to protect sensitive information and devices increases the need for taking rigorous measures that will protect certificates and keys.
One reason Stuxnet succeeded is because it masqueraded as a trusted insider. The sad truth is, however, that most organizations are negligent when it comes to managing their encryption certificates. They have no strong policies. They do not know how many certificates are active in their network, where they are installed, who installed them, whether they are valid, when they will expire, and if they’re valid and authorized for use on the network – conditions that make them more vulnerable to Stuxnet-like attacks.
Organizations can take steps to reduce the risk of a successful attack. In the wake of Stuxnet, several standards and guidelines have been published that focus on creating best practices in security management for control systems. Best practices call for organizations to deploy defense-in-depth technologies that address digital certificate and encryption key policies, and provide capabilities that can find and eliminate vulnerabilities. This type of defense is broadly applicable to any organization – public or private – with assets to protect.
Know Your Digital Certificates
Organizations can protect themselves from the risks associated with digital certificates by deploying technologies that automate the certificate management process. Unfortunately, managing the lifecycle of encryption certificates and keys, as well as the systems that rely on them, has been challenging. As more and more certificates and keys need to be deployed, organizations are reaching a tipping point, forcing them to look for automated management methods. Siloed point solutions are available, but they have not proven completely successful because they are incapable of dealing with management needs across the entire organization.
Needed are enterprise-wide encryption management strategies that provide more-centralized oversight, better support the broader deployment of encryption, improve security, and reduce the cost of managing encryption. New systems management platforms that can support enterprise-wide strategies are now emerging. These platforms, which are employed on enterprise systems that can be used to control devices such as PLCs, may handle several broad functions:
- Discovery: The foundation of key and certificate management is the ability to rapidly discover and verify all certificates and keys, and to develop an accurate inventory of where they are deployed. High-performance, network-based systems can rapidly discover certificates across the enterprise and allow administrators to customize discovery, for example, by scheduling automatic execution of periodic discoveries or by filtering out test certificates or retired systems. Administrators can review the discovery results and quickly determine which certificates need attention.
- Certificate and key monitoring and alerting: Monitoring encryption keys and certificates for impending expiration dates and automatically sending notice of expiration dates in advanced allows administrators to take action on them.
- Automated certificate authority (CA) enrollment: In cases where administrators perform certificate and key management operations manually, this option allows them to enroll for certificates through the management platform instead of going directly to the CA.
- Automated management and provisioning: Manually managing and provisioning private certificates and keys is time consuming, complex, and error prone. It exposes organizations to risks, as administrators have direct access to private keys. Automated management and provisioning results in improved security, better compliance with policies, reduced administrative overhead, and improved reliability.
Weaponized malware that relies on stolen certificates can succeed because it exploits poor certificate management. The defense against this type of attack is obvious: organizations must take the security of keys and certificates just as seriously as they take physical or data security. They need to implement strict practices and policies, they need to know where these assets are, and they need to manage and monitor them so they do not fall into the wrong hands. And, they need to act now.
Jeff Hudson, CEO of Venafi, has been a key executive in four successful, high-technology start-ups that have gone public. Hudson brings over 25 years of experience in information technology and security management, and has spent a significant portion of his career developing and delivering leading-edge technology solutions for financial services and other Global 2000 companies.