Ralph Langner is the closest thing to a rock star that you get in the Dockers and pocket-protector world of industrial control systems. The German researcher made headlines in 2010 as among the first security experts to analyze parts of the Stuxnet worm’s code devoted to manipulating programmable logic controllers by Siemens, and the first to explicitly link the Stuxnet malware with an effort to disable Iran’s uranium enrichment operation.
Since then, Langner he has been quoted in countless articles and on TV. He was profiled (peevishly) in Vanity Fair (a piece that prompted a hillarious, written response from Langner) and spoken at the uber-hip TED Conference.
These days, Langner is keeping busy with Langner Communications, his consulting firm which works with ICS vendors and their customers on security issues. And he’s also keeping in the spotlight. Threatpost caught up with Langner at the recent S4 Conference, an annual gathering of the leading researchers in industrial control system security in Miami. Langner always looms large at the conference and others like it, including WeissCon, a Washington D.C. Conference where, in 2010, Langner unveiled some of the first details of his analysis of Stuxnet.
And so he did this year, taking attendees through an analysis of Stuxnet code used to manipulate Siemens PLCs, promoting a new book and trailing a camera crew from the prime time TV news show 60 Minutes. I caught a ride with Langner in his rented Mercedes (he says he’d have preferred a Corvette) and, later, at the Conference. These are excerpts from our conversations.
Threatpost: We’ve seen in the last year Stuxnet variants like Duqu¸ and other malware that seems to use aspects of the Stuxnet code. What do you think is going to be the legacy of this malware? Is it going to become a platform similar to, say, the Zeus malware or is it just going to kind of fade away?
Ralph Langner: Well, this won’t go away. This won’t fade away. When I heard about the discovery in respect to (Stuxnet variant) Tilded, I would say I was by no means surprised. I was actually expecting that, because this is such a high profile operation, such a level of sophistication that I had bet that the attackers have been working on this – so that this was a long-term approach attempt that they have been working on this for a couple of years –not specifically on Stuxnet, but just to build up offensive cyber attack capability. And so if you really wanna do that, what we now see is actually what you would try to achieve.
You want to create a set of reusable tools. I mean, reusability is a big thing in software development, and certainly also applies to sophisticated cyber attackers. So these guys are pros, and they are just using the latest technology and architecture. So this didn’t surprise me at all. And it would also not surprise me if it would see an attack executed by the very same group, just targeting completely different product base. So, for example, doing something against Rockwell, PLCs, or doing something against Areva safety controllers that are used in the nuclear industry. This would not surprise me at all because if you’re doing work at this level of sophistication, you have all the experience, the architectures, the strategy that can be used against any industrial control system target. So this is, in a way, not really about Siemens products, and I think there are many people who pointed that out aleady.
Threatpost: The thing that seems concerning here is Stuxnet sets the precedent that there may be malware out there targeting ICS systems that is either dormant or that is slow – that is kind of manipulating the reality that operators of this equipment are living in, but doing so in a really subtle way over a long period of time.
So it would seem like one of the issues that the community needs to talk about – to really address this head on– is this idea of provability, right, that being able to prove that the reality that is being presented by a device is actually what’s going on, on the device.
Ralph Langner: Yeah, that you’re actually – to recognize that you were under attack. That’s a big issue that that’s a very good point. And so there are some people in the community who argue that we need better forensics. That might be true, but I think what is even more important, let’s start with the capability to actually detect that you’re under attack. This is where it all starts. And I would say that major installations and critical infrastructure really are not prepared for this. So when they would be attacked, it would probably take a year until they notice, which is exactly what we have seen in the case of Stuxnet.
Threatpost: Sure. Well, and one of the classic arguments is that, well, they don’t have any virus or they don’t have intrusion detection tools because those introduce too much latency and require too much maintenance and they’re going to hurt availability.
Ralph Langner: Yeah, but wait a second. Antivirus wouldn’t have helped because you didn’t have a signature for this specific malware, and for the next attack of this caliber, you also will not have a signature, so this wouldn’t help very much.
Threatpost: Right, although, IDS (intrusion detection system) may have picked it up. (Langner looks askance.) You don’t think so?
Ralph Langner: I don’t think so, no. We presently don’t have IDSs that would have detected this. We might, so from a technology point of view, you certainly can design a product that would be capable of doing this. But so far, we haven’t seen it. It’s not available on the marketplace. As a matter of fact, we start to offer a product which goes into that direction a couple of years ago, but guess what? It didn’t sell [laughs] because our customers were thinking, “Well, yeah, that sounds like a good idea, but then on the other hand, who would attack us and blah, blah, blah.”
Threatpost: So the perception of threat is still pretty low, in your opinion?
Ralph Langner: Yes. I think there are probably some more basic things that need to be done, and if you really want to be able to probably respond to a cyber attack. So for example, when you just think about your operating a power plant. How would the operators – or let’s first start with another issue. So look at major installations and critical infrastructure. The point is, I haven’t seen really solid contingency plans for cyber attacks. So point is that the operators and maintenance stuff, management, et cetera, would pretty much have to improvise on how to handle the sophisticated attack. And this might get nasty. One thing that I would suggest –
Threatpost: Nasty in terms of what they would need to do to respond to it?
Ralph Langner: No. They would just run out of time. So they would just make a situation worse by not responding properly to it. And this is another area where we try to train and educate our clients to just include contingency procedures against cyber attacks in to that training. So, for example, when you operate a nuclear power plant, your operators are trained on simulators because in a nuclear power plant, you really, as an operator, you have let’s say, kind of a lazy job because nothing really happens. And so the problem is once you would get hit by a cyber attack, how would you notice this? And how would you respond? This is an issue that I think is important to include in training and it’s also a point to underline that technical solutions alone won’t do the trick.
Threatpost: It also seems to be the case, though, that unlike the world if enterprise networking and LANS and WANS that the deployment scenarios in the industrial control sector are really incredible varied, right? It is manufacturing. It is energy distribution. It is any number of different things. So, while the security community for networking can always more or less assume what the context is, in industrial control, you can’t really do that, right?
Ralph Langner: Oh, no, I disagree.
Threatpost: You don’t think so?
Ralph Langner: Actually, it’s much more simple than what you have just said. So I’ve been in this field for over a decade now, and one funny experience that I made is that there are only very, very slight differences across various industries. So you can’t really predict security problems or a good security posture by looking at the industry. So we find pretty similar stuff throughout the place, throughout various industries. By the way, this is certainly affected by the high number of general-purpose products like the Siemens controllers that we have been talking about, because they are generic, so you can use the very same product to enrich uranium, or to drive an elevator. I’m not kidding.
So you’ll find these products in elevators, too, in building automation. And then, therefore, you find the same set of security problems all over the place. And one thing certainly has to be underlined, also, this is, again, also when we’re talking about vendors, this is not a specific vendor issue.
The only problem I have with this particular vendor, Siemens, is that they were just pretending they were doing everything right. We would be much better off if they would just say, “Okay, our parts are not secure. But that’s not our fault because nobody really asked for it.” So somebody like me would say, “Hey, Siemens. That’s great. That helps us. That’s good news,” because customers are no longer under the impression that everything’s fine and dandy, and that they don’t have to care about anything. But what I wanted to point out is we have a much larger cultural issue because the roots of this development that led to pretty much zero security on the plant floor, have one simple cause. This all comes from electrical engineering. And electric engineering has a completely different approach and mindset, which is something I try to elaborate on in my book. So as an electrical engineer, let’s just say you have a hard time understanding what the fuss is all about in terms of cyber security because for you, it might not appeal as real, something real. Because real is electrical current that you can measure.
Stay tuned for part II of our interview with Ralph Langner on Monday.
Correction: An earlier version of this story stated, incorrectly, that Ralph Langner presented an early analysis of the Stuxnet worm at the S4 Conference in Miami. Langner actually made that presentation at the WeissCon Conference in Washington D.C. The story has been updated to reflect this.