Imagine a nefarious computer virus, one some industry experts say may be
the most sophisticated piece of malware ever written. Imagine this worm,
loaded onto a Siemens Programmable Logic Controller (PLC), creating two
hexadecimal words as its output: DEAD F007. Now imagine this piece of
malware, Stuxnet -- or something like it -- coming to an industrial plant
near you.
Let's start by dispelling one myth that seems to be growing up around
this piece of PLC-controlling software: PLCs are not super-secret
devices, but are standard bits of industrial control equipment that can
cost as little as $200 (and, for really complicated ones, many
thousands), and are available from industrial supply houses all over the
world without any kind of security check. The software used to program
PLCs is no more secret than the devices themselves. WinCC, the
compromised program, may not be known to many programmers or sysadmins
who work in offices, but it is a familiar tool for industrial plant
people in many different fields.
Siemens, based in Germany, is one of the biggest multinational big dogs
in the PLC field. They sell into the U.S., China, Brazil, India, and
almost anywhere else there's any industry at all. Want to count cereal
boxes on an assembly line and measure out the right amount of cereal for
each one? You can program a Siemens PLC for that application, no
problem. Want to spin your uranium-enrichment centrifuges at just the
right speed? Ditto. Or run track-mounted speed detectors and switch gear
for your high-speed rail system or the moisture control on your Yankee
dryer? No problem. If there isn't a PLC app for that already, writing
one is no big deal.
An early article about the Stuxnet infection in Iran claimed that it
infected "millions" of industrial control computers there. This is
unlikely. Indeed, it's unlikely that Iran has millions of industrial
control computers, period. And Stuxnet is not -- at least in forms
discovered so far -- an Internet-spread problem, but one that typically
infects a computer network when someone plugs a USB stick containing the
worm into a computer on that network.
Another article, on Forbes.com, postulated that the Stuxnet worm's
purpose was to disable satellites run by the Indian Space Research
Organization, which would mean more business and prestige for China's
AsiaSat.
And maybe some Siemens PLCs are not supposed to be going to Iran, after
all. A New York Times story published on Sept. 29 said, "...last year
officials in Dubai seized a large shipment of those controllers — known
as the Simatic S-7 — after Western intelligence agencies warned that the
shipment was bound for Iran and would likely be used in its nuclear
program."
That same story mentions the Biblical-sounding connection of one of the
worm's file names to the
Book of Esther,
"a clear warning in a mounting technological and psychological battle as
Israel and its allies try to breach Tehran’s most heavily guarded
project." But it also says, "Others doubt the Israelis were involved and
say the word could have been inserted as deliberate misinformation, to
implicate Israel."
And then there's that DEAD F007 "leetspeak" PLC output. Eric Loyd,
President of Bitnetix, says that no matter how juvenile DEAD F007
sounds, "Stuxnet is far from a kid-hacker attack." Indeed, Loyd is one
of many IT experts who believe Stuxnet may be the most sophisticated
piece of malware ever written, with its use of four separate Windows
zero-day attacks, not one but two genuine security certificates (now
revoked), and its ability to not only monitor but modify instructions
for the targeted Siemens PLCs.
While PLCs may be a mystery to many -- even most -- programmers and
sysadmins, they are not complicated, nor do they take advanced degrees
to figure out. In most of the industrial world, they are the
responsibility of guys who wear their names on their shirts. Indeed, the
whole point of SCADA is that it makes plant processes easy to visualize
and control.
So far there is no concrete evidence that Stuxnet-infected computers or
PLCs have affected Iran's nuclear fuel enrichment program or delayed the
startup of the country's one nuclear reactor. But there are suspicious
coincidences that make it seem like Stuxnet might have done something to
Iran's nuclear efforts, depending on which contradictory reports coming
out of Iran you want to believe.
On one hand, Iranian government sources say Stuxnet has not caused
problems or delays to anything nuclear, and on the other they claim they
have arrested "Nuclear Cyberspace Spies" and are "fully aware of the
activities of 'enemies' spy services."
Stuxnet may not be the biggest problem
Whether Stuxnet is the work of Chinese or Israeli government
cyberwarriors or a computer science student's prank that got out of
hand, there are cures for it, and Microsoft is closing the four Windows
zero-day vulnerabilities that allow the worm to do its mischief and to
propagate laterally within a government or corporate computer network.
And with the right malware protection, a Stuxnet infection can be
detected immediately, says Kurt Bertone, Vice President of Strategic
Alliances for Fidelis Security Systems, who says his company's XPS cyber
defense products have no trouble dealing with Stuxnet.
Other virus detection and malware control companies also now have a
handle on Stuxnet, including Siemens, which offers complete Stuxnet
detection and removal instructions.
But the problem now, Bertone warns, is not so much Stuxnet but other
pieces of malware that are out there but may not have been discovered.
He and Eric Loyd both worry that there may be some "Son of Stuxnet" worm
out there, spread manually, like Stuxnet, or by some other vector, that
will one day cause dangerous problems at nuclear plants, oil refineries
or chemical plants or....
...there are millions of critical points in our modern industrial
infrastructure that use PLCs and other computer-based controls, some of
which are carefully secured against malware infections -- and some of
which are not secure at all but have not yet been attacked.