Imagine a nefarious computer virus, one some industry experts say may be the most sophisticated piece of malware ever written. Imagine this worm, loaded onto a Siemens Programmable Logic Controller (
Let’s start by dispelling one myth that seems to be growing up around this piece of PLC-controlling software: PLCs are not super-secret devices, but are standard bits of industrial control equipment that can cost as little as $200 (and, for really complicated ones, many thousands), and are available from industrial supply houses all over the world without any kind of security check. The software used to program PLCs is no more secret than the devices themselves.
Siemens, based in Germany, is one of the biggest of the multinational big dogs in the PLC field. They sell into the U.S., China, Brazil, India, and almost anywhere else there’s any industry at all. Want to count cereal boxes on an assembly line and measure out the right amount of cereal for each one? You can program a Siemens PLC for that application, no problem. Want to spin your Uranium-enrichment centrifuges at just the right speed? Ditto. Or run track-mounted speed detectors and switch gear for your high-speed rail system or the moisture control on your
An early article about the Stuxnet infection in Iran claimed that it infected “millions” of industrial control computers there. This is unlikely. Indeed, it’s unlikely that Iran has millions of industrial control computers, period. And Stuxnet is not — at least in forms discovered so far — an Internet-spread problem, but one that typically infects a computer network when someone plugs a USB stick containing the worm into a computer on that network.
And maybe some Siemens PLCs are not supposed to be going to Iran, after all. A New York Times
That same story mentions the Biblical-sounding connection of one of the worm’s file names to the
And then there’s that DEAD F007 “leetspeak” PLC output. Eric Loyd, President of Bitnetix, says that no matter how juvenile DEAD F007 sounds, “Stuxnet is far from a kid-hacker attack.” Indeed, Loyd is one of many IT experts who believe Stuxnet may be the most sophisticated piece of malware ever written, with its use of four separate Windows zero-day attacks, not one but two genuine security certificates (now revoked), and its ability to not only monitor but modify instructions for the targeted Siemens PLCs.
While PLCs may be a mystery to many — even most — programmers and sysadmins, they are not complicated, nor do they take advanced degrees to figure out. In most of the industrial world, they are the responsibility of guys who wear their names on their shirts. Indeed, the whole point of SCADA is that it makes plant processes easy to visualize and control.
So far there is no concrete evidence that Stuxnet-infected computers or PLCs have affected Iran’s nuclear fuel enrichment program or delayed the startup of the country’s one nuclear reactor. But there are suspicious coincidences that make it seem like Stuxnet might have done something to Iran’s nuclear efforts, depending on which contradictory reports coming out of Iran you want to believe.
On one hand, Iranian government sources say Stuxnet has not caused problems or delays to anything nuclear, and on the other they claim they have arrested “
Stuxnet may not be the biggest problem
Whether Stuxnet is the work of Chinese or Israeli government cyberwarriors or a computer science student’s prank that got out of hand, there are cures for it, and Microsoft is closing the four Windows zero-day vulnerabilities that allow the worm to do its mischief and to propagate laterally within a government or corporate computer network. And with the right malware protection, a Stuxnet infection can be detected immediately, says Kurt Bertone, Vice President of Strategic Alliances for Fidelity Security Systems, who says his company’s XPS cyber defense products have no trouble dealing with Stuxnet.
Other virus detection and malware control companies also now have a handle on Stuxnet, including Siemens, which offers
But the problem now, Bertone warns, is not so much Stuxnet but other pieces of malware that are out there but may not have been discovered. He and Eric Loyd both worry that there may be some “Son of Stuxnet” worm out there, spread manually, like Stuxnet, or by some other vector, that will one day cause dangerous problems at nuclear plants, oil refineries or chemical plants or….
…there are millions of critical points in our modern industrial infrastructure that use PLCs and other computer-based controls, some of which are carefully secured against malware infections — and some of which are not secure at all but have not yet been attacked.