M Griffin
To do exactly what Stuxnet did took quite a bit of effort. However, to do something equally effective against most typical targets would not be any more difficult than what many virus authors already do today. Yes it was a targeted attack, but that isn't new. Google was subjected to a targeted attack not long ago that was successful at getting confidential business information. The attackers in that case knew that Google used MS Windows XP with IE 6 in their Chinese ad sales office, and they simply took one of the many commercially (black market) available off-the-shelf MS Windows and IE6 viruses that are out there and added their own custom payload to scoop up Google's sales data. This type of targeted attack happens all the time. There is nothing unusual about that and there is nothing to stop any interested party from repeating this with an industrial target.
There is an entire industry dedicated to creating and selling MS Windows viruses to people who want them. If you want a zero-day MS Windows exploit (one that has never been used before), you can buy those too, they just cost more money (I think the going rate is around $10,000). Some virus authors offer support contracts to their customers. Getting an MS Windows virus is not a problem.
As for creating the virus payload (the part that would affect the control system), that doesn't look to be that difficult either. You could use the vendor's own programming software to create your PLC changes, record a download to the PLC, and then figure out how to "re-play" that back again later. If you target an MS Windows SCADA or HMI system instead of a PLC, the job would be even easier as the virus could do the job directly via the OPC server. Since a lot of the more lucrative potential targets have SCADA systems, that's a good target to look for.
There are really only two things that have prevented this problem from occurring so far. One is that the automation control industry is so technologically backwards that it has been difficult to apply current common virus techniques to it. For example, modern viruses normally depend on a network to spread, and networks have only recently become common on the plant floor. Indeed, some of the techniques used by Stuxnet should be quite familiar to anyone who recalls the days before PC networks became common and viruses were usually spread by infected floppy disks.
The other thing that has prevented this from happening is that the people who make money from viruses simply weren't aware of the potential market. Now that Stuxnet has happened, their thoughts will be turning to the automation market and what can be done there. Now someone just has to use their imagination to figure out how to make money by knowing that a generating plant, pipeline, or mine will be knocked out during a certain time window. I'm sure that a commodities speculator could handle that end of things.
If you want a good example of a scenario, consider the following. There are many, many gas turbine generating plants in the world that all have very similar control systems. Find out who the engineering or maintenance staff are at one or more of these plants, and send them an e-mail with a virus labeled "click here for deals on re-built Moog servo valves". Now, if any of those people have their PC come in contact with the GTG control system (perhaps they're already networked directly to the HMI so they can keep track of it?) you have your "in". If your virus can cause difficult-to-troubleshoot trips, you can create a shortage of electric power in that area. If that plant supplies a de-regulated electricity market, a speculator who knew this was going to happen could have bet on the price of electric power going up. Somebody could make a *lot* of money this way. The same concept can be applied to oil or gas pipelines, large refineries, certain metals mines, etc.
What I find surprising is that this isn't happening all the time right now. Focusing on what was special about Stuxnet is a red herring. What people should be focusing on is how easily much less sophisticated efforts could cause disruption for profit.