New Virus Targeting HMI/SCADA Systems?

As an interesting aside, I heard a blurb reporting that Iran is claiming Stuxnet was targeting their "Nuclear Program" and put them back a few years. I could believe that it was targeting them, but I can't see how it would delay them for years unless it trashed something irreplaceable. I didn't catch the source and you won't hear anything like that in the mainstream media. Googling for Iran and Stuxnet provided conspiracy rumors.

Regards
cww
 
>I didn't catch the source and you won't hear
>anything like that in the mainstream media.

I'd say the New York Times is pretty mainstream. There was a great article in Sunday's NYT:

http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

The article features some in-depth reporting about a joint American/Israeli effort to create Stuxnet, with the perhaps-unwitting cooperation of Siemens. There's a graphic accompanying the article indicating how the virus is spread. The article also discusses the extent to which the Iranian nuclear program was set back. An interesting read.

Ken Crater
 
Hmmm.... Someone must have found something more solid than the ravings I heard about. If the spooks did this, you wouldn't think they'd talk about it. I'll hafta see what the Times wants to look at it.

Regards
cww
 
According to a report on (mainstream) TV news here in New Zealand (a couple of days ago) it wrecked the centrifuges by continually speeding them up and slowing them down.

Bruce
 
I now believe my previous concerns about the security of our infrastructure and industrial systems that depend on Windows were understated. They will in no way withstand fanatic hackers. On the brighter side, a major industrial comms software house, Prosoft, is recruiting Linux firmware folks. Too bad it's in California. My guess would be someone thinks firewalls of various types will become a hot item.

Regards
cww
 
The link to that newspaper appears to want an account password, so I can't read it. However, I can see some commentary on the story in other sources and they categorize it as just more speculation. Equally convincing cases could be made for the Russians or the Chinese as the originators.

I've also not seen any evidence that the virus actually hit its (supposed) target. The fact that the Iranians have had problems with starting up their centrifuges isn't evidence for a virus. I've been involved in the start up of a number of production lines of various types, and I would be far more surprised if they *didn't* have some difficult mechanical problems than if they did.

In the 1990s I was involved in the start up of a new production line that did not go well (the line was late and then delivered without proper testing). Someone made a joke about a "PLC virus" causing the problems. Someone who didn't understand the problems heard it and a high level management crisis meeting began. Questions filtered down to the lower levels asking for more detail and it had to be explained to them that there was no virus, the problems were in the mechanical design and normal PLC program bugs.

I started this thread and I'm not trying to pour cold water over the whole idea. On the other hand, I don't want to speculate on what happened beyond what the evidence supports. As for this setting the Iranian project back "years" (which some people have claimed), that is not something that I find very plausible.

However, I think that whether or not Stuxnet has had more effect beyond the collateral damage to the hundreds of thousands of PCs around the world which it infected is really not that important to us here. It does show that the creation of a virus which targets industrial control systems is no longer just an alarmist prediction, it's something that we have to take seriously. The tens of thousands of successful MS Windows viruses which are circulating today prove that you don't need a particularly sophisticated virus to deliver a payload provided you are willing to be flexible in your choice of targets. The actual payload itself doesn't have to be very advanced to do something like sit in a SCADA system and trip a turbine or pump at a preset time.

I would say that speculation on Stuxnet's target is doing more harm than good. The more that people think "well, I'm not running a uranium centrifuge so I have nothing to worry about", the less likely they are to do anything to prevent it from happening to them. If someone wanted to shut down an electric power system for example they could use fairly simple techniques based on an off the shelf virus. There are black market virus organizations who will create a virus to order, so there is no problem about access to expertise. The real experts in this field can be hired by anyone who has the money.

Internet retailers and entertainment companies have been dealing with attacks for years. Some companies routinely pay protection money to extortionists to avoid being knocked off the internet at critical times of the year. All that has been protecting manufacturing, process, and utility industries from facing the same problems has been lack of motivation on the part of potential attackers. I'm not sure how much longer we can continue to rely on that as protection.
 
What I don't understand is how it is possible to have such equipment without proper electro-mechanical protection. I have done several small turbines as well as centrifuges. ALL these units came with vibration protection, set by the manufacturer (and tested by our team, of course), with not a single connection to a PLC or DCS. Pure E/M protection is the best and only protection for such equipment in case something goes wrong. Assuming the centrifuges are expensive equipment and in huge quantity (I read in the article nearly 1K OOS), maybe bad design is the main cause of failure.
 
I've just seen a new article on this from Kaspersky Labs (a well known PC security company). It makes for a rather interesting read:
https://threatpost.com/en_us/blogs/stuxnet-authors-made-several-basic-errors-011811

Security researchers compared Stuxnet to other viruses and said that:

- "the code was fairly low quality"

- "the command-and-control mechanism is poorly done"

- "the Stuxnet authors were very naive in the methods they used to cloak the payload and target of the malware"

- "the authors should be embarrassed at their amateur approach to hiding the payload"

- (the techniques compare unfavourably to) "what Bulgarian teenagers did back in the early 90's"

From this point of view, one wonders what could have been accomplished if the virus had been written by someone who had a better idea of what he was doing.
 
Excellent question, if we view these centrifuges as normal industrial equipment. However one theory of Stuxnet has the OEMs involved, so maybe the hardwired interlocks were omitted intentionally?
 
I tend to disagree; a fully isolated control network has no vectors for attack, making OS choice irrelevant. If the control network needs external connectivity, it can be done safely with fairly standard IT industry practices, or at worst by passing data over a non-TCP/IP protocol like serial modbus. The only significant risk is when users bypass the isolation, and that too can be controlled with policy settings on PCs and employee training.

IMO, for a fully featured DCS, the slight and manageable risk of running Windows is more than offset by the richness of features of Windows based software.
 
In reply to Demigrog: Stuxnet did not rely on a network connection to spread. It would take advantage of one if it were present, but that wasn't the primary means of propagation. Also, the original PC viruses back in the days of MS-DOS did not rely on network connections either. The spreading of viruses via networks is something that came much later long after viruses (and the anti-virus industry) were well established.

In cases where network connections are used, if "standard IT industry practices" are adequate for dealing with viruses, then why are viruses such a problem in an office environment? Large multi-national companies with professional IT staffs, "locked down" workstations, anti-virus scanners on each PC, anti-virus scanners on all incoming mail, deep packet inspection on all incoming and outgoing traffic, and everything else that has ever been thought of have virus problems to this day.

As for the security of serial (RS-232) connections, they are no more secure than Ethernet. All you need is one exploitable bug in the application program, serial library, or other third party library and a virus can worm its way in through a serial connection just as easily as through Ethernet. Indeed given the fact that serial communications receives a lot less attention than Ethernet, I would not be surprised if serial links were less secure.

The only advantage that a serial link gives you is that current off the shelf commercial viruses do not target them. If someone were to design a virus specifically to attack a specific industrial control system (which is what this discussion is all about), then a serial library would certainly be another potential attack vector.
 
That's my point, and I just wanted to get a separate thought like yours :). For me that's a clear example of sabotage. Without insiders, no damage can be done on such a scale. Another bad thing about the case is that usually most of the operations personnel of a plant from that side of the globe are light years behind in everything, including industry. I have had several projects in the ME and I can clarify that the engineers and technicians have limited theoretical skills and no practical experience. So with such a team it is not possible to run any plant.
 
I did register to read the article, at the risk of being spammed to death. And there is a lot more grist there than idle speculation would uncover. Someone with pretty detailed knowledge on the issues wanted credit to be given to the Israelis and there would be no shortage of peace loving people willing to help. All with plausible deniability, of course. It does remind one of past Israeli pragmatic solutions to doomsday situations. And the damage done is probably compounded by the intense scrutiny and sanctions that would make centrifuge parts difficult to obtain without discovery. And with Al Jazeera's concern for integrity and truth, the US will be in the crosshairs regardless of what really happened.

My concern is for more ubiquitous targets that are cookie cutter similar. Substitute turbine generator for centrifuge, or any big ticket critical infrastructure item that has been produced in quantity. Not so much fixed plants because they are pretty site specific. Taking out one power plant, for example, is a headache. Blow all the peaking plants off line during a heat wave and you have a shot at crashing the whole grid. I agree with Michael that all infrastructure people should be carefully assessing their vulnerabilities and, more importantly, acting on them.

Regards
cww
 
Or as is somewhat implied, this is sort of an underground business where shortcuts might have been the rule and "if you're buying uranium gas centrifuges, you probably know what to do with them". After all, I doubt the secret nuclear weapons effort has a Siemens support contract and a friendly local VAR who shows up with donuts. I don't know about you, but if a guy with an AK47 shows up and wants me to consult on centrifuge modifications, I'd be a little suspicious and hesitant. It's probably an "anything that works, no questions asked" type sale. I suppose they could complain to OSHA or the Consumer Products Safety Commission about the lack of interlocks, etc. :^) Maybe the Israelis would consult?

Regards
cww
 
Stuxnet and attacks specifically targeting a particular site are in their own category, one where running Linux instead of Windows would not have helped anyway--Stuxnet used the DCS engineering tool itself as a vector, which could have been done on any OS. Plus, Linux and other non-Windows OSes have their own zero-day exploits. At least some of the Stuxnet infections took place at suppliers rather than the site, so it is hard to imagine anything that could have prevented it. In the end, running a non-Windows OS is really only protection against generic malware and viruses.

Also, you're making my point for me on isolation. The only way for a non-networked computer or isolated network to be infected is by a user doing something unsafe--namely things they might do on an office network. Control networks are not office networks--there is no reason for users to be doing anything on an HMI or control network that isn't part of an approved procedure. If you don't allow any external network access, devices, or software, you are as secure as any digital control system is ever going to be. That is exactly what critical infrastructure sites should be doing.

Once you let external devices in, say a USB drive with application code updates from a vendor, even an approved procedure can be exploited. The LNK exploit Stuxnet used is a good example of one that could have tripped up many sites--but again, in a targeted attack your OS choice may not help much, as every OS has vulnerabilities.

As for security of non-TCP/IP networks and serial links--sure you might be able to attack them with a specifically targeted exploit. However, there are a lot fewer potential ways to do the exploit, especially on a well defined serial protocol. It is like comparing a text file to a binary file (or Linux to Windows)--hardening is a lot easier. Often serial protocols start out hardened, as they have to handle randomly corrupted data, unlike protocols where the physical layer handles error correction for them.
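The two posts above disagree on whether a serial Modbus link is inherently easier to harden than Ethernet; both agree the risk lives in the library that parses the frame. As an added example (not code from anyone in this thread), here is a Modbus RTU Write Multiple Registers (function 0x10) parser in C that checks the CRC and refuses any frame whose declared register count or byte count disagrees with the bytes actually received, which is the class of defect that would let a crafted frame overrun a buffer; the function names and the frame-builder helper are mine, the field layout and the 123-register limit are from the Modbus spec.

```c
#include <stdint.h>
#include <stddef.h>
#define MAX_REGS 123  /* Modbus spec limit for function 0x10 so the ADU fits in 256 bytes */
/* CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR. */
uint16_t modbus_crc16(const uint8_t *buf, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA001) : (uint16_t)(crc >> 1);
    }
    return crc;
}
struct write_regs { uint8_t unit; uint16_t start, qty, regs[MAX_REGS]; };
/* Frame layout: unit, 0x10, start(2), qty(2), byte count, data, CRC lo, CRC hi.
 * Returns 0 on success or a negative reason code. Every length the frame *claims*
 * is checked against the bytes actually received before anything is copied. */
int parse_write_regs(const uint8_t *frame, size_t len, struct write_regs *out) {
    if (len < 9 || len > 256) return -1;                     /* RTU size limits */
    uint16_t rx_crc = (uint16_t)(frame[len - 2] | (frame[len - 1] << 8));
    if (modbus_crc16(frame, len - 2) != rx_crc) return -2;  /* corrupt or tampered */
    if (frame[1] != 0x10) return -3;                         /* not this function */
    uint16_t qty = (uint16_t)((frame[4] << 8) | frame[5]);
    uint8_t count = frame[6];
    if (qty == 0 || qty > MAX_REGS) return -4;               /* outside spec range */
    if (count != qty * 2) return -5;                         /* count/qty disagree */
    if ((size_t)count + 9 != len) return -6;                 /* count/frame disagree */
    out->unit = frame[0];
    out->start = (uint16_t)((frame[2] << 8) | frame[3]);
    out->qty = qty;
    for (uint16_t i = 0; i < qty; i++)
        out->regs[i] = (uint16_t)((frame[7 + 2 * i] << 8) | frame[8 + 2 * i]);
    return 0;
}
/* Constructs a request into buf (at least 256 bytes) and returns its length; the
 * claimed_count field is written verbatim so a test can build a lying frame. */
size_t build_write_regs(uint8_t *buf, uint8_t unit, uint16_t start,
                        const uint16_t *regs, uint8_t qty, uint8_t claimed_count) {
    size_t n = 0;
    buf[n++] = unit; buf[n++] = 0x10;
    buf[n++] = (uint8_t)(start >> 8); buf[n++] = (uint8_t)start;
    buf[n++] = 0; buf[n++] = qty; buf[n++] = claimed_count;
    for (uint8_t i = 0; i < qty; i++) {
        buf[n++] = (uint8_t)(regs[i] >> 8); buf[n++] = (uint8_t)regs[i];
    }
    uint16_t crc = modbus_crc16(buf, n);
    buf[n++] = (uint8_t)crc; buf[n++] = (uint8_t)(crc >> 8);  /* CRC low byte first */
    return n;
}
```

A frame that fails the CRC never reaches the length checks, and a frame that passes the CRC but whose byte count does not match both the quantity field and the real frame length is rejected before any register is copied.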
 
Mostly true, nothing can absolutely prevent a determined attack by a sufficiently skilled person. But you can make it far more difficult and you can seriously cut down on the number of sufficiently skilled people. But it's splitting hairs to say a 99% solution is not a solution, and I would think the improvement would be on that order at least. If you just get rid of the glaring faults it will go a long way. It's safe to say the easily available exploits are for Windows. And only Windows will automatically exec binaries on a USB stick. And workers are much more likely to mess with Windows than something they don't know. And not knowing exactly what the target is running would pose problems. It's really a case of hacker hostile vs hacker friendly. And if rather than OTS Linux, you go to a version secured by experts at the vendor, rather than Windows installed by just anyone, to say the OS doesn't matter is pretty weak. Taking out all the non-automation related crap and enabling SELinux at high security would be just about as bulletproof as you can achieve practically and vastly more secure than user installed Windows.

Regards
cww
 