Previous in Forum: ABB programmimg   Next in Forum: Barcoding Explained
Close
Close
Close
23 comments
Guru

Join Date: Sep 2007
Location: Defreestville, NY
Posts: 1072
Good Answers: 87

Stuxnet

09/23/2010 11:06 PM

As a controls system engineer this is a very troublesome development.
Now its one thing for your refrigerator to go online to get the latest prices for stuff you're running out of, get infected and shut down. It's quite another for your LNG processing plant to accept valve operating instructions from the internet when there are millions of cubic feet of natural gas on site. No controls engineer in his/her right mind would let critical control infrastructure even connect to the internet directly. (yes,yes,yes it's fine to report conditions over some VPN webpage, but CONTROL ??) Now this troubles me because 1) the internet is not required, 2) it infects PLC's, which, although simpler than personal computers, vastly outnumber them in machine control applications worldwide, 3) it may be exploiting several zero day vulns in WinCE , which is a very common OS for control systems that have never been exploited before , 4) it is a sophisticated worm capable of hiding itself from the PLC programmer 5) it might be propagating via PLC OS updates without anyone knowing 6) it probably has bugs which could wreak all kinds of havoc 7) My oncologist uses a 12MeV Siemens LINAC to give radiation treatments to a dozen people daily, the PLC controls beam intensity and duration and angle and linear position. How many of the safety interlocks are coded into the PLC me wonders as the HV supply contactor kicks in?

http://blogs.forbes.com/andygreenberg/2010/09/22/theories-mount-that-stuxnet-worm-sabotaged-iranian-nuke-facilities/?boxes=techchannelsections

http://news.yahoo.com/s/csm/327178

http://www.telegraph.co.uk/technology/news/8021102/Stuxnet-virus-worm-could-be-aimed-at-high-profile-Iranian-targets.html

http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices

http://www.bcs.org/server.php?show=conWebDoc.37297

Anyone familiar with this worm from hell?

__________________
Charlie don't surf.
Register to Reply
Pathfinder Tags: stuxnet worm PLC
Interested in this topic? By joining CR4 you can "subscribe" to
this discussion and receive notification when new comments are added.

Comments rated to be Good Answers:

These comments received enough positive ratings to make them "good answers".
Guru
United States - Member - New Member Engineering Fields - Control Engineering - New Member

Join Date: Mar 2006
Location: Washington USA
Posts: 566
Good Answers: 53
#1

Re: Stuxnet

09/24/2010 1:08 AM

You can never eliinate every vulnerability, but they should be mitigated to the extent that is within reason.

Register to Reply
Guru
Technical Fields - Technical Writing - New Member Engineering Fields - Piping Design Engineering - New Member

Join Date: May 2009
Location: Richland, WA, USA
Posts: 20964
Good Answers: 780
#2

Re: Stuxnet

09/24/2010 2:20 AM

Just put an emergency stop button on your Web-enabled pacemaker, and die be happy.

__________________
In vino veritas; in cervisia carmen; in aqua E. coli.
Register to Reply
Guru

Join Date: Jul 2010
Posts: 667
Good Answers: 175
#3

Re: Stuxnet

09/24/2010 2:57 PM

Here is Siemens' web page regarding Stuxnet

http://tinyurl.com/23zb62k


The interesting thing to me is that it was designed to hit a PC via a USB flash drive, probably with the knowledge that industrial network practice is to be isolated from the business side network(s) with the attendant issues of the hazards of internet connectivity on the business side.

Isolation from the internet is not a cure-all, by any means.

Register to Reply
Power-User
Hobbies - Automotive Performance - New Member Hobbies - CNC - New Member

Join Date: Jun 2008
Location: Long Island, NY
Posts: 322
Good Answers: 1
#4
In reply to #3

Re: Stuxnet

09/24/2010 3:44 PM

Isolation from the internet is not a cure-all, by any means. Absolutely.

__________________
It is better to fail in originality than to succeed in imitation.
Register to Reply
Guru
United States - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Petroleum Engineering - New Member Hobbies - Target Shooting - New Member

Join Date: Jan 2008
Location: Spring, Texas
Posts: 3403
Good Answers: 149
#5

Re: Stuxnet

09/24/2010 10:54 PM

Could you imagine the devastation if one or more of the refineries/petrochemical plants on the banks of the Houston Ship Channel were to go up because of this? we have something like 40% of the nation's petrochem and refining capacity in that one small area. They might as well have set off a nuke there. Not just blast damage and poison gas clouds up-wind of 5 million people, but what about the economic devastation nationwide as a result? This is one heluva potential terrorist weapon.

All that said, there is some speculation that this was the product of a nation state (ours? Israel's?)and the target was Iran's nuclear reactor and HEU refining systems.

__________________
Who is John Galt?
Register to Reply
Guru

Join Date: Dec 2006
Location: Germany 49° 26' N, 7° 46' O
Posts: 1950
Good Answers: 109
#6

Re: Stuxnet

09/25/2010 1:09 PM

Hi,

there is a rumor around that Stuxnet is targeting the Iranian nuclear facilities.

Busher nuclear power plant seems to have problems with startup and from the centrifuge unit there was reported (but not confirmed) an accident or malfunctioning of centrifuges.

It would make sense that one or more secret services acted with sufficient money and expert power to create this demon.

But if so, why did the programmers let it infect other computers and thus be vulnerable to antivirus software? Impact would have been much more devastating if there would be a self limiting action.

It would be easy to include a self delete if not installed at the targeted computers.

This story is without any doubt an early warning about coming times of cyber war!

RHABE

Register to Reply
Guru
United States - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Petroleum Engineering - New Member Hobbies - Target Shooting - New Member

Join Date: Jan 2008
Location: Spring, Texas
Posts: 3403
Good Answers: 149
#7
In reply to #6

Re: Stuxnet

09/26/2010 3:08 PM

Two words:

plausible deniability. By making it more or less widespread, it obfuscates it's origin and target.

Further it punishes Germany for selling it's equipment to known terrorist sponsors. If Seimens hardware gets a reputation as being unsecure, then the terrorists will be forced to try to buy control systems elsewhere and that may make it easier to track the sales.

Further, there could have been other installations that they were unaware of that utilized similar system designs, so this way they find out about those too.

__________________
Who is John Galt?
Register to Reply
Guru

Join Date: Dec 2006
Location: Germany 49° 26' N, 7° 46' O
Posts: 1950
Good Answers: 109
#8
In reply to #7

Re: Stuxnet

09/26/2010 4:23 PM

Multilevel arguments, I agree!

Except: selling to terrorists, this Busher is a pretty old activity starting in 1971!

It was another world at that time!

RHABE

Register to Reply
Guru
United States - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Petroleum Engineering - New Member Hobbies - Target Shooting - New Member

Join Date: Jan 2008
Location: Spring, Texas
Posts: 3403
Good Answers: 149
#9
In reply to #8

Re: Stuxnet

09/26/2010 5:20 PM

Sorry Rhabe, that argument doesn't hold water. none of this hardware or software even existed in 1971. And the reactor in question was built in the last 2 years by the Russians and the Iranians using German control software and hardware. It was fuelled last month for the first time. It has not entered service yet.

__________________
Who is John Galt?
Register to Reply
Guru

Join Date: Dec 2006
Location: Germany 49° 26' N, 7° 46' O
Posts: 1950
Good Answers: 109
#10
In reply to #9

Re: Stuxnet

09/26/2010 5:57 PM

You are right, but I don't know if and how they got the software - if they did.

We are forced by law (and severe punishment) not to export sensitive equipment,

except we get a permit.

So if anybody is to blame it is our government and the export control regulations.

RHABE

Register to Reply
Guru
United States - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Petroleum Engineering - New Member Hobbies - Target Shooting - New Member

Join Date: Jan 2008
Location: Spring, Texas
Posts: 3403
Good Answers: 149
#11
In reply to #10

Re: Stuxnet

09/26/2010 6:07 PM

It all depends on how you define the terms "sensitive" and "export". If you sell it to Russia with the knowledge that it is going to Iran, is that not the same thing as selling it to Iran directly? under your country's rules, no it isn't. And what constitutes "sensitive" anyway? Is a PLC "sensitive" technology?

__________________
Who is John Galt?
Register to Reply
Guru

Join Date: Dec 2006
Location: Germany 49° 26' N, 7° 46' O
Posts: 1950
Good Answers: 109
#13
In reply to #11

Re: Stuxnet

09/27/2010 4:50 AM

I am not involved in these rules. So I cannot comment if something like an end-user certificate has to be existing.

There is an other possibility that this system was chosen by consent of some secret services knowing about manipulation possibilities.

RHABE

Register to Reply
Guru
United States - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Petroleum Engineering - New Member Hobbies - Target Shooting - New Member

Join Date: Jan 2008
Location: Spring, Texas
Posts: 3403
Good Answers: 149
#15
In reply to #13

Re: Stuxnet

09/27/2010 8:02 AM

I understand that you had nothing to do with it Rhabe, I'm not pointing fingers at you.

And you are also correct that the control system may have either been selected up front for it's vulnerabilities, OR once the control system was known, the worm crafted for this specific purpose.

__________________
Who is John Galt?
Register to Reply
3
Power-User
Engineering Fields - Petroleum Engineering - Rig Electrician United States - Member - the Oil Patch Engineering Fields - Power Engineering - Drives & Gen's Engineering Fields - Instrumentation Engineering - Drive Control Popular Science - Cosmology -

Join Date: Jan 2010
Location: Houston off/on-shore @ Oil Patch
Posts: 225
Good Answers: 2
#12

Re: Stuxnet

09/27/2010 12:11 AM

German IACS security researcher Ralph Langner has successfully analyzed the Stuxnet malware that appeared to be a miracle. Stuxnet is a directed attack against a specific control system installation. Langner will disclose details, including forensic evidence, next week at Joe Weiss' conference in Rockville.

Stuxnet logbook, Sep 16 2010, 1200 hours MESZ

With the forensics we now have it is evident and provable that Stuxnet is a directed sabotage attack involving heavy insider knowledge. Here is what everybody needs to know right now.

Fact: As we have published earlier, Stuxnet is fingerprinting its target by checking data block 890. This occurs periodically every five seconds out of the WinCC environment. Based on the conditional check in code that you can see above, information in DB 890 is manipulated by Stuxnet.

Interpretation: We assume that DB 890 is part of the original attacked application. We assume that the second DWORD of 890 points to a process variable. We assume that this process variable belongs to a slow running process because it is checked by Stuxnet only every five seconds.

Fact: Another fingerprint is DB 8062. Check for the presence of DB 8062 in your project.

Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snipplet).

From here http://powerandcontrol.blogspot.com/2010/09/plant-breakdown.html he's shy a fry for his happy meal on some other things but good on this, Langner is the one on top who's talking. Go here http://www.langner.com/en/

Everyone is saying that the cleaning instructions from Siemens won't work, EVEN if you re-write and re-compile all the code, it's a root-kit that stays on the EPROM and RAM in the PLC. http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view Changing the processor might work IF you have it all cleaned out of you Factory Link or WonderWare or Sinatic Manager because it can't be cleaned from WinCC.

This may be a BIG DEAL later or it's all over and the worm has done its job a year ago when the Iranian's had all the failures. The big deal is it waiting to do more havoc later on command, could be if the DWORD of 890 and DB8062 is specific enough to limit the damage to the Middle East, otherwise it's like acoustic weapons, as likely to damage you as the target.

So far no verifiable damage has been done, who REALLY knows what's going on in Iran. And Siemens could be hiding what's going on with systems that have legal Step 7 licenses and their support they are involved in, nothing has blown up yet, but they say "we know of 15 systems infected worldwide", I think there is more to come.

I'm in Houston Rorschach and do PLC & VFD on Drilling rigs, all the Deepwater rigs were Step7, talk all ready about it causing the BOP not to close BUT that was the only PLC that wasn't Siemens, it was a GE like the VFD'S

__________________
Why do they make manhole covers round? so they won't fall in [before asking "Who is John Galt?"]
Register to Reply Good Answer (Score 3)
Guru
United States - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Petroleum Engineering - New Member Hobbies - Target Shooting - New Member

Join Date: Jan 2008
Location: Spring, Texas
Posts: 3403
Good Answers: 149
#14
In reply to #12

Re: Stuxnet

09/27/2010 7:58 AM

I'm almost certain that the BOP control pod failure was a simple systems failure (bad umbilical, or a leaking cable gland that flooded the control pod. something simple like that. the BOP failure was a result of somebody being in a hurry and not tightening all the hydraulic connections before the BOP was deployed. when it all comes out I'd be willing to bet that the common theme is Hurry Up! We gotta make hole! This project is WAY overdue!

But that analysis of the code seems pretty specific. I know this was the only Transocean deepwater series rig that had a Cameron BOP stack. all the rest have Hydril/GE. Hydril couldn't deliver in Transocean's time frame so they went with Cameron for the first one. I don't know anything about the control PLC's though.

__________________
Who is John Galt?
Register to Reply
Power-User
Engineering Fields - Petroleum Engineering - Rig Electrician United States - Member - the Oil Patch Engineering Fields - Power Engineering - Drives & Gen's Engineering Fields - Instrumentation Engineering - Drive Control Popular Science - Cosmology -

Join Date: Jan 2010
Location: Houston off/on-shore @ Oil Patch
Posts: 225
Good Answers: 2
#16
In reply to #14

Re: Stuxnet

09/27/2010 10:24 AM

Yes, isn't it ironic the most 'suspect' PLC's on the Millennium were a GE Fanuc in the BOP and the Engine control, some hybrid Woodward thing. Of course the BIG bunch of PLC that are maybe infected is the Cyber Chairs with their notorious blue screen of death, we were always working to keep anything dangerous from happening when the Factory Link (in windows) crashed, Driller always had control of the Hook even if he couldn't see WOB screen. Oh yes that's why all the rigs had an old fashion WOB gage outside the window hooked to the Dead Man just in case, also why there were two or three Cyber Chairs, figured he could always take the other one. We never thought about something getting from the SCADA windows system into the PLC, HiTech just didn't think about, neither did I doing the GE VFD's.

I thought all 4 Deepwater's had Cameron's Rorschach, know/think the Nautalus did, that's how they were able to use its hot stab when the one for the DWM went down with the rig, but not sure, BOP was a long way from my drive room. Do remember them wanting a Hydril but couldn't get them, talk back then of GE getting them.

__________________
Why do they make manhole covers round? so they won't fall in [before asking "Who is John Galt?"]
Register to Reply
Power-User
Engineering Fields - Petroleum Engineering - Rig Electrician United States - Member - the Oil Patch Engineering Fields - Power Engineering - Drives & Gen's Engineering Fields - Instrumentation Engineering - Drive Control Popular Science - Cosmology -

Join Date: Jan 2010
Location: Houston off/on-shore @ Oil Patch
Posts: 225
Good Answers: 2
#17
In reply to #14

Re: Stuxnet

09/27/2010 12:49 PM

I'm sure it was the cables too, BUT there was that minute or two that the Driller was at the Drilling Cabin BOP Panel while the AD was on the phone to the Toolpusher in his bedroom when the well was blowing through the slips but before it caught fire. Why didn't it close then, hanger or pipe joint in the shear rams? Could be, everyone still quite about what they found in the recovered BOP.

Or was the logic changed in the PLC, per BP's instructions, to make it less likely to accidently close the shear rams or disconnect from the Drill Floor?

And how it will end up being blamed on Halliburton because that's who has it coming to the people who have shutdown most ALL the drilling in the GoM.

BP is already off the hook for paying ANY the oil workers who have lost their jobs and everyone is still talking about only a few million gallons being spilled by BP, which will work out to a fine of about the 20B that they have already given the "community organizers" to distribute.

OK, enough on the DWH blowout I'm sure had nothing to do with the Stuxnet worm. I'll go back to gCaptain and the Drillers Club to make posts like this.

BACK ON TOPIC:

My wife posted in her blog, http://ponderingpenguin.blogspot.com/ about the Stuxnet worm, and got this comment from what 'looks' like a non government computer in Virginia:

Anonymous said...The Pentagon is probably just envious:P
And you know the attack was really, really bad when the Iranians try to downplay the Israeli aggression. They must have gotten whacked hard.
They will try to save some space (think Anonymous meant Face here) by using the rest of their bomb fuel to get the plant up and running, but they are set back many years and their reputation of invincibility severely damaged.

Has anyone else about them having to use the fuel from the centrifuges to fuel the reactor?

If the centrifuges are scrap now (as the 100ms delay would cause) this is big news and a real delay to when they can nuke someone.

That would be assuring, Stuxnet did its job over a year ago and there is no need to use it again for another attack that might effect a lot of other PLC's considering how far it's spread now.

__________________
Why do they make manhole covers round? so they won't fall in [before asking "Who is John Galt?"]
Register to Reply Off Topic (Score 5)
Guru
United States - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Petroleum Engineering - New Member Hobbies - Target Shooting - New Member

Join Date: Jan 2008
Location: Spring, Texas
Posts: 3403
Good Answers: 149
#19
In reply to #17

Re: Stuxnet

09/27/2010 1:14 PM

Small world, I've run across Pondering Penguin a few times myself....

The reactor was fueled by Russia already. But yes, it is HEU (Highly Enriched Uranium), not LEU like most power plants use. HEU is almost exclusively used for breeder type reactors which are used to generate Plutonium. Plutonium has only two uses that I am aware of: bombs, and Nuclear Thermo-electric generators.

And yes I do suspect that the logic was altered to prevent inadvertent and premature disconnects, and given how rushed and poorly executed/documented the test ram conversion on the BOP was, I'd be willing to bet the logic had not been fully tested and debugged either.

But it is my understanding that a section of the casing was ejected from the bottom of the well during the blowout and the casing hanger was lodged in the BOP which would have prevented the rams from closing even if the rams had full hyd. pressure which they did not due to hydraulic leaks from poorly made-up connections. but even so, one side of the rams DID fully extend and lock, the other side however did not.

__________________
Who is John Galt?
Register to Reply Off Topic (Score 5)
Guru

Join Date: Dec 2006
Location: Germany 49° 26' N, 7° 46' O
Posts: 1950
Good Answers: 109
#20
In reply to #19

Re: Stuxnet

09/27/2010 4:09 PM

Why on Earth should Russia help them to get the bomb?

Very unlikely that they changed their politic guideline that is now valid since the early 60ies when the quarrel between Russia and China started about nuclear weapons technology and the Russians declining any information. The Russians would gain nothing in helping them with this stuff. They signed the non-proliferation treaty.

So why?

So I expect another reasoning behind the HEU. (Speculation only).

What about adding a few % of non-weapons grade Pu? This would spoil the produced Pu in the first cycle of reprocessing. If reprocessing in short intervals takes place this will be known from the exhausted gases. Maybe they added some specific tracer to the HEU to get better monitoring data?

Is there anything known about how many loads the Russians supplied?

Pu for weapons has to be extracted after irradiating a few weeks only (other newspaper said a few days?). These articles also said that the Busher reactor is not well suited for producing Pu, they have a heavy water reactor that would be suited much better. Maybe Busher is camouflage only?

RHABE

Register to Reply Off Topic (Score 5)
Guru
United States - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Petroleum Engineering - New Member Hobbies - Target Shooting - New Member

Join Date: Jan 2008
Location: Spring, Texas
Posts: 3403
Good Answers: 149
#21
In reply to #20

Re: Stuxnet

09/27/2010 4:23 PM

Rhabe, I have no clue what is going through Russia's collective mind. They tend to play both ends towards the middle. They have as much to fear from a nuclear iran as anyone, but yet they are assisting them in it.

makes absolutely no sense to me at all.

__________________
Who is John Galt?
Register to Reply Off Topic (Score 5)
Guru

Join Date: Feb 2007
Location: Israel
Posts: 2923
Good Answers: 24
#23
In reply to #20

Re: Stuxnet

10/10/2010 6:11 AM

"...Maybe Busher is camouflage only?..."

I think the Iranian effort is active on many parallel levels and alternative venues.

Their strategy to develop nukes was decided in contradiction to the view of Ayatollah Khomeini, the "father" of the Islamic revolution in Iran.

Following the Iran-Iraq war during the nineteen-eighties, a strategy was agreed upon the by the ruling class, to develop a strong rocket-branch in the army and defense industries, and for the coordinated effort to strive for a military nuke capability.

Their strive for achieving nukes was driven by their crisis in that war, threatening to topple the Islamic regime, by the (then) secular Iraqi regime, and fear of Nuclear Israel and Saudia.

Saudia is currently thought to posses pre-made tactical nukes sold to the by Brazil.

The Iranian drive to race for nukes, was lessened by the toppling of Saddam's Iraqi regime, but augmented by the rumors of possible Saudi nukes.

They view (Wahabi Islamic) Saudia their main rivalry in an ancient religious dispute, since they view themselves as the leader of the Shiite Islamic sphere of influence.

For them, nukes are essential for the projection of power in the Islamic world mainly, visa-vie Saudia, Pakistan and Malaysia, not so much for defence, as their original thought was, in the eighties and nineties.

I think their strive for fission devices is more as a paveway for achieving fusion, not yet achieved by an Islamic state or organisation.

Eventually, it's inevitable, unless a radical change of mind is due, in the Arab and Islamic world, about their geopolitical relations with the rest of the world.

It's a deep, disturbing question, about the future of civilised relations between states and religions on earth.

Register to Reply Off Topic (Score 5)
Power-User
Engineering Fields - Petroleum Engineering - Rig Electrician United States - Member - the Oil Patch Engineering Fields - Power Engineering - Drives & Gen's Engineering Fields - Instrumentation Engineering - Drive Control Popular Science - Cosmology -

Join Date: Jan 2010
Location: Houston off/on-shore @ Oil Patch
Posts: 225
Good Answers: 2
#18

Re: Stuxnet

09/27/2010 12:54 PM

double post, sorry

__________________
Why do they make manhole covers round? so they won't fall in [before asking "Who is John Galt?"]
Register to Reply Off Topic (Score 5)
Power-User
Engineering Fields - Petroleum Engineering - Rig Electrician United States - Member - the Oil Patch Engineering Fields - Power Engineering - Drives & Gen's Engineering Fields - Instrumentation Engineering - Drive Control Popular Science - Cosmology -

Join Date: Jan 2010
Location: Houston off/on-shore @ Oil Patch
Posts: 225
Good Answers: 2
#22

Re: Stuxnet

09/28/2010 1:20 PM
__________________
Why do they make manhole covers round? so they won't fall in [before asking "Who is John Galt?"]
Register to Reply
Register to Reply 23 comments
Interested in this topic? By joining CR4 you can "subscribe" to
this discussion and receive notification when new comments are added.

Comments rated to be Good Answers:

These comments received enough positive ratings to make them "good answers".
Copy to Clipboard

Users who posted comments:

Ace Boeringa (1); Economist (1); Iris (1); kwcharlie (5); RHABE (5); Rorschach (8); Tornado (1); Yuval (1)

Previous in Forum: ABB programmimg   Next in Forum: Barcoding Explained

Advertisement