Was the Stuxnet malware designed to destroy Iran's Bushehr nuclear power plant?

Following this with interest, as I work in the field of industrial controllers. One of the strong selling points of PLCs vs. general purpose computers is that they have never been the target of malware…until now. In the last decade or so Windows has become reliable enough to use as a human-machine interface (HMI) to these systems. Most still don’t trust it with the actual control, but providing the operators with a spiffy looking graphical interface has been deemed worth the risk, especially if the process can keep running while the HMI is rebooted. It sounds like this was targeted at SCADA computers which are typically yet another layer removed from the actual control system, often only used in monitoring capacity.

And yes, you could really do some serious physical damage from the control system. Not all that uncommon for something to get broken during test/debug phase of commissioning a control system…Typically have someone with their finger on the E-stop and still shit happens.

No critical system should be installed without a means of restoring to a proper working state. I don’t contend that this simple method of protection against malware is employed everywhere it should be, but it is very simple. It’s just code. Any system where this can’t be done is as susceptible to bugs and glitches as it is to malware.

There’s a certain strategic logic to this, as well: the US really, really doesn’t want Israel bombing Bushehr, but Israel is (understandably) very nervous about the prospect of a nuclear Iran. “Hold off on the air raid, and we’ll help you do this the sneaky way,” might not have been a bad option for the US.

The problem with this strategy is starting a cyber-war. And we are the most vulnerable to the attacks. It doesn’t take enormous resources to create cyber weapons, which will exceed simple software vandalism.

I’m not sure if we’re talking past each other somehow or if I’m not being clear here. If I’m writing malware to target your nuclear reactor, and it’s written in such a way that it interacts with critical reactor systems that causes you to suffer a nuclear meltdown before you realize that you’re infected, I really don’t care that you can restore the control software from backup later–your reactor is a pile of glowing slag.

Yes, I see, you were only commenting on my last post which was based on the first post above which assumed the malware had been detected, prior to significant damage. Obviously, detection after the horses have left the barn and eaten your children is of little use (unless you have more children).

“The wars of the future will not be fought on the battlefield or at sea. They will be fought in space, or possibly on top of a very tall mountain. In either case, most of the actual fighting will be done by small robots. And as you go forth today remember always your duty is clear: To build and maintain those robots.”

It’s happening!

Protecting against known vulnerabilities would be a first step. This wasn’t an attack that came “from the sky.” We knew about it for half a year. Patches can present vulnerabilities, too.

The LNK vuln was disclosed in the June/July period.

And the worm was in the wild by then.

Wikipedia has a page up with footnotes to what is probably all the info available so far. They say stuxnet was first reported mid-June but one part contains a build time stamp from February, so it’s likely they were working on it for a while. It also says it was 4 zero day exploits, but who knows if that will hold up. Not sure why it’s important, a single 0-day is pretty boring, using any more than one for nothing but delivery just shows that some pretty slick guys were working on it.

I’m still not following you. The reason the vulnerabilities were patched was because Stuxnet had been discovered - it had already infected systems.

So I still don’t understand what “system hardening” should have taken place prior to the discovery of the malware and the specific exploits it uses?

This isn’t malware attacking the PLC CPUs, it was a targeted, custom attack. The virus on the programming terminals was injecting user-level code into the programs and data blocks downloaded to the physical PLC processor. The processor would then run checking code every 100ms (the ‘user’ OB35 standard timer program block) and look for specific data in data tables, as well as communicate back up to the supervisory system.

The attack wasn’t generic at all. The same deployment wouldn’t do anything to any of the hundreds of PLCs or HMIs at the site I work at.

Latest report: cleaned systems getting re-infected from internal project files that had become infected also.

Update: Iran trying to hire outside security experts after attempts to remove failed.

http://www.debka.com/article/9050/
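The posts above describe blocks (such as a cyclic OB35) being injected into what gets downloaded to the PLC, and cleaned systems being re-infected from project files. One defender-side check that follows from the "restore to a known working state" point is a baseline manifest of the exported blocks, taken from a trusted offline copy rather than the engineering station's project files, and compared against what is currently there. This is an added example, not code from the thread; the block names, contents and the `build_manifest`/`verify_blocks` functions are constructed for illustration and are not real PLC code.

```python
"""Baseline integrity check for exported PLC block files (constructed example)."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(blocks: dict[str, bytes]) -> dict[str, str]:
    """Hash every block of a trusted, offline project export (the known-good state).
    Take this from a copy that never lived on the engineering station, since the
    project files there may themselves have been modified."""
    return {name: sha256(body) for name, body in blocks.items()}


def verify_blocks(manifest: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the blocks now present (engineering station export or PLC upload)
    against the manifest. Returns sorted lists of added, modified and removed blocks."""
    added = sorted(n for n in current if n not in manifest)
    removed = sorted(n for n in manifest if n not in current)
    modified = sorted(
        n for n in current if n in manifest and sha256(current[n]) != manifest[n]
    )
    return {"added": added, "modified": modified, "removed": removed}


# Constructed sample: trusted export taken at commissioning (placeholder contents).
TRUSTED_EXPORT = {
    "OB1": b"OB1 placeholder main cycle",
    "DB10": b"\x00\x10\x00\x20\x00\x30",
}

# Constructed sample of the same project later: a cyclic OB35 appears where none
# was commissioned, and DB10 has grown by two data bytes.
SUSPECT_EXPORT = {
    "OB1": b"OB1 placeholder main cycle",
    "OB35": b"OB35 placeholder cyclic block",
    "DB10": b"\x00\x10\x00\x20\x00\x30\xde\xad",
}


def main() -> None:
    report = verify_blocks(build_manifest(TRUSTED_EXPORT), SUSPECT_EXPORT)
    for kind, names in report.items():
        if names:
            print(f"{kind}: {', '.join(names)}")


if __name__ == "__main__":
    main()
```

An empty report from a fresh PLC upload compared against the offline manifest is the condition to require before calling a system clean.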

Yeah, I got that. Not worried about this attack, worried about future ones perhaps not so specifically targeted.

Surprisingly, several news stories have said that this virus sends information to the originators. That doesn’t seem possible, as it seems that the power plant computers would have no way to contact the outside world.

Also, from what I read, although the virus can and does propagate to other machines it does not do anything if they are not the power plant. How then do all these other people know that they are infected?

It wasn’t the power plant that was targeted, according to most independent news agencies it was the centrifuges which process yellow cake (Uranium ore) into “Uranium” (weapons grade, refined uranium).

From the DEBKA article:

I recognize that “cyberterror” may well lead to rounds of retaliation with everyone coming out the worse for wear. Still, I have to admit that I’m full of admiration for the Israelis; they seem to have pulled off quite the coup. What a brilliant way to prevent a nuclear-armed Iran. :cool:

Worm Was Perfect for Sabotaging Centrifuges

Still:

So, no calls to the ‘Destroy_Iranian_Centrifuges(now, HARD)’ function, however:

Gotta balance those parentheses! :wink:

Makes sense. More difficult to find the worm if you don’t even know what caused the problem.