Thursday, 23 September 2010

From the MailBag - StuxNet

From a comment in my last blog post:
"Completely off-topic, but I thought you might want to see this and, perhaps, weigh in. Scary stuff."

Yes, it is scary, and the scary part has nothing to do with the virus itself. I'll tell you why it's scary.

Most, if not all, of the PLCs (Programmable Logic Controllers) on manufacturing lines and in other industrial facilities have no security built into them whatsoever: no authentication, no access control, nothing. Modern plants use these programmable devices to control every aspect of manufacturing. They are miniature computers that you hook up to drives, motors, hell, almost anything. You program the controller to perform a repetitive action, and you have an automated assembly line. To talk to one of these things, all you need is a telnet client (which every computer has). You connect to the PLC from that client and presto! you see all the readings that PLC is measuring. No username, no password, no nothing. Just by connecting, you're in. For instance, say you have a PLC that monitors and controls a motor. Just by making a telnet connection you see the RPMs of the motor scrolling on your screen. Type the right command, or type random characters on your keyboard long enough for one of them to be parsed as a command, and you'll tell the motor to stop, slow down, speed up, whatever. Given that most manufacturing lines run on very tight tolerances, any uncontrolled change will at least ruin the product, and at worst blow up the entire goddamned plant. And you can do it just by monkeying around on the keyboard.

Which is why it is a bad idea to connect these fucking disasters waiting to happen to a public network. To secure them, you have to rely on physical control measures: one computer per PLC inside a "secured" facility (usually secured by a $7.50/hour security guard sleeping at his desk). So an attacker, by hook or by crook, either gets to that computer and inserts a USB key with a program that takes it over, or convinces the engineer in charge of the line to plug it in for him. Bundle the payload with a "fix" for the PLC software and the hapless engineer will never know what happened.

My point is, it is child's play to take over a PLC and blow up a plant. And you thought Windows was full of security holes? It's frakkin' Fort Knox compared to a PLC. Good luck sleeping tonight!
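As an added example (not from the original post, and not anything Catelli wrote or ran), here is a small Python check for the exposure the post describes: connect to each candidate host and port, read whatever the service volunteers without sending a single byte, and flag anything that answers without ever presenting a login prompt. A constructed stand-in "PLC console" is included so the script runs offline; the fake RPM banner, the login-prompt keywords and the suggestion of port 23 for telnet-style consoles are assumptions for illustration, not data taken from any real controller. The same check applies to any other raw industrial protocol port you care to list.

```python
import socket
import threading

# Heuristic only (an assumption for this example): if nothing the service
# volunteers mentions a login or password, treat it as "connect and you're
# in", which is the condition the post describes.
LOGIN_MARKERS = (b"login", b"password", b"username")


def start_fake_plc(greeting: bytes) -> tuple:
    """Stand-in for a PLC console, constructed for this example only.

    Accepts any TCP client with no credential check, sends `greeting`
    (pretend telemetry such as RPM readings) and closes. Returns (host, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, so repeated runs never collide
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                try:
                    conn.sendall(greeting)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    host, port = srv.getsockname()
    return host, port


def looks_like_login_prompt(banner: bytes) -> bool:
    low = banner.lower()
    return any(marker in low for marker in LOGIN_MARKERS)


def probe(host: str, port: int, timeout: float = 1.0) -> dict:
    """Connect once, read what the service sends unprompted, classify it.

    Deliberately sends nothing: on a real control network even a stray byte
    can be parsed as a command, which is exactly the "random typing" problem.
    """
    result = {"host": host, "port": port, "open": False,
              "banner": b"", "login_prompt": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            chunks = []
            try:
                while sum(len(c) for c in chunks) < 512:
                    data = s.recv(256)
                    if not data:  # peer closed the connection
                        break
                    chunks.append(data)
            except socket.timeout:
                pass  # port open but silent: still reachable, still recorded
            result["banner"] = b"".join(chunks)
    except OSError:
        return result  # refused, unreachable, or timed out on connect
    result["login_prompt"] = looks_like_login_prompt(result["banner"])
    return result


def scan(targets, timeout: float = 1.0) -> list:
    return [probe(host, port, timeout) for host, port in targets]


def exposed(results) -> list:
    """Services that answered without ever asking who you are."""
    return [r for r in results if r["open"] and not r["login_prompt"]]


def verdict(r: dict) -> str:
    if not r["open"]:
        return "closed"
    return "EXPOSED" if not r["login_prompt"] else "asks for credentials"


if __name__ == "__main__":
    # Two constructed targets: a wide-open "motor controller" and one that at
    # least asks for a login. Swap in real (host, port) pairs, e.g. port 23
    # for telnet consoles, to run this against your own plant network.
    open_plc = start_fake_plc(b"MOTOR-CTRL v1.2\r\nRPM 1500\r\nRPM 1498\r\n")
    guarded = start_fake_plc(b"login: ")
    for r in scan([open_plc, guarded]):
        print(f"{r['host']}:{r['port']} open={r['open']} "
              f"banner={r['banner'][:40]!r} -> {verdict(r)}")
```

The probe only listens, so it is safe to point at live equipment, but the banner heuristic is just that: a controller that prints nothing and still accepts writes will show up as "open, silent", and you should treat that as exposed too.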


Christopher Parsons said...

Bruce Schneier has a good post on this with links to good technical evaluations of the significance of the worm plus considerations of the likely target. Link:

Catelli said...

I gotta admit, it is a confusing story. Since PLC devices can be hooked up to almost anything, it's impossible to predict which ones should be targeted and how they should be targeted. You have to have knowledge of the facility and how it is run to be truly effective. So deploying a virus widely doesn't make sense, especially as it gets detected (which this one has).

This virus exploits Windows vulnerabilities to spread itself; well, gee, that's nothing new. But most control networks are firewalled/disconnected from main networks, thus limiting the spread of the virus to its target infrastructure. It's more likely the office computers not on the line are infected first, and the computers on the line aren't touched.

If I had to guess as to the purpose, this was a field test to determine what was possible, how far will it spread, how successful is it etc. If it were designed to target Iran, then letting it spread to any computer is just dumb. Increases chance of detection doing it that way.

Ken Breadner said...

This sort of malware does have the potential to revolutionize warfare. Security will have to evolve, no? Which means prices will go up.
If you specifically target Iran, and the targeting is linked to you, that's an act of war. Better for a first attempt to generalize, I think.

Catelli said...

No one knows what this thing does, or who made it. It is all speculation, which is running a bit wild. Based on how this thing works, I would say it was third party, not government, and Iran was not the target. My bullshit meter is on high alert. That's my professional opinion. (It would have been easy to make the virus look like it came from China for instance, Iran is a paranoid state with lots of enemies.)

Anyway, my main point is, we in the West are just as vulnerable. These things are wide open and can be hacked by any 10 year old with a computer, and no training. It is that easy. And I've been making this point to mostly deaf ears for the last decade. Because I have some of them I have to protect.

That's why when you read the forums, those that have experience with PLCs are saying collectively, well DUH, we've been harping on that issue forever!

So expect criminal organizations to start holding companies hostage because they've taken over production lines. Warfare shmarfare, someone will figure out how to make money from this. The impact to society will be huge.

Catelli said...

Correlation is not causation:

Langner suspected Stuxnet's target was the Bushehr nuclear facility in Iran. Unspecified problems have been blamed for a delay in getting the facility fully operational.

New virus, trouble at the Nuclear facility. Langner thinks .25+.25=1