Worms Security Windows

Stuxnet Worm Infected Industrial Control Systems 167

Sooner Boomer writes "ComputerWorld has an article about the Stuxnet worm, which was apparently designed to steal industrial secrets and disrupt operations at industrial plants, according to Siemens. 'Stuxnet has infected systems in the UK, North America and Korea, however the largest number of infections, by far, have been in Iran. Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs — so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.' If the worm were to be used to disrupt systems at any of those locations, the results could be devastating."
  • Wow (Score:5, Interesting)

    by 0123456 ( 636235 ) on Friday September 17, 2010 @06:19PM (#33615908)

    So people not only leave the default password on their industrial controllers, they put them on the same network as Windows PCs... Wow.

  • Re:Suxnet (Score:5, Interesting)

    by Wyatt Earp ( 1029 ) on Friday September 17, 2010 @06:20PM (#33615914)

    Israel, not American.

    Israel has always been an industrial spy on the US and Western Europe, but their big focus is Iran right now, so they test it on the US, UK and Korea but the main focus is Iran.

    Wouldn't be surprised to find it in Saudi systems too

  • What the? (Score:4, Interesting)

    by Mashiki ( 184564 ) <mashiki@nosPaM.gmail.com> on Friday September 17, 2010 @06:28PM (#33615974) Homepage

    Who is programming their PLCs? And why aren't they put into 'lock' mode (AKA ROM) when they're put into production machinery so the EEPROM can't be affected? I used to write programs for PLCs (generally Mitsubishi and Siemens), and you always locked the device or update when you were finished, so things like this can't happen.

  • Re:Wow (Score:4, Interesting)

    by The Master Control P ( 655590 ) <ejkeeverNO@SPAMnerdshack.com> on Friday September 17, 2010 @06:39PM (#33616040)

    The problem isn't that they're on the same network as Windows machines, it's that they're on any kind of network whatsoever that's not insulated from machines connected to the public Internet by an air gap.

    Once again: Do not -ever- put mission-critical systems on the Internet.

  • by geekoid ( 135745 ) <dadinportland&yahoo,com> on Friday September 17, 2010 @06:49PM (#33616110) Homepage Journal

    At the very least generate a unique default password during install.

    The SCADA system where I work requires a specific USB key to be plugged in. While I'm not a fan of dongles in general, for critical systems they can be worth the pain.

    And this is on top of physical separation and a good password scheme. And strong passwords are easy to create and remember.
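
The per-install credential scheme geekoid describes, as an added example that is not code from the original thread or from any vendor: an installer generates a unique random password for the device, stores only a salted PBKDF2 hash of it, and later logins are checked against that record. The function names, the record format and the sample passwords are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Alphabet for generated passwords: letters and digits with the visually
# ambiguous characters (0/O, 1/l/I) dropped, so a password printed on a
# commissioning sheet can be typed back without confusion.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0O1lI"
)


def generate_install_password(length: int = 16) -> str:
    """Return a fresh random password for one installation (CSPRNG-backed).

    Every install gets a different value, so there is no fleet-wide
    default for a worm to know in advance.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Derive the credential record that is stored on the device.

    Record layout (an assumption of this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    The plaintext password is never written to disk.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations),
    )
    # compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(digest.hex(), digest_hex)


def provision_device(device_id: str):
    """Installer step: generate the password once, hand it to the
    commissioning engineer, and keep only the hash on the device.

    Returns (password_to_print_once, stored_record).
    """
    password = generate_install_password()
    record = hash_password(password)
    # In a real installer the plaintext would be printed or shown once and
    # then discarded; it is returned here so the caller can do that.
    return password, record


if __name__ == "__main__":
    pw, rec = provision_device("plc-line-7")  # constructed device name
    print("one-time password for the engineer:", pw)
    print("record kept on the device:", rec)
    print("login with correct password:", verify_password(pw, rec))
    print("login with wrong password:", verify_password("changeme", rec))
```

The salt and iteration count are embedded in the record so the work factor can be raised on a later firmware update without breaking existing credentials; the constant-time comparison and the CSPRNG (`secrets`) are what make this more than a cosmetic change from a shipped default.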

  • Re:Wow (Score:3, Interesting)

    by MichaelSmith ( 789609 ) on Friday September 17, 2010 @06:56PM (#33616150) Homepage Journal

    As for the default passwords, that's their own fault.

    I remember, back in the day, DEC had an account called FIELD on all the VMS systems they maintained. The DEC support guy would always grumble when we disabled that account, or changed the password. It's more trouble for them, you see.

  • Re:Wow (Score:3, Interesting)

    by Sylak ( 1611137 ) on Friday September 17, 2010 @06:58PM (#33616176)

    The problem lies ONLY in being on a network with Windows PCs. Siemens more often than not specifically designs their products to NOT be networked OR have any default passwords changed, like on a JR Clancy Rigging System for theatres. Many of these appliances you can't change the passwords on without violating your service warranty, so complaining about passwords is really a bad assessment.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Friday September 17, 2010 @07:13PM (#33616256)

    Comment removed based on user account deletion

  • Re:Wow (Score:5, Interesting)

    by Jurily ( 900488 ) <jurily&gmail,com> on Friday September 17, 2010 @07:20PM (#33616294)

    People are lazy. Why change the password on these machines? You'd have to write it down somewhere because remembering things is tough.

    I blame management. With all the chaos around a factory (at least the ones I've worked in), the default password is more reliable than the people who are supposed to know them when they're needed.

    Add in the fact that factory workers don't really get paid enough to care about anything, and you have to start wondering why this kind of attack isn't more common. Hell, we've played Minesweeper on the monitoring terminal of a >$100M production line :)

  • by Animats ( 122034 ) on Friday September 17, 2010 @08:12PM (#33616586) Homepage

    This has nothing to do with "default passwords". It's worse than that. The Windows-level part of the attack was signed code signed with a Microsoft-issued key. The signing keys involved have been revoked. US-CERT isn't saying who had them.

    At the controller level, Siemens has issued a bulletin: [siemens.com] "Previously analyzed properties and the behavior of the virus in the software environment of the test system suggest that we are not dealing with the random development of one hacker, but with the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge. ... The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks. This means that Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications."

    So this is an attack on a specific industrial plant. But whose? Neither Siemens nor US-CERT is saying.

    This is cyber-warfare. Someone is trying to sabotage a specific plant somewhere.

  • Re:Wow (Score:1, Interesting)

    by Anonymous Coward on Friday September 17, 2010 @09:09PM (#33616882)

    I know of several factories that have epoxied all the USB ports on machines on the production LAN. It kinda diminishes the worry about a USB stick attack when it won't fit in any of the machines.

  • by sapphire wyvern ( 1153271 ) on Friday September 17, 2010 @10:46PM (#33617264)

    There are indications that the target may have been the Bushehr nuclear power plant in Iran [langner.com], with the Russian contractor's USB drives being the attack vector into the plant's control systems. (Which are not on the Internet, despite the smug assumptions of so many posters earlier in this comments section.) There's enough information out in the wild now that anyone with access to the target's PLC code could verify the target. Obviously this means the attack targets will be able to prove that the trojan was targeting them, but I doubt they'll be announcing the fact to the world - unless they can trace the attackers and gain political advantage through an announcement.

    It seems the evidence currently leans towards a probably Israeli or possibly US cyberwarfare attack on Iran.

  • Re:Wow (Score:3, Interesting)

    by Rich0 ( 548339 ) on Saturday September 18, 2010 @07:00AM (#33618806) Homepage

    Now, is the door more secure or less secure than it would have been if you had run a card lock without the special conduit?

    Regular wire for the card lock would have been more vulnerable to sniffing or replay attacks, but that is a vulnerability the RFID cards probably have as well. On the other hand, an old fashioned key lock is vulnerable to extra keys floating around that aren't tied to a specific person so they can't be disabled as people change jobs/etc.

    I've seen this problem at work - anybody can point out a problem, and when something goes wrong claim "see, I told you so." The problem with this logic is that if EVERY problem like this were completely risk-mitigated we couldn't do anything without spending a million dollars. That usually means that we end up using archaic processes (since this logic seems to only be employed when changes are made - you can keep running an old insecure or problematic process for as long as you want without complaint), and usually that means even more problems and certainly less efficiency.

    Security in most corporate settings will always be a compromise. Sure, we have to do due diligence. Yes, we ought to secure things as best we can when it is practical to do so. Yes, sometimes we need to spend more and REALLY secure things. However, if you want to turn your factory into a hardened military facility be prepared to spend money more on the lines of the US defense budget. Indeed, I doubt that most munitions facilities incorporate all the security features the latest security consultant to come by would advocate.
