Stuxnet Worm Infected Industrial Control Systems

Sooner Boomer writes "ComputerWorld has an article about the Stuxnet worm, which was apparently designed to steal industrial secrets and disrupt operations at industrial plants, according to Siemens. 'Stuxnet has infected systems in the UK, North America and Korea, however the largest number of infections, by far, have been in Iran. Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs — so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.' If the worm were to be used to disrupt systems at any of those locations, the results could be devastating."
  • Re:Wow (Score:3, Informative)

    by Lunoria (1496339) on Friday September 17, 2010 @06:23PM (#33615944)
    People are lazy. Why change the password on these machines? You'd have to write it down somewhere because remembering things is tough.
  • Re:Wow (Score:5, Informative)

    by Mr. Sketch (111112) <.moc.liamg. .ta. .hcteks.retsim.> on Friday September 17, 2010 @06:38PM (#33616032)

    Having worked in that industry, it's very common for them to be on the same network as Windows PCs. As for the default passwords, that's their own fault.

    The reason they have to be on the same network as PCs is both:
    1) The software to program and monitor PLCs is on Windows (made by Siemens, Rockwell Software, WonderWare, were the big names when I was in the industry 10 years ago), so it makes sense to have them on the same network so they can communicate with the PLC while it's online and see the logic operations in real time.
    2) The biggest reason is that PLCs communicate with visualization software that runs on Windows (also made by the same companies as above), that can be viewed from a central location. This allows the production line manager to visually see the operations of the machines in a nicer format than looking at the raw logic bits. The visualization software can display shapes, colors, diagrams, animations, etc. of the production line with real-time data about what's happening.

    So yes, these PLCs are usually on the same network as Windows PCs. Ideally it's a private network with just the PLCs and the visualization/programming/monitoring PCs, but many places are not that strict about the network separation.

  • Re:What the? (Score:5, Informative)

    by luca (6883) on Friday September 17, 2010 @06:49PM (#33616112) Homepage

    Do you know that when you set a password on a Siemens PLC, it isn't enforced by the PLC itself but by the Step 7 programming software?
    Use something else (e.g., libnodave) and access is wide open.

  • Re:Wow (Score:5, Informative)

    by jofny (540291) on Friday September 17, 2010 @06:53PM (#33616138) Homepage
    You can't change the Siemens passwords in this case (and have things keep working).
  • by jofny (540291) on Friday September 17, 2010 @06:56PM (#33616154) Homepage
    is here: http://www.us-cert.gov/control_systems/pdf/ICSA-10-238-01B%20-%20Stuxnet%20Mitigation.pdf [us-cert.gov] Probably a little more accurate than crappy media reporting.
  • Re:Wow (Score:3, Informative)

    by Relic of the Future (118669) <`gro.skaerflatigid' `ta' `selad'> on Friday September 17, 2010 @06:56PM (#33616156)
    From TFA: "spread [...] typically via USB sticks."

    Air gap will hopefully stop secrets from getting out (unless... is this thing smart enough to wait for another USB stick, copy its stolen data on to it, and wait to be plugged in to a networked PC to communicate out? That'd be snazzy!) but it won't stop a USB stick. And, since USB is how code and software updates are usually delivered to these devices (not to mention the mouse and keyboard for the PC hook up), you can't just turn USB off either. Hence this [slashdot.org].

  • Re:Wow (Score:3, Informative)

    by DarkKnightRadick (268025) <the_spoon.geo@yahoo.com> on Friday September 17, 2010 @07:01PM (#33616190) Homepage Journal

    Stop. The more I know the more I want to scream.

  • Re:Wow (Score:3, Informative)

    by MichaelSmith (789609) on Friday September 17, 2010 @07:05PM (#33616212) Homepage Journal

    Once again: Do not -ever- put mission-critical systems on the Internet.

    You will never win that game. Google has real time traffic info from traffic signal systems these days. How do you think the information gets through? I used to run a traffic signalling system. There was an indirect internet connection, but security was taken seriously by everybody, both working with the system and in management. I would be much more concerned about a totally airgapped system with poor internal security. Because these days you can't have a 100% air gap.

  • Re:Wow (Score:4, Informative)

    by DNS-and-BIND (461968) on Friday September 17, 2010 @07:21PM (#33616300) Homepage
    You do know that factories are staffed by engineers and workers, not IT pros? I doubt if they're even aware that passwords exist on their equipment. When they set up the factory, they just called some people to get all the machines to talk to the computers properly. Then, the contract is finished and the IT people only get a call if there's anything wrong or new equipment is added.
  • Re:deserved (Score:5, Informative)

    by thegarbz (1787294) on Friday September 17, 2010 @08:53PM (#33616792)

    If they still use default password,

    Having experience with a few of these systems from various vendors I say it would be great to have a choice in the matter. There is a lot of investment in the configuration of a large logic controller and vendors often provide themselves a back door such as a hidden admin password to come in and fix things when the system goes tits up. On top of that they often recommend not changing the default passwords of systems that are hooked directly to process control because the machines themselves are often under lock and key and behind firewalls and thus presumed to be "safe".

    We were infected with the Stuxnet worm at our plant, and it spread all around the machines on the business network but never made it to the process control systems. Although it was still disruptive. The firewall was shut down and the control network isolated for days so they could do a complete virus scan. A little network management and physical security can go a long way. Frankly if any virus gets onto the process machines, default password or not, and not even targeting the software for the control systems there's potential for a real "game over" event.

  • by networkBoy (774728) on Friday September 17, 2010 @08:58PM (#33616818) Homepage Journal

    yes.
    Our CNC uses an on-line DRM.
    We have it on its own network behind a proxy server that only allows it to connect to the manufacturer's URL, and at that only to the authentication server address.

    Fortunately the manufacturer uses SOAP on port 80, so that makes the filtering easier.
    -nB
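
The allowlist this post describes (one manufacturer host, one service, plain HTTP on port 80), written out as a decision function and run over constructed proxy request lines. This is an added example, not part of the original comment or any vendor's configuration; the host name, SOAP path and sample requests are assumptions.

```python
from urllib.parse import urlsplit

# Assumed values: the post names neither the vendor host nor the SOAP path.
ALLOWED_HOST = "auth.vendor.example"
ALLOWED_PORT = 80
ALLOWED_PATH = "/soap/license"

def decide(method, target):
    """Return (allowed, reason) for one request line seen by the proxy."""
    method = method.upper()
    if method == "CONNECT":              # tunnels hide the real destination
        return False, "connect-tunnel"
    if method != "POST":                 # SOAP over HTTP is sent as POST
        return False, "method"
    try:
        parts = urlsplit(target)
        port = parts.port if parts.port is not None else 80
    except ValueError:                   # e.g. port out of range
        return False, "malformed"
    if parts.scheme != "http":
        return False, "scheme"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo"         # allowed name placed before an '@'
    host = (parts.hostname or "").rstrip(".")
    if host != ALLOWED_HOST:             # exact match, never suffix/substring
        return False, "host"
    if port != ALLOWED_PORT:
        return False, "port"
    if parts.path != ALLOWED_PATH:
        return False, "path"
    return True, "ok"

# Constructed request lines, as a proxy access log might record them.
SAMPLE_REQUESTS = [
    ("POST", "http://auth.vendor.example/soap/license"),
    ("POST", "http://AUTH.vendor.example:80/soap/license"),
    ("GET", "http://auth.vendor.example/soap/license"),
    ("POST", "http://auth.vendor.example/firmware/update"),
    ("POST", "http://auth.vendor.example.cdn.example/soap/license"),
    ("POST", "http://auth.vendor.example@files.example/soap/license"),
    ("POST", "http://auth.vendor.example:8080/soap/license"),
    ("CONNECT", "auth.vendor.example:443"),
]

def audit(requests=SAMPLE_REQUESTS):
    """Return 'ok' or the deny reason for each request, in order."""
    return [decide(m, t)[1] for m, t in requests]
```

Calling `audit()` returns one verdict per sample line; only the first two requests are allowed.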

  • Re:What the? (Score:3, Informative)

    by Mashiki (184564) <mashiki@@@gmail...com> on Friday September 17, 2010 @09:01PM (#33616838) Homepage

    Yeah, it's a common issue with a bunch of different models of PLCs; however, there is a physical write lock on the controller that can be engaged. Well that's as long as you're not stupid enough to buy PLCs without it, and that means you're spending an extra $4/unit. In the end it means that you have to either physically pull the PLC, memory card, or controller card to be able to allow writing to the unit.

  • Re:Wow (Score:5, Informative)

    by thegarbz (1787294) on Friday September 17, 2010 @09:14PM (#33616898)
    You clearly don't work in the process industry, nor have an idea of just how bullet proof a proper setup actually is despite there not being an airgap.

    The ability to quickly and easily read values from the PLC remotely (one way only is the key) is paramount to not only the efficiency of running the plant, but sometimes the safety of the plant itself. Sometimes it goes a step further to even be a legal requirement. If a plant is levelled by a huge explosion you don't want to be the one standing in front of congress telling the people that the reason you have no idea what happened is that you didn't log every process value on a computer offsite in realtime.

    Air-gaps are like the idiot's guide to security. Yeah it helps, but it's impractical and there are so many other ways a competent person can secure a process network from the outside world. If you actually worked in the industry the lengths you see many companies go to will blow you away.
  • Re:deserved (Score:2, Informative)

    by Anonymous Coward on Friday September 17, 2010 @10:28PM (#33617190)

    This.

    I can confirm the existence of at least one such backdoor. I did tech support for a company that sold cellular connectivity devices through which automation systems could report to a remote server, or be remotely administered.

    It was just a Busybox machine with a bunch of services, but we had an unsecured telnet (as in, port 23, ALL PLAINTEXT) master login that gave root privileges, and we used it for advanced troubleshooting. It was the same user account for all products across all firmware, and even though we never shared it with the customers, anyone calling us to help them do the initial configuration over Ethernet could've set up a packet sniffer and got it.

    Military and police customers tended to use private networks (thankfully) but I'd estimate 90% of those devices were directly facing the internet, including many used for the administration of governmental utilities. In the wrong hands, this not only provided access to all the transmitted data, but was a non-noticeable attack vector on all the equipment on the LAN, since those tend to not have intrusion detection systems.

  • by Anonymous Coward on Saturday September 18, 2010 @12:29AM (#33617650)
    I've seen that on point-of-sale machines and the server for those POS machines - change the default password and they stop working. To make things worse the password was written on the things, the manufacturer's name! Anyone with physical access could have embezzled huge amounts by changing totals and the only thing anyone else would notice is that sales are lower on one day than another. Physical access to the servers is often available to just about any employee or visitor, and because they were sold to a lot of places the "inside job" factor applies to anyone that has used those machines anywhere.
    There are a lot of systems where security is nothing but an afterthought to tick a box, in that case the box was "password protected" but it's just like the missile systems that had 0000 as a password.
  • Re:Wow (Score:2, Informative)

    by Anonymous Coward on Saturday September 18, 2010 @12:40AM (#33617682)

    You do know that factories are staffed by engineers and workers, not IT pros?

    In this particular case it doesn't matter if there's a factory full of IT pros (as, in fact, we do) or not. First of all you can't change the WinCC password. Second of all, if you don't do precisely as Siemens says Siemens raises hands and says "we can't support your non-standard environment".

    As my coworker said, Siemens should burn in heck for its sins.

    Posting anonymously, just in case.
