Stuxnet Virus Now Biggest Threat To Industry

digitaldc writes "A malicious computer attack that appears to target Iran's nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday. They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."

We should thank Israel, or whoever

[elrous0]

This is a wake-up call to a new vulnerability. There are a helluva lot worse ways to have found out about it than this relatively innocuous version. It also exposes stupid weaknesses like the fact that all Siemens PLC's (programmable logic controllers) have a hard-coded password [wired.com] that was never meant to be changed, and that all the obscure proprietary software in the world on PLC's doesn't mean jack for security--because they all still have to take their orders from a machine running it software on regular old Windows.

We could have realized these vulnerabilities only after a bunch of stuff started exploding.

Re:We should thank Israel, or whoever

[poetmatt]

this is a wake up call to a new "cyber-vulnerability"! Oh noes! I said the word cyber! It's not a threat, it's a cyberthreat!

yes, this is the hype they want you to believe. Stuxnet is something to be concerned about, but adding the word cyber is just bullshit hype all around.

the rest is just calling into play Siemens shitty programming ethics which are now going to bite them in the ass as businesses and government will probably shy away from business with them until this can be fixed.

Re:

[lgw]

Everything, everything, is a reason for "new government controls" these days. If the TSA groping 3-year-old girls isn't a wakeup call to the gradual march of fascism we seem to embrace, I don't know what is.

"Threat"? I don't care. "Cyber-threat"? I don't care. I don't care what the threat is any more. I have more than enough government, and I want less! The biggest threat by far is our government, and it's time to de-fund the whole stinking mess.

Re:

[SuricouRaven]

By all means, stop paying taxes. Consider it a protest.

Re:

[lgw]

No, some retarded fringe protest is the opposite of what we need. What we do need is people to wake up to the gradual increase in totalitarianism, and stop being OK with it. We still have a functioning democracy, and any every intrusive government agency can be destroyed entirely with a stroke of a pen. Every single world event is an excuse to make out government stronger and more intrusive if we let it be so, but we can just as easily decide that enough is too much, and put and end to it.

Re:

[lgw]

All of the above. Less government funding. Less government taxing (except we can't in practice, but it's still desireable). Fewer government employees, especially at the federal level. But all of that is secondary: less government intrusiveness in my daily life is the main thing.

Here's a clue: roads and NASA and pretty much everything else that the feeral government does that's actually productive is down to less than 20% of the budget. The vast majority of the budget consists of money taxen from less-

Re:

[lgw]

Our science program and space program and, well, every program that produces something - roll all of them together and it's still peanuts. Social Security, Medicare, the precription drug progam, and government pensions will fail - it's not an "if" any more, but a "when". In order to meet the obligations we have made in these areas we would need to collect an additional one million dollars per taxpayer over current tax levels. It's not about whether you're for it or against it on principle, the money just

Re:We should thank Israel, or whoever

[mevets]

We also could have foreseen these vulnerabilities.

I used to work in industrial automation - in its pre-windows era, and people did put effort into isolation, access control and validation.

After having made the bad decision to deploy on Windows, when years of evidence that it had a horrendous lack of access control, how did Siemens just continue on? What were they thinking?

Re:

[elrous0]

Yes, according to Captain Hindsight [wikia.com], we should have secured our PLC's and SCADA infrastructure better years ago.

Re:

[squizzar]

Every time someone suggests a Windows based system in _any_ critical situation plenty of people come out shouting how it will undoubtedly lead to the end of the world. Hindsight doesn't even come into it - the possibility of these scenarios was predicted, brought to people's attention and dismissed.

'Captain Hindsight' parodies people who appear out of the woodwork to say what is now blindingly obvious, not people who had the foresight to predict these problems but were ignored.

Re:We should thank Israel, or whoever

[JWW]

Yep, you and the GGP post are correct, this was a foresight issue. I too was in a position where I was asked to replace reliable, effective, and secure Unix control systems with Windows based systems.

It was a ridiculous play for the new eye-candy, and "usability" (why do you need general application usability on machines that should be running only ONE program?). Just the fact that there were now Windows machines on the production floor led to enormous headaches. All kinds of access controls and system policies and restrictions and processes needed to be put in place to keep these machines functioning even reasonably well, where the Unix boxes (and X-terminals) they replaced were ROCK SOLID.

Now the industry will pay for using the quick and easy and VULNERABLE hardware to run their process control systems.

Re:

[ColdWetDog]

You have paid the price for your lack of vision.

Re:

[dunezone]

What were they thinking?

The customer uses Windows, thus we need to make our solutions work on Windows.

Re:

[Lumpy]

Because the customer is too stupid to use a different OS for the single application that needs to run on that?

If you think that you need to run Office on the SCADA computer, please throw yourself from the nearest building as people who think the way you do are the cause of this problem.

"Hey dave, the nuclear reactor computer, you think it will run Netflix?" Yup: you're the problem.

Re:

[Thomas Charron]

Security? If I have a physical piece of hardware that could cut someones head off, why exactly would I have it connected to a network?

These PLC's operate with a swarm sort of mentality. The network is merely a method for them to communicate. Kind of like how your light switch authenticates you to turn on and off a light.

Oh wait, it doesn't... OMFGz0rs, someone could cause a fire by turning on the light without authentication!

Re:We should thank Israel, or whoever

[elrous0]

No, the problem is that even if your PLC's aren't networked--the laptop that reprograms them may be at some point (and can be infected with a virus). Even if you pull your whole infrastructure off the network, it doesn't ensure security if Jim the IT guy is using the Step 7 laptop to surf the web, or if any yahoo can stick his thumb drive into said laptop and give it a digital STD.

Re:

[Lumpy]

What idiot would program the system with a general purpose laptop? All parts of a SCADA system are supposed to be seperated including the programming pc. you sneaker-net the sourcecode to the programming pc, you compile it there. Only infection vector is to infect the sourcecode in a way that makes the compiler execute the virus. reduces the infection vector to that of military top secret levels.

Re:

[SuricouRaven]

An idiot who has the choice between wipeing a laptop and reinstalling the OS, or actually getting home on time tonight.

Re:

[Schadrach]

I have a piece of hardware that could potentially bludgeon someone or knock them into other equipment that could cut something off (it's a pipe bender, to be specific), and it's connected to a network because our management decided that the operator shouldn't need to be able to read blueprints, but rather a different personnel will read blueprints and create part files that instruct it what to bend, which will be moved to that machine over the network. /sigh

Re:We should thank Israel, or whoever

[elrous0]

Those bender units are notoriously unreliable and surly.

Re:

[should_be_linear]

This is not new vulnerability, this is old vulnerability called "security through obscurity". Designs of nulclear power plants are not open for review, which leads to these kind of flows quite naturally.

Re:

[Anonymous Coward]

all Siemens PLC's (programmable logic controllers) have a hard-coded password

A Siemens PLC has no such hard coded password. In fact, if the plants in question had activated the write protection options provided by Siemens PLC's, then there would have been no way for the worm to change the PLC code (without the worm knowing the plants' password). Any manufacturer's PLC would have been vulnerable in the same way, if the customer didn't make use of the security features provided.

The password confusion is related to a vulnerability in the WinCC visualization/operator software, which r

Re:We should thank Israel, or whoever

[Lumpy]

Wake up call? new?

Lots of IT pros have been screaming for a DECADE that only complete fucking morons put a SCADA system on anything that is connected to an external network. Let me repeat that. ONLY A COMPLETE MORON will hook up a scada system to a pc that bridges the internet and the secured network, OR puts the whole damn thing on a unsecured network.

Guess what, Complete morons are the managers of these places, these complete morons do not want to buy extra pc's so they have the employees check their email ON THE SCADA computers. OR they do something stupid and not lock them down and allow the users to install and run software on them.

This is not a new problem. Those of us in IT have known about it and have been yelling at the idiots in charge for a long time now. IT's just this is the first real "BITE THEM IN THE ASS" that has happened and got a lot of publicity.

Re:

[NewbieProgrammerMan]

ONLY A COMPLETE MORON will hook up a scada system to a pc that bridges the internet and the secured network, OR puts the whole damn thing on a unsecured network.

As someone that worked on SCADA software for about a decade, I wholeheartedly approve this message. With very few exceptions, every bit of SCADA code I saw makes [insert favorite insecure software target here] look like Fort Knox. You do NOT want the internet getting anywhere near that code.

P.S. Thanks, Slashdot, for making me log in to IE to post. I still can't copy/paste in Chrome.

Idea

[Haedrian]

They should run Mac software on PLCs. Macs don't get viruses!

</satire>

Re:

[transporter_ii]

Yeah, if they were really serious about ending terror, they should nuke Redmond

Re:

[commodore64_love]

If I said something like that, I'd get modded troll.
(hugs his Mac G6... like a G6...)

Re:

[elrous0]

They also make you morally superior to and smarter than anyone using a Windows machine. It's common knowledge in any coffee shop or arthouse theater.

Re:

[Haedrian]

Uh no. Apple products just make you cool and artistic.

Its Linux which makes you smarter.

Re:

[elrous0]

And I only eat whole foods and organically grown vegetables. Between that, my hemp clothing, and my new solar panels; I'm superior to 99.9% of the population now.

The solution

[Lord Lode]

Don't use Windows for important industrial systems.

Re:The solution

[L4t3r4lu5]

More importantly, don't use control software from companies who mandate that passwords are hard-coded and cannot be changed.

MS: "By the way, the Windows Server 2008 Domain Admin password is 12345. Be sure to write that down!"

IT Industry: "Lolwut? GTFO."
Nuclear Fuel Refinement Industry: "The same as my luggage! I like it!"

Re:

[Is0m0rph]

Of course but unfortunately Windows is everywhere in industrial systems. To truly be isolated they should be running dedicated HMIs connected to the PLC with no computer at all. But modern automated facilities want to be able to monitor everything from a SECS/GEM host, be able to remotely look and control HMIs, etc. I bet the companies that spent extra for Rockwell Automation PLCs over Siemens are happy with there choice now. How idiot to hard code a password like that. Not sure why we need legislation

Re:

[sapphire wyvern]

And how would the non-computer HMI be configured and updated when the plant needs to change the calibration on a pressure meter, or similar? Presumably by some kind of PC or engineering workstation with an "HMI Configuration" package on it? Gee, that sounds rather a lot like the kind of "PLC configuration" workstations that were the attack vector for getting into the PLCs!

It's turtles all the way down, I'm afraid. You can't implement a programmable control system without a general-purpose, insecure, infecta

Re:

[LWATCDR]

Simple answer for a not so simple problem.
Back in the old days people used systems like the PDP-11 and VAX for things like this. Problem was they cost a lot of money and someday the are out of production.
A good while back people started to use PCs and DOS. That was cheaper but even those are not out of prodcution. Believe it or not there are companies still making PDP-11, VAX, and even DOS/ISA bussed systems today!
Your company may depend on using a very expensive machine that uses and ISA buss card to inter

Re:

[Lumpy]

Why?

I solved this a decade ago when I was into SCADA programming Entire SCADA system is isolated NO connection to outside network, no apps other than the Control software.

Need to have data go to the administrator for stupid reports? easy solution.

Rs232. Rs232 TX and Gnd only hooked to the Scada system and set to output all stats in a streaming basis. Supervisors PC hooked to that RS232 to monitor all he likes. Infect his pc with nasty kil lyou all virus and it CAN NOT infect the SCADA system unless

Re:

[Joce640k]

"expand government controls and set requirements to make systems safer"

I'm sure we'll be safe after they make Norton Antivirus mandatory on all machines (which is about as much as I expect from Government...)

Re:

[Simon80]

You say that as if it would be challenging to make an exception to this for these security-critical systems. It's not as if random individuals like me are successfully running something else on their home computers..

Re:

[Nethemas the Great]

This is true. But tell me, how do you propose to get said worm onto a Linux system?

Cut the hardlines

[commodore64_love]

There's no reason why these machines should be connected to the internet. Maybe some of the top-level communication computers to coordinate between plants, but certainly not the local-area computers/machines.

Re:Cut the hardlines

[keean]

Actually Stuxnet does not require the machines to be connected to the Internet. In infests the machines used by the designers of these systems, and piggy backs on update PLDs (programmable logic devices) for the production machinery. It does not even rely on the PLD programming machines being connected, as it infests the PLD design files. It infests the PLD design engineers workstations when someone plugs an infected laptop into the private network that all the design computers are on.

Re:

[commodore64_love]

Oh so it's just like when Windows XP(?) shipped with a virus on-board. That should make it easier to control, simply by virus protecting the Engineers desktops.

Re:

[sapphire wyvern]

Yeah, AV on the laptops does help - but as usual, only against known threats. When a nation state decides to gin up some custom sabotage-ware to take out your specific factory, you can count on it bypassing any and all AV until its dirty work is done.

I think it's difficult to ever be truly secure against an attack with this level of dedication. Stuxnet targeted air-gapped facilities, and appears to have succeeded in its primary mission. If anything, the failure of Stuxnet was that it spread *too much*. It's

Re:

[master0ne]

The problem was not that the targeted machines were connected to the internet, they wern't. If you have RTFA's the targeted machines were supposed to be infected by USB sticks transfered between infected machines and the mission critical systems. Thats why the Stuxnet worm did its best to hide very discreetly on a USB stick, so that it could be transfered from internet connected systems to the mission critical systems without being noticed. Hell, you probably could have picked up on this if you had even RTF

Re:

[Inda]

Not strictly true.

I'm sat here at head office, and I can measure 30,000 sensors on over a dozen power stations. There is a link over the internet.

At the power stations, I can walk into the control room with anything I choose. Getting onto the power station site would be more difficult.

But you are right, the control room is not connected to the internet.

Re:

[keean]

I said stuxnet does not _need_ the PLC (PLD) containing machines to be connected. In reality they may be connected, but disconnecting them will not stop Stuxnet infecting them as it gets in when the PLC programming is updated.

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf [symantec.com]

For reference a "Field PG" is a machine used to program the PLCs not the actual target of the infection.

Quote:
"Once Stuxnet had infected a computer within the organizati

Re:

[L4t3r4lu5]

How do you scan the proprietary upgrade boards used within the control machines themselves? 'Cause that's the method of infection; Infect the engineer's network, get written onto the upgrade software supplied by the engineer, get installed by an engineer.

Funny how the answer is always more government

[fotbr]

Do you really want the idiots in D.C. telling you how your computer must work? Ask anyone doing IT related stuff under the DoD -- their own security policies cause more outages and problems than anything else. Those policies are from people who supposedly know what's what. Now put clueless politicians in charge.

You DON'T want this, no matter how much you like government control of your lives.

Re:

[ewieling]

I do not mind the government telling industry that they must secure their systems. Who else is going to do that? Customers?

Re:Funny how the answer is always more government

[Wonko the Sane]

When the last time the government solved the problem that it told you it was trying to solve?

Re:

[SatanicPuppy]

I am two minds about this: one, it's definitely time for someone to put down standards. But two, the government has consistently failed to get its own shit in order, which can only be attributed to crappy bureaucracy.

It's pretty much all of a piece, I suppose.

A simple fix would be to pass a law that lets people sue companies more easily for problems related to their crappy computer infrastructure...Let the market take care of the rest.

Re:

[Attila Dimedici]

Except that the government won't settle for telling industry that they must secure their systems. Government will tell industry how to secure their systems and if industry follows government standards they will be protected from lawsuits...even if everyone knows that meeting government standards will do nothing to actually secure industry's systems.

Even liberals agree, this is dumb.

[RingDev]

A fair number of people have labeled me a socialist, and even I can see that this is nothing more than a blatent attempt at a power grab by the federal government, and profiteering by Symantec.

Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the Senate Homeland Security and Governmental Affairs Committee that the "real-world implications of Stuxnet are beyond any threat we have seen in the past."

So we're having people who stand to gain more power over their country men making a decision about taking that power, receiving testimony about the threat from the company that stands to profit the most by their decision to take the power. Yeah, that's not a recipe for a horrendous outcome.

-Rick

Re:

[AnonymousClown]

Paranoia and its associated billions and billions spent because of it is how the US will be weakened.

It's been said that one of the (many) reasons the Soviet Union collapsed was because of the spending on military hardware to keep up with the US - their economy just couldn't support it.

The US has no real reason, at least at this time, to spend billions and billions of hardware BUT security is another matter.

We're so paranoid, that we're searching each other to make sure that our neighbors aren't a threat -

Legislation?

[TD-Linux]

I would think that the risk of prolonged downtime in a factory that plows through millions of dollars a day would be enough of an incentive for any manager to tighten their security.

Re:

[Ryanrule]

But you see, that is the fault of some IT guy they can just fire. But a VP would have to submit outrageous expenses for such security, and that would hurt his bonus.

Re:Legislation?

[Tom]

No, it isn't. Humans in general and managers in particular are famously bad at correctly estimating the factors of low-probability/high-impact risks. Not always in the same direction - we vastly overestimate the risk of some stuff, and vastly underestimate others. But we're almost always off, and by several orders of magnitude.

And don't forget the human factor - the risk for the manager is not millions of dollars of company assets, that is an abstract figure at best. The risk to him is the loss of his job, which is lower in both value and likelihood than the event itself. However, spending money on security is a 100% loss of profit which will impact the bottom line, profit, quarterly report, etc. with a very high probability of negative impact on his bonus or raise.

Unfortunately, almost everything you learn about management or governance acts as if "the company" would make decisions, and not humans. And ignores that humans have a more personal context that also influences their decisions, and routinely overrides even those cases where the optimal decision can be clearly demonstrated.

Re:

[SatanicPuppy]

As long as it doesn't break, then they're not going to sink a lot of money into security and contingency. Hard for management to justify a big expenditure without any obvious problem.

When it does break, then you'll see some meaningful change.

Do i get this right?

[durrr]

So first the goverment makes the most malicious worm possible to do their bidding in wiping out the enemy, and then the goverment figure they can use this worm as an argument for imposing more restrictions and expanding their power.

Next up: the police starts killing people so they can use the higher homicide rates to motivate expansion.

Re:

[Issarlk]

My though exactly. Kill two birds with one stone.
But at least the government is becoming more efficient.

Re:

[mcvos]

You mean the only way the government can get it right, is when they intend to fuck things up?

Re:

[digitaldc]

Sounds like the ultimate cyber conspiracy.

Re:

[Haedrian]

I find the US government to be a bit weird.

It tries to impose regulations in places where they probably shouldn't, and leave it as a free-for-all on places where it should.

And before someone mentions "Socialism", you should probably google what that word means.

Stupidity is the problem, training the solution.

[SuricouRaven]

As sophisticated as Stuxnet is, it still relies on people doing Very Stupid Things. The solution isn't government intervention to control how everyone designs their networks (They'd be perpetually ten years behind current technology anyway), but to just weather the current panic, learn from it, and remember CHANGE THE DEFAULT PASSWORDS and USE A FIREWALL! The only reason this has been such a problem is that industrial control networks are designed by people with insufficient training in IT security, so often even the most common-sense measures are neglected.

This isn't a 'vulnerability'

[Thomas Charron]

Don't exaggerate the issue. The exploitation of PLC's by Stuxnet is akin to a device on your car vehicles CAN bus issueing commands across the network. Does your cars radio require authentication? Newp. How about your speedometer? Newp.

    What StuxNet *does* emphasize is why it's a very, VERY dumb idea to have a network with PLCs connected to an external network of any kind.

    "OMFG, I can't believe my cancer test came up negative because some hax0r compromised it. What kind of suck software was RUNNING on that device?"

    OOOOOOoorrrrrrr..

    "OMFG, you idiots, WTF would you connect a device which is going to tell me if I'm *DYING* to the MTF internet?!?!"

Re:

[dbIII]

We all know this, but the stupidity arises from having an interface that requires change to be done by connecting via something that has previously been connected to the outside world. An isolated network isn't isolated anymore once somebody connects their malware ridden laptop to it.

Blowback

[srussia]

Ain't it a biatch.

Stuxnet is only a threat to Seimens

[kurt555gs]

There are lots of choices. Just avoid using Seimens controllers. Problem solved!

Missing in the summary

[gmuslera]

"Think of the children!"

lol the irony

[Anonymous Coward]

Its probably American dollars that paid for stuxnet in the first place (by way of "Aid" to certain countries)

just deserts come to mind

Nuclear Plant Security

[should_be_linear]

Obviously, this virus showed that nuclear security is much harder problem then anyone realised before. Nuclear plants are using on unsecure closed-source programs. It is unlikely that anyone competent reviewd sources of these programs. It should be remebered that all arguments on how "new reactors" are now safe, as opose to Chernobil, are invalid, all of a sudden and there is little Nuclear Lobby can do in short term to restore safety argument.

Re:

[khallow]

It should be remebered that all arguments on how "new reactors" are now safe, as opose to Chernobil, are invalid, all of a sudden and there is little Nuclear Lobby can do in short term to restore safety argument.

And why are those arguments invalid? Keep in mind that some reactor designs, such as pebble bed, are sufficiently safe no matter what the computer systems are doing.

Re:

[should_be_linear]

Well, if there is mechanical "switch" independant of what any microcontroller says (like: mechanical switch connected to microcontroller in cars. You can "push breaks" in SW, albait it is mechanical part), then I am accepting your argument. For this however, design of nuclear power plants should be open for review.

Re:

[Wonko the Sane]

Well, if there is mechanical "switch" independant of what any microcontroller says (like: mechanical switch connected to microcontroller in cars. You can "push breaks" in SW, albait it is mechanical part), then I am accepting your argument.

Besides this there are reactor designs that are prevented from exploding or melting down by the laws of physics, regardless of any control system tries to do be it a mechanical switch or a microcontroller.

The Interent is not the only WAN

[blind biker]

Seriously, who TF came to the idea that all WANs are to be extinguished and only the Internet can be used for site-to-site networks? Maybe I'm showing my age, but I don't care: when I was working in IT (before returning to academia), private WANs were the norm, and nobody even dreamt of connecting any part of a company network, no matter how unimportant, to the Internet. Somehow, common sense wasn't snuffed entirely. Oh, and we did have e-mail, shockingly enough, which was nicely routed to the Interent (if the e-mail address was an Internet e-mail address).

Re:

[sapphire wyvern]

What makes you (and half of Slashdot) think that Stuxnet was designed to primarily attack systems that are connected to the Internet?

It's not. It's designed to use multiple propagation strategies to get over air-gaps, helpfully transported by people who need to use both a) internet connected resources and b) private network resources. Once it's over the air-gap, it then spreads just fine within the private internal network. But it *does not* require sensitive assets to be on the public internet to be a genu

Didn't our government launch that virus?

[HangingChad]

So the US government launches a cyber attack aimed at Iran's nuclear production and now the government wants to protect us from cyberthreats?

Where have I heard that before? Oh, yeah! We woulds hate to see bad tings happen to yas.

Besides taking naked pictures of you at the airport, now the government will be infiltrating your office network to protect you. Boy, I feel so much safer now.

Stop using Windows98

[Culture20]

Stop running your robots with a computer running windows 98 (or winxp that auto-logs-in to admin on bootup). Stop putting those same computers on the Internet because Jim the Operator needed to read his email. Buy a dedicated computer for that, and remove/disable the NIC on the controller computer.

Is this a script?

[gambit3]

Why does it always follow the outline:

[INSERT REAL OR IMAGINED DANGER HERE], so the only solution is for [INSERT GOV'T BRANCH HERE] to [INSERT DESIRED ACTION HERE].

"The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."

GOOD!

[WindBourne]

This is a wake-up call. It is one that has been missing for a long time. Thankfully, it is not damaging to ANYTHING. The ONLY downfall is that if you are running the German designed centrifuges, then it will only mix Uranium with a tolerance that is acceptable for Nuke Plants. Basically, it does not have high enough tolerance for bombs. The problem for Iran is that they obviously have ZERO intentions of doing this work for nuke plants like they claim. It is all for bombs.

Good thing the cylons aren't attacking.

[gblackwo]

The only reason we survived the cylons was by not having our computers networked for "increased efficiency". We are doomed.

Proof of Concept?

[rakuen]

If foo works on one system, and foo is adaptable, then foo + bar might work on another system.

We can make jokes about the Windows OS and giving vital machines an active presence on the Internet all day long (and it seems we have), but that would be missing the point. What we have here is a virus which has been proven to work, and which like many viruses, can be altered to infect other systems. People who say these organizations should run OSX or Linux, who's to say this virus can't be recoded to work o

Government controls???

[ZenDragon]

"The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."

Uh NO... it makes it imperative that security folks get better training! Why does this government think they can fix everything by expanding government controls???

Re:

[Attila Dimedici]

Government doesn't think it can fix anything by expanding government controls, it just thinks it can get people to accept government controls if it claims they are going to fix problems.

Air Gap

[PhilHibbs]

Anyone involved in industrial control systems - especially nuclear fuel refinement, for Bob's sake - needs to look up "air gap" in a dictionary. It's not a guarantee of security, but it's a start.

undoing mis-moderation

[Sloppy]

Get the dropdown right on the first try. No submit button for you!

AJAX isn't necessarily a bad thing, but incompetent web developers replacing good interfaces with bad ones, sure is.

Learn A Little About Stuxnet Before Commenting

[Fantom42]

Many of the comments here seem to be unaware of what Stuxnet actually is or how it works. Symantec has a great whitepaper on it that is updated as they learn more. 50 pages of technical detail. Of course you can read the executive summary and at least avoid making the kinds of uniformed comments I'm seeing here.

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf [symantec.com]

Just a Few:

1. "People are so stupid to connect their industrial control system to the internet!"

Stuxnet does not require internet access. It delivers its payload in various ways, and in particular, if an infected USB stick is inserted into a susceptible machine, it will find a machine on that network with the Siemens PLC development environment and infect it in such a way to insert hidden malicious code into the PLC.

2. "Just don't run Windows"

There is some validity to this idea. But the payload was not delievered to a Windows machine, just via one. How many embedded controller development environments require a Windows machine? Try coding a Xilinx FPGA without a Windows box, or just about anything out there without one.

3. "We could have seen this coming"

Most people did see this coming. But they didn't think it was actually plausible to defend against. The Stuxnet worm required a huge amount of resources and detailed knowledge to pull off. Everything from the payload to the infection method. Someone really thought this through. It is a proof of concept of what people generally believed to be only possible in theory.

The fact that government is getting involved here is a bit worrisome. I hope they at least pay attention to the existing specifications already out there to help mitigate some of these threats. NIST 800-82 is a decent read that is free (final public draft) and there are other pay ones out there as well.

The reason why I am kindof annoyed about people's ignorance about Stuxnet is because the biggest lesson learned from it is largely being ignored. 1. That "air gap" protection you think you have is not as good as you think it is. 2. The "insider threat" is worth thinking about, even if you trust your insiders. They may not know they are a threat.

Re:

[should_be_linear]

And what if I pay some random employee of nuclear plant $1 million to run .exe from USB key? Then I possibly can create another Chernobyl. In case of Nuclear plants only solution is to stay with pure electrical control systems and not moving it towards electronical programmable (computer) control systems. If there is no SW, there is no possibility of infection.

Re:

[Anonymous Coward]

For the love of god! You cannot create another Chernobyl, it had ZERO core containment. US reactors have 12 feet thick concrete surrounding the core! It *may* melt down, but then it's entombed in tons of concrete, so there isn't much to worry about! Equating a meltdown to Chernobyl is naive.

As an AC this post will never see the light of day, but I really wish people would stop being so afraid of nuclear power, it's really our only hope to get off fossil fuels any time soon.

Re:

[mcvos]

Yeah, but then how would they check facebook?

Re:

[Spad]

Mac users shouldn't get too cocky about it [sophos.com].

Re:

[0123456]

The virus was written for windows because that's what the system runs. If it ran Linux it would have been a Linux virus.

Meanwhile, back in the real world, much of the most important Internet infrastructure runs on Linux and yet it seems remarkably lacking in virus infections.

Re:

[StuartHankins]

So what's your solution to salespeople who have to use Windows and need the ability to install printers on the road? You can't do that in Windows without admin rights.

Or what about the people who rely on UPS software? Also requires admin rights.

But I'm sure you have it all down pat, in your little limited environment, and none of the Windows viruses / worms affect your company at all. Right. Because it's gotten to the point that a simple Google search can get you infected if you run IE -- even IE 8 and 9.

Re:

[0123456]

and in other news this virus had an industrial target. It wasn't simply looking to disrupt internet traffic. Once a malware writer decides they want to disrupt internet traffic in general I'm sure we'll see things written to affect those linux machines.

You're right: owning a DNS server, or amazon.com, or google would be of no value whatsoever to a bad guy. That's obviously why they haven't hacked those servers, not because they're vastly more secure than Windows.

This whole 'no OS is any more secure than any other' nonsense is one of the reasons why we see these kind of problems.

Re:

[WindBourne]

I wish that I had not replied on this article. I would have modded you down. Obviously you are neither a cracker, a virus writer, or logical.

Ppl target Windows not do to number of systems, but number of openings. If a system had 99% penetration of desktop markets, but had ZERO opening, or even limited openings, then the crackers/virus writers/etc would then target the 1%. Why? BECAUSE IT IS EFFECTIVE.

Hell, just look at 7-11 vs. banks. Once upon a time, banks were the favorite targets. Then along came 7

Re:

[sapphire wyvern]

No. Stuxnet targeted Windows because the _specific plant that Stuxnet was designed to sabotage_ used Siemens WinCC, which is a Windows-only application.

If Stuxnet was a piece of general purpose malware written for economic or general purpose espionage reasons (like the Russian Business Network's systems or Ghostnet) then your argument would make sense. In the case of Stuxnet, which is one of the most specialized pieces of malware ever made, it targets *whatever platforms are necessary* to get at the 33+ Var

Re:

[mcgrew]

Popularity is one reason MS is targeted, but the way Windows is designed is the primary factor in its proliferation of malware.

An example: making a program executable by changing the extension, and then hiding that extension by default. That JPG file can be an executable in Windows, but not in Mac or Linux.

Another example: software repositories. It's as easy to install a Linux program from a repository as it is to install a Windows program in Windows, but probably too hard for Joe Sixpack to install a progr

Re:

[99BottlesOfBeerInMyF]

and if macOS were ever to become popular enough that malware writers decide to target it? Just because something is too obscure to be targeted does not mean it's totally secure. The virus was written for windows because that's what the system runs. If it ran Linux it would have been a Linux virus.

If OS X ever became popular enough that it had 40% of the market not only would it be much more resistant to malware than Windows is now, Windows would adapt and become much more resistant to malware. Here's the thing that people don't seem to get. Windows isn't built on an inherently insecure foundation that can never be fixed. It's not insecure because it is built by Microsoft. It's insecure because it has monopoly influence on the market so competitive forces that would normally drive real, functional se

Re:

[Low Ranked Craig]

...imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer.

From the same legislative body that brought you a series of tubes not serviced by dump trucks.

Be afraid. Be very afraid. 10 to 1 they bring in experts from Microsoft to help craft the legislation...

Re:

[KarmaMB84]

They also brought us "Guam could tip over and capsize".

http://washingtonscene.thehill.com/in-the-know/36-news/3169-rep-hank-johnson-guam-could-tip-over-and-capsize [thehill.com]