Stuxnet Worm Infected Industrial Control Systems
Sooner Boomer writes "ComputerWorld has an article about the Stuxnet worm, which was apparently designed to steal industrial secrets and disrupt operations at industrial plants, according to Siemens. 'Stuxnet has infected systems in the UK, North America and Korea, however the largest number of infections, by far, have been in Iran. Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs — so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.' If the worm were to be used to disrupt systems at any of those locations, the results could be devastating."
So people not only leave the default password on their industrial controllers, they put them on the same network as Windows PCs... Wow.
Israel, not American.
Israel has always been an industrial spy on the US and Western Europe, but their big focus is Iran right now, so they test it on the US, UK and Korea but the main focus is Iran.
Wouldn't be surprised to find it in Saudi systems too
Do you know that when you set a password on a Siemens PLC, it isn't enforced by the PLC itself but by the Step 7 programming software?
Use something else (e.g., libnodave) and access is wide open.
This has nothing to do with "default passwords". It's worse than that. The Windows-level part of the attack was signed code signed with a Microsoft-issued key. The signing keys involved have been revoked. US-CERT isn't saying who had them.
At the controller level, Siemens has issued a bulletin: Previously analyzed properties and the behavior of the virus in the software environment of the test system suggest that we are not dealing with the random development of one hacker, but with the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge. ... The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks.
This means that Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications.
So this is an attack on a specific industrial plant. But whose? Neither Siemens nor US-CERT is saying.
This is cyber-warfare. Someone is trying to sabotage a specific plant somewhere.
If they still use default password,
Having experience with a few of these systems from various vendors, I say it would be great to have a choice in the matter. There is a lot of investment in the configuration of a large logic controller, and vendors often provide themselves a back door such as a hidden admin password to come in and fix things when the system goes tits up. On top of that, they often recommend not changing the default passwords of systems that are hooked directly to process control because the machines themselves are often under lock and key and behind firewalls and thus presumed to be "safe".
We were infected with the Stuxnet worm at our plant, and it spread all around the machines on the business network but never made it to the process control systems. Although it was still disruptive. The firewall was shut down and the control network isolated for days so they could do a complete virus scan. A little network management and physical security can go a long way. Frankly, if any virus gets onto the process machines, default password or not, and not even targeting the software for the control systems, there's potential for a real "game over" event.
There are indications that the target may have been the Bushehr nuclear power plant in Iran, with the Russian contractor's USB drives being the attack vector into the plant's control systems. (Which are not on the Internet, despite the smug assumptions of so many posters earlier in this comments section.) There's enough information out in the wild now that anyone with access to the target's PLC code could verify the target. Obviously this means the attack targets will be able to prove that the trojan was targeting them, but I doubt they'll be announcing the fact to the world - unless they can trace the attackers and gain political advantage through an announcement.
It seems the evidence currently leans towards a probably Israeli or possibly US cyberwarfare attack on Iran.