Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stuxnet Virus Now Biggest Threat To Industry

Posted by CmdrTaco on from the or-just-don't-click-attachments dept.

digitaldc writes "A malicious computer attack that appears to target Iran's nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday. They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."

19 of 254 comments (clear)

  1. We should thank Israel, or whoever by elrous0 · · Score: 4, Insightful

    This is a wake-up call to a new vulnerability. There are a helluva lot worse ways to have found out about it than this relatively innocuous version. It also exposes stupid weaknesses like the fact that all Siemens PLC's (programmable logic controllers) have a hard-coded password that was never meant to be changed, and that all the obscure proprietary software in the world on PLC's doesn't mean jack for security--because they all still have to take their orders from a machine running it software on regular old Windows.

    We could have realized these vulnerabilities only after a bunch of stuff started exploding.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:We should thank Israel, or whoever by poetmatt · · Score: 3, Insightful

      this is a wake up call to a new "cyber-vulnerability"! Oh noes! I said the word cyber! It's not a threat, it's a cyberthreat!

      yes, this is the hype they want you to believe. Stuxnet is something to be concerned about, but adding the word cyber is just bullshit hype all around.

      the rest is just calling into play Siemens shitty programming ethics which are now going to bite them in the ass as businesses and government will probably shy away from business with them until this can be fixed.

    2. Re:We should thank Israel, or whoever by mevets · · Score: 5, Insightful

      We also could have foreseen these vulnerabilities.

      I used to work in industrial automation - in its pre-windows era, and people did put effort into isolation, access control and validation.

      After having made the bad decision to deploy on Windows, when years of evidence that it had a horrendous lack of access control, how did Siemens just continue on? What were they thinking?

    3. Re:We should thank Israel, or whoever by elrous0 · · Score: 3, Insightful

      No, the problem is that even if your PLC's aren't networked--the laptop that reprograms them may be at some point (and can be infected with a virus). Even if you pull your whole infrastructure off the network, it doesn't ensure security if Jim the IT guy is using the Step 7 laptop to surf the web, or if any yahoo can stick his thumb drive into said laptop and give it a digital STD.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    4. Re:We should thank Israel, or whoever by elrous0 · · Score: 3, Funny

      Those bender units are notoriously unreliable and surly.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    5. Re:We should thank Israel, or whoever by JWW · · Score: 3, Insightful

      Yep, you and the GGP post are correct, this was a foresight issue. I too was in a position where I was asked to replace reliable, effective, and secure Unix control systems with Windows based systems.

      It was a ridiculous play for the new eye-candy, and "usability" (why do you need general application usability on machines that should be running only ONE program?). Just the fact that there were now Windows machines on the production floor led to enormous headaches. All kinds of access controls and system policies and restrictions and processes needed to be put in place to keep these machines functioning even reasonably well, where the Unix boxes (and X-terminals) they replaced were ROCK SOLID.

      Now the industry will pay for using the quick and easy and VULNERABLE hardware to run their process control systems.

    6. Re:We should thank Israel, or whoever by lgw · · Score: 3, Insightful

      Everything, everything, is a reason for "new government controls" these days. If the TSA groping 3-year-old girls isn't a wakeup call to the gradual march of fascism we seem to embrace, I don't know what is.

      "Threat"? I don't care. "Cyber-threat"? I don't care. I don't care what the threat is any more. I have more than enough government, and I want less! The biggest threat by far is our government, and it's time to de-fund the whole stinking mess.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:We should thank Israel, or whoever by Lumpy · · Score: 3, Insightful

      Wake up call? new?

      Lots of IT pros have been screaming for a DECADE that only complete fucking morons put a SCADA system on anything that is connected to an external network. Let me repeat that. ONLY A COMPLETE MORON will hook up a scada system to a pc that bridges the internet and the secured network, OR puts the whole damn thing on a unsecured network.

      Guess what, Complete morons are the managers of these places, these complete morons do not want to buy extra pc's so they have the employees check their email ON THE SCADA computers. OR they do something stupid and not lock them down and allow the users to install and run software on them.

      This is not a new problem. Those of us in IT have known about it and have been yelling at the idiots in charge for a long time now. IT's just this is the first real "BITE THEM IN THE ASS" that has happened and got a lot of publicity.

      --
      Do not look at laser with remaining good eye.
  2. The solution by Lord+Lode · · Score: 5, Insightful

    Don't use Windows for important industrial systems.

    1. Re:The solution by L4t3r4lu5 · · Score: 4, Funny

      More importantly, don't use control software from companies who mandate that passwords are hard-coded and cannot be changed.

      MS: "By the way, the Windows Server 2008 Domain Admin password is 12345. Be sure to write that down!"

      IT Industry: "Lolwut? GTFO."
      Nuclear Fuel Refinement Industry: "The same as my luggage! I like it!"

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  3. Cut the hardlines by commodore64_love · · Score: 3, Insightful

    There's no reason why these machines should be connected to the internet. Maybe some of the top-level communication computers to coordinate between plants, but certainly not the local-area computers/machines.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    1. Re:Cut the hardlines by keean · · Score: 5, Informative

      Actually Stuxnet does not require the machines to be connected to the Internet. In infests the machines used by the designers of these systems, and piggy backs on update PLDs (programmable logic devices) for the production machinery. It does not even rely on the PLD programming machines being connected, as it infests the PLD design files. It infests the PLD design engineers workstations when someone plugs an infected laptop into the private network that all the design computers are on.

  4. Legislation? by TD-Linux · · Score: 4, Insightful

    I would think that the risk of prolonged downtime in a factory that plows through millions of dollars a day would be enough of an incentive for any manager to tighten their security.

    1. Re:Legislation? by Ryanrule · · Score: 3, Insightful

      But you see, that is the fault of some IT guy they can just fire. But a VP would have to submit outrageous expenses for such security, and that would hurt his bonus.

    2. Re:Legislation? by Tom · · Score: 4, Insightful

      No, it isn't. Humans in general and managers in particular are famously bad at correctly estimating the factors of low-probability/high-impact risks. Not always in the same direction - we vastly overestimate the risk of some stuff, and vastly underestimate others. But we're almost always off, and by several orders of magnitude.

      And don't forget the human factor - the risk for the manager is not millions of dollars of company assets, that is an abstract figure at best. The risk to him is the loss of his job, which is lower in both value and likelihood than the event itself. However, spending money on security is a 100% loss of profit which will impact the bottom line, profit, quarterly report, etc. with a very high probability of negative impact on his bonus or raise.

      Unfortunately, almost everything you learn about management or governance acts as if "the company" would make decisions, and not humans. And ignores that humans have a more personal context that also influences their decisions, and routinely overrides even those cases where the optimal decision can be clearly demonstrated.

      --
      Assorted stuff I do sometimes: Lemuria.org
  5. Even liberals agree, this is dumb. by RingDev · · Score: 4, Interesting

    A fair number of people have labeled me a socialist, and even I can see that this is nothing more than a blatent attempt at a power grab by the federal government, and profiteering by Symantec.

    Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the Senate Homeland Security and Governmental Affairs Committee that the "real-world implications of Stuxnet are beyond any threat we have seen in the past."

    So we're having people who stand to gain more power over their country men making a decision about taking that power, receiving testimony about the threat from the company that stands to profit the most by their decision to take the power. Yeah, that's not a recipe for a horrendous outcome.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  6. Re:Funny how the answer is always more government by Wonko+the+Sane · · Score: 3, Insightful

    When the last time the government solved the problem that it told you it was trying to solve?

  7. Re:industrial control systems? by Anonymous Coward · · Score: 3, Insightful

    For the love of god! You cannot create another Chernobyl, it had ZERO core containment. US reactors have 12 feet thick concrete surrounding the core! It *may* melt down, but then it's entombed in tons of concrete, so there isn't much to worry about! Equating a meltdown to Chernobyl is naive.

    As an AC this post will never see the light of day, but I really wish people would stop being so afraid of nuclear power, it's really our only hope to get off fossil fuels any time soon.

  8. Learn A Little About Stuxnet Before Commenting by Fantom42 · · Score: 4, Informative

    Many of the comments here seem to be unaware of what Stuxnet actually is or how it works. Symantec has a great whitepaper on it that is updated as they learn more. 50 pages of technical detail. Of course you can read the executive summary and at least avoid making the kinds of uniformed comments I'm seeing here.

    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

    Just a Few:

    1. "People are so stupid to connect their industrial control system to the internet!"

    Stuxnet does not require internet access. It delivers its payload in various ways, and in particular, if an infected USB stick is inserted into a susceptible machine, it will find a machine on that network with the Siemens PLC development environment and infect it in such a way to insert hidden malicious code into the PLC.

    2. "Just don't run Windows"

    There is some validity to this idea. But the payload was not delievered to a Windows machine, just via one. How many embedded controller development environments require a Windows machine? Try coding a Xilinx FPGA without a Windows box, or just about anything out there without one.

    3. "We could have seen this coming"

    Most people did see this coming. But they didn't think it was actually plausible to defend against. The Stuxnet worm required a huge amount of resources and detailed knowledge to pull off. Everything from the payload to the infection method. Someone really thought this through. It is a proof of concept of what people generally believed to be only possible in theory.

    The fact that government is getting involved here is a bit worrisome. I hope they at least pay attention to the existing specifications already out there to help mitigate some of these threats. NIST 800-82 is a decent read that is free (final public draft) and there are other pay ones out there as well.

    The reason why I am kindof annoyed about people's ignorance about Stuxnet is because the biggest lesson learned from it is largely being ignored. 1. That "air gap" protection you think you have is not as good as you think it is. 2. The "insider threat" is worth thinking about, even if you trust your insiders. They may not know they are a threat.