If you don't see any difference between gmail and every other 'online email system' that came before it, you are in way over your head.
How do you describe the connections you sell for $80/month?
It is using them to propagate, which is more than nothing.
It isn't breaking any hardware given its enormously specific payload, but that can be remotely updated.
http://www.zdnetasia.com/stuxnet-infections-continue-to-rise-62201930.htm
There are infections in Step 7 showing up at what I'm guessing are either automation companies or companies with big in house automation support, given that they are known to Siemens.
Other than Siemens controllers being less common in the US, why wouldn't it?
You don't even know the difference between a SCADA system and the PLCs controlling the equipment; why should anyone take your industrial network security musings seriously?
Slashdot makes this same mistake every single time a story like this goes on the front page. Every time.
The report is from a marketing firm. Their audience is other marketing types who make reports to business types. That lot is concerned about growth because growth is where they can make money. Selling things in markets that are growing faster than competition can enter, which means profit margins can stay comfortably high.
Once growth falls off and capacity catches up, things get competitive. Margins dwindle and the kinds of companies that pay people to read marketing reports can no longer survive.
I think the music industry handed Apple lock-in on a silver platter.
They demanded DRM. iTunes was the only good consumer oriented digital music store at the time and only iPods could play the DRM'd AAC files it sold.
The light bill doesn't pay itself.
Taco at least meters them in as opposed to flooding the front page. Unless a new iPod comes out or the like, then all bets are off.
Trust logged in users implicitly though.
I lived there for more than 16 years.
While you are largely correct in your assessment of leaders there, you vastly oversimplify the problem in the same way as those you criticize, in that all of you try to point one finger in one direction.
More interesting than the article is that I now know there is such a thing as a serpentarium. Everywhere I've lived, and in all the movies I've watched, they've just been called 'reptile zoo' or something similar.
I imagine people go into a serpentarium and the lights are low. Everyone sits down, reclines their seat back and stares upward. Then the lights come up to reveal thousands of serpents suspended from the ceiling, writhing around. People ooh and aah.
Sounds awesome.
Last place on the planet I want to live, is in a decaying urban center.
As for buying an existing structure, my current home is a nearly 200 year old farmhouse, so I'm on board with that idea. But where I need a cabin, there are no existing structures to renovate.
I like how you saved that a in your first sentence though. You really minimized consumption of resources on that one.
Where do you propose people build houses? Only on naturally level ground, on which no vegetation is growing?
My hunting cabin is making LEED Silver, despite my having to 'clear away for forest' and 'level a hilltop'.
You seem to be trying to direct suspicion away from yourself....
I wrote a comment last week that these days Taco amuses himself by trolling the blocks off Slashdotters.
He is starting early today. I expect good things to come.
All of the things Taco is not. So he is the perfect target for trolling, which Taco has just masterfully done.
Taco made major modifications to the entire Karma system mostly to frustrate a couple of users. Taco loves to troll folks.
How would the worm know if an input is tied to turbine RPM or if it is some other device?
It wouldn't know that specifically, but it modifies a block that is used to control a process that requires a very fast response. There aren't very many applications that would require that block, so most programmers wouldn't bother programming and tuning it and interrupting the normal logic scan unless they really needed it.
To me it seems that Stuxnet is trying to slow the response time of the block it modifies and of the PLC overall. If you were trying to control your oven's heating element by changing the current you allowed it to draw in response to input from a thermocouple, and I could slow down the calculation you were using to determine the current change, I could cause the oven to overrun the temp. If that were a turbine I could cause it to overspeed, or a pressure vessel to overpressure, etc etc. Just that one change would cause 'havoc' to whatever process it was controlling. The process is guaranteed to be time sensitive regardless of what it is.
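The oven argument above can be made concrete with a toy simulation. This is an added example, not code from the thread or from any Stuxnet analysis: a heater is switched by a thermostat whose logic only runs every `scan_steps` physics steps, standing in for a PLC whose scan has been slowed down. All rates, the setpoint and the timing are made-up constants chosen for illustration.

```python
# Added example (not from the original post). Toy model of the oven described
# above: a heater driven by a thermostat that is only evaluated on its scan.
# Slowing the scan lengthens the time the heater stays on after the setpoint
# is crossed, so the temperature overshoot grows. All constants are assumed.

def simulate_oven(scan_steps: int, setpoint: float = 100.0,
                  duration_s: float = 300.0, dt: float = 0.1) -> dict:
    t_amb = 20.0        # ambient temperature, deg C (assumed)
    heat_rate = 2.0     # deg C per second with the heater on (assumed)
    loss_coeff = 0.01   # fraction of (T - ambient) lost per second (assumed)
    temp = t_amb
    heater_on = False
    peak = temp
    steps = int(duration_s / dt)
    for step in range(steps):
        # The control logic is only evaluated on its scan; between scans the
        # heater keeps its last state, just as a PLC output would.
        if step % scan_steps == 0:
            heater_on = temp < setpoint
        if heater_on:
            temp += heat_rate * dt
        temp -= loss_coeff * (temp - t_amb) * dt
        peak = max(peak, temp)
    return {"peak": peak, "overshoot": max(0.0, peak - setpoint)}


def overshoot_for(scan_steps: int) -> float:
    """Worst temperature overrun (deg C) over the run for a given scan period."""
    return simulate_oven(scan_steps)["overshoot"]


if __name__ == "__main__":
    for scan in (1, 10, 50):
        print(f"scan every {scan * 0.1:4.1f}s -> overshoot {overshoot_for(scan):.2f} C")
```

With the controller evaluated every 0.1 s the overrun stays within a single heating step; at a 5 s scan the heater can run several seconds past the setpoint, and the overrun grows accordingly. Nothing about the controller logic itself changed, only how often it was allowed to run, which is the point made above about a turbine or a pressure vessel.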
Do specific inputs on a PLC get specific ports?
No. But a good programmer can often figure out details of the process just by watching the logic run. I can look at the constants used for a PID instruction and know whether it is controlling a heating element based on input from a Type J thermocouple...for instance.
Or do you just have generic A/D and GPIO ports?
Generally an input to a PLC will have an address like I:1.0/0. That would indicate a discrete input card was present in the first slot of the PLC's chassis and that the wires from this particular input landed on the first input point. Most are 16 bit IO so you'd have I:1.0/0 through I:1.0/15, then I:2.0/0 and so on.
A discrete output would be O:1.0/0. You'd recognize analog IO because it would be used in the logic at the bit level. IO for modern PLCs is typically modular and can be arranged in any order.
You wouldn't know what specifically was at the end of the wires (a button or a 2 position switch or whatever) but you might be able to figure it out.
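A small parser for the discrete I/O address format given in the comment above (I:1.0/0, O:1.0/0, 16 points per word), as an added example rather than anything from the thread. The address grammar and the 0..15 point range are taken from that description; the helper names and the inventory function are my own.

```python
# Added example (not from the original post): parse the discrete I/O
# addresses described above, e.g. "I:1.0/0" = input card in chassis slot 1,
# word 0, point 0. The grammar below is an assumption based on that comment.
import re
from typing import Dict, List, NamedTuple, Set, Tuple

_ADDR_RE = re.compile(
    r"^(?P<kind>[IO]):(?P<slot>\d+)\.(?P<word>\d+)/(?P<bit>\d+)$"
)


class IOPoint(NamedTuple):
    kind: str   # "I" = discrete input, "O" = discrete output
    slot: int   # chassis slot the card sits in
    word: int   # 16-bit word on that card
    bit: int    # point 0..15 within the word


def parse_io_address(text: str) -> IOPoint:
    """Split an address like 'O:2.0/15' into its parts, rejecting bad ones."""
    m = _ADDR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a discrete I/O address: {text!r}")
    bit = int(m["bit"])
    if not 0 <= bit <= 15:
        raise ValueError(f"point {bit} out of range for a 16-point card: {text!r}")
    return IOPoint(m["kind"], int(m["slot"]), int(m["word"]), bit)


def card_points(kind: str, slot: int, word: int = 0) -> List[str]:
    """All 16 addresses on one discrete card, I:1.0/0 .. I:1.0/15."""
    return [f"{kind}:{slot}.{word}/{b}" for b in range(16)]


def points_by_slot(addresses) -> Dict[Tuple[str, int], Set[int]]:
    """Group referenced addresses by (kind, slot): a quick inventory of which
    cards and points a program actually touches."""
    out: Dict[Tuple[str, int], Set[int]] = {}
    for a in addresses:
        p = parse_io_address(a)
        out.setdefault((p.kind, p.slot), set()).add(p.bit)
    return out


if __name__ == "__main__":
    # Constructed sample of addresses as they might appear in ladder logic.
    sample = ["I:1.0/0", "I:1.0/3", "O:2.0/1", "O:2.0/15"]
    for a in sample:
        print(a, "->", parse_io_address(a))
    print(points_by_slot(sample))
```

Walking the addresses a program references and grouping them per slot is the first step of the "figure out what is on the end of the wires" exercise described above: it tells you which cards exist and which points the logic actually uses before you start reading the instructions around them.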
They probably are, but they rely on contractors to program them. Stuxnet arrives via the contractor's laptops, or USB drives, or wherever else, then persists on Iran's control network.
Windows AV software really isn't much help with malware that it doesn't already know.
You don't understand industrial control systems. It isn't Windows that does any safety-critical controlling, it is a PLC, which is the target of Stuxnet's payload. Stuxnet just happens to use Windows to propagate, which is a good choice because nearly all PLC programming and interface software is Windows only. Anyone this talented could have written a Linux worm that did the same thing, but it would have been ineffective because Linux is hardly ever connected to a Siemens PLC. Windows being a bottomless pit of zero days doesn't help, of course.
The specifics are that it looks for S7-300 and S7-400 controllers and modifies OB35, which is usually used for safety circuit type monitoring of very high speed processes. It also inserts blocks all over the PLC, which I assume is a method to increase scan times.
I've not seen anything to suggest that it looks for anything more specific than that, and there are tons of S7-300/400s out there. It wouldn't likely cause 'havoc' in very many applications since OB35 isn't needed in very many generic industrial processes. The only place I've seen it needed was in a polymer reactor, but I haven't been everywhere.
Most of the articles say it attacks SCADA systems, but that is typical uninformed reporting. It uses Windows-based SCADA systems to propagate, but the attack is delivered to a PLC. To me that suggests the intent is exclusively to damage industrial equipment. These days most of the 'secrets' would be housed on the SCADA side and the PLC just does the actual direct controlling of the hardware.
So they should have built their own software to run on S7 PLCs? What country that you know of does that? Do you know of any country that does? If so name them, because I've been to dozens and never seen anything of the sort.
They could have probably run a lot of their automation with relay logic, but at a significantly increased cost.
So you're saying this whole thing might be A Ridiculous Liberal Myth?
It is the developer's tools available.
The 'mission critical control system' in this case is a PLC, which directly controls the equipment. It doesn't even require that any consumer computer be involved for that to happen, although they often are to provide for data collection or operator interfaces or the like.
But to get the PLC to control the hardware a person has to write logic for it, which was probably done in this case with Simatic S7, which is Windows only. The bulk of the above mentioned interface and data collection packages are Windows only as well.
With a good design an industrial control system, because it is the PLC that does the work, will run along just fine even if PC based nodes crash. The new development with Stuxnet is that the virus is running on the PLC itself.
So why bother with the ban?