After being big news in the automation sector for months, the Stuxnet virus hit mainstream consciousness late in 2010 with a series of articles by The New York Times and The Atlantic, among others. After all, how could a computer virus that many initially thought would only be a concern to manufacturing engineers morph into a tool of international nuclear sabotage and not be a hit in the general press as well?
If only the end of the story were known, I’m sure a slew of scriptwriters would be working on drafts as we speak.
But since the end of the story is not known, new developments surrounding the virus and associated industrial security themes continue to appear in my inbox regularly.
The most interesting of the releases I have seen recently involves a new white paper that promises to detail how Stuxnet is able to infect a control system protected by a high-security architecture using modern, vendor-recommended best practices. The paper follows the progress of the worm as it moves through a hypothetical control system that has been configured according to those practices. Despite these strong security measures, the worm is able to compromise a sequence of machines, eventually leading to the compromise of the PLC devices that directly control the physical process.
While it is presumed that Stuxnet was designed to target Siemens’ WinCC and PCS7 systems used at Iran’s uranium enrichment plants, don’t think that you’re in the clear if you design for or use other industrial platforms. After all, Siemens considers Stuxnet to be a Windows problem, not a Siemens issue … and, to be fair, Stuxnet did exploit four different security vulnerabilities to access and spread around Microsoft’s Windows operating system in order to gain access to the Siemens systems.
The new bottom line is that industrial systems will increasingly be a target of hackers for a variety of reasons. Very few of them will have the exciting underpinning of international sabotage — it’ll most likely be the work of ticked-off ex-employees — but the result will be the same. Your system won’t be functioning, and it will be costing the company using it tons of money in lost revenues.
To see the details in this paper about how current security best practices are insufficient to block advanced threats like Stuxnet, visit http://www.tofinosecurity.com/how-stuxnet-spreads.