For much of the past decade, security has been a major
topic discussed at nearly every automation and controls-focused event I have
attended. However, since the names of the companies and details of security
breaches were rarely revealed in much detail, the specter of cyber attacks on
automation systems always seemed to be more of a potential threat lurking in
the shadows than an active menace upon which systems designers needed to act
changed this summer.
July 14, 2010, Siemens was notified about a Trojan malware program affecting
the company's Simatic WinCC and PCS 7 software. The virus has since been
identified as Stuxnet. Investigations into the virus indicate that Stuxnet was
specifically written to attack SCADA systems used to control and monitor
industrial processes. Stuxnet reportedly has the capability to reprogram PLCs
and hide the changes it makes.
to Byres Security Inc., a company that provides industrial network and SCADA
security products, Stuxnet is "one of the most complex and carefully engineered
worms ever seen. It takes advantage of at least four zero-day vulnerabilities,
has seven different propagation processes, and shows considerable
sophistication in its exploitation of the Windows operating system and Siemens
Simatic WinCC, PCS 7 and S7 product lines."
Siemens reacted to the threat very quickly. On July 22, the
company provided its customers with a tool to detect and remove the virus
without influencing plant operations. By August 8, Microsoft reported that it
had closed the security breach in the operating system. All major virus
scanners can also now detect Stuxnet.
Another recent news development concerning Stuxnet is that
an industrial control security researcher in Germany is speculating that it may
have been created to sabotage a nuclear plant in Iran. The researcher reached
this conclusion largely because the majority of infected systems are in Iran.
According to a report by Reuters, a Symantec study on August 6 showed that Iran
had 62,867 computers infected with Stuxnet; Indonesia had 13,336; India 6,552;
the U.S. 2,913; Australia 2,436; Britain 1,038; Malaysia 1,013; and Pakistan 993.
reports that, from mid-July to late August, a total of 15 cases were reported
to the company where the Stuxnet virus was detected in various plants, roughly
one-third of those cases were in Germany. Siemens says it is "not aware of any
instances where production operations have been influenced or where a plant has
failed; the virus has been removed in all cases known to Siemens."
Stuxnet may now be largely contained, the prospects for these types of attacks
are not. For insight into current political activities about which it would not
be far-fetched to say might have ties to the Stuxnet case, read this recent
article in The Atlantic.
Regardless of Stuxnet developers' intent, its
emergence has helped concentrate the industrial systems security issue. With
industrial control systems at the heart of the global economic engine - as well
as any state-controlled industrial activities - systems security must now be as
much a central focus for automation and control systems designers as operations
speed and throughput, energy use, scalability and maintenance.