Stuxnet Investigations Continue

Not long ago, I wrote a blog entry on automation systems security, focusing on the increased interest in the issue in the years since 9/11 and new developments surrounding OPC security software (you can access the blog by clicking here). That blog principally focused on the steps that can be taken to prevent an unwanted incursion on an automation system. In this blog, the focus is on what’s being done about real incursions that have taken place in the past few months.

On July 14, 2010, Siemens was notified about a Trojan malware program affecting the company’s Simatic WinCC and PCS 7 software. The virus has since been identified as Stuxnet. Investigations into the virus indicate that Stuxnet was specifically written to attack SCADA systems used to control and monitor industrial processes. Reportedly, Stuxnet includes the capability to reprogram PLCs and hide the changes.

On July 22, Siemens provided its customers with a tool to detect and remove the virus without influencing plant operations. By August 8, Microsoft reported that it had closed the security breach in the operating system. All major virus scanners can also now detect Stuxnet.

The most disturbing development in this case has been the announcement from Siemens that, based on analyses of the virus and its behavior in the software environment of a test system, the Stuxnet virus “does not appear to be the random development of one hacker, but the product of a team of experts.” Siemens believes the team behind Stuxnet is comprised of IT experts with knowledge of industrial controls.

Another recent news development on Stuxnet is that an industrial control security researcher in Germany is speculating that it may have been created to sabotage a nuclear plant in Iran. The researcher reached this conclusion largely because the majority of infected systems are in Iran. According to a report by Reuters, a Symantec study on August 6 showed that Iran had 62,867 computers infected with Stuxnet; Indonesia had 13,336; India 6,552; United States 2,913; Australia 2,436; Britain 1,038; Malaysia 1,013; and Pakistan 993.

Siemens reports that, from mid-July to late August, a total of 15 cases were reported to the company where the Stuxnet virus was detected in various plants, roughly one third of those cases were in Germany. Siemens says it is “not aware of any instances where production operations have been influenced or where a plant has failed; the virus has been removed in all cases known to Siemens.”

While Stuxnet may now be largely contained, the prospects for these types of attacks are not. In fact, this period may soon be looked on as the relative calm before the storm. For insight into current political activities about which it would not be far-fetched to say might have ties to the Stuxnet case, read this recent article in The Atlantic.

Regardless of Stuxnet developers’ intent, its emergence has helped concentrate the industrial systems security issue. With industrial control systems at the heart of the global economic engine–as well as any state-controlled industrial activities–systems security must now be as much a central focus for automation and control systems designers as operations speed and throughput, energy use, scalability, and maintenance.