PLC vulnerabilities (Stuxnet)

Status
Not open for further replies.

dbuckley

Senior Member
You've probably heard on the news that the Stuxnet computer worm is now believed to have been the product of America and Israel, targeting the PLC systems that operate Iran's nuclear enrichment programme.

Leaving all the international politics completely to one side, this is technically a very interesting and significant event, one that is becoming more understood, and is capable of being replicated.

The Symantec folk have a presentation, a 64-page document, and a video on this, which any PLC folk ought to take an interest in, as the chances are that now that it's happened once it'll happen again.

More info here.
 

pfalcon

Senior Member
Location
Indiana
Stuxnet certainly went deep. Had to read a lot of pages to find the actual PLC infection.

I suspect the next time you see something similar it will be much cruder. The PLC will probably not be infected per se but simply altered to do more immediate damage. PLCs typically have low memory and low flexibility for programming, therefore they serve as a poor vector for infections.

Later, more sophisticated PLC bombs will infect the PLC to do damage and then self-erase to hide their tracks on the PLC. Permanent infections will more likely reside on PCs used to control them.

Unfortunately in the "Age of Connectivity" we rely too much on virtual walls. Many computers interact with both secure and insecure domains.
 

renosteinke

Senior Member
Location
NE Arkansas
My POE has a multitude of PLCs and VFDs. One of the challenges has been to keep the VFD parameters where we need them. Until this was posted, I had not thought to consider that the problems might originate in the PLCs - whether from malice, or a simple malfunction.

Interesting information.
 

dbuckley

Senior Member
Ignoring the virus aspects of infection, despite the fact an impressive arsenal of tricks has been brought together to achieve it, there are two really interesting PLC aspects to this.

The first is that the PLC loading and monitoring software (including SCADA!) on a PC can be compromised to the point where you can't tell that something isn't right, and the second is that you can intercept the PLC communications on the PLC to the point where an outside application that is honest still can't tell it's being lied to.

The scary bit is that the PC end of this hack (for Siemens PLCs at least, and probably many others as well) is quite simple, and well within the capability of most programmers; intercepting a call to some library of code. We used to do this all the time on DOS PCs to add stuff in; it's rarer on Windows because generally the hooks you need are available and documented. But hooking calls is still possible and not that hard. An attacker has the problem of getting his dodgy code onto a SCADA or programmer's PC, but that could be a very low-tech delivery: a cleaner with a USB memory stick while the operator has popped out to the gents would be all it needed.

Such an attack would be comparatively crude, but a simple crude attack could have terrible consequences.
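One defensive check for the PC-side part of this, as an added example that is not from the thread or from any PLC vendor: a baseline of SHA-256 hashes taken from a known-good engineering workstation is compared against the library files now on disk, so a communications library that has been swapped for a copy that intercepts calls shows up as modified. The directory and the library file names are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so a large library never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(lib_dir: Path, patterns=("*.dll",)) -> dict:
    """Record file name -> SHA-256 for every library under lib_dir.
    Run this once on a known-good install and store the result offline."""
    return {p.name: sha256_file(p) for pat in patterns for p in sorted(lib_dir.glob(pat))}


def verify(lib_dir: Path, baseline: dict) -> dict:
    """Compare the current library set against the stored baseline.
    A swapped-in library keeps its file name but not its hash, so it is
    reported under 'modified'; unexpected new files and removed files are
    reported separately."""
    current = build_baseline(lib_dir)
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict:
    """Constructed scenario: a stand-in engineering-software directory with two
    hypothetical library files, one of which is then replaced and one added."""
    with tempfile.TemporaryDirectory() as tmp:
        lib_dir = Path(tmp)
        (lib_dir / "plc_comm.dll").write_bytes(b"original comms library")  # hypothetical name
        (lib_dir / "ui_helper.dll").write_bytes(b"original ui helper")  # hypothetical name
        baseline = build_baseline(lib_dir)
        # Simulate the swap: same file name, different contents, plus a stray file
        (lib_dir / "plc_comm.dll").write_bytes(b"replacement comms library")
        (lib_dir / "extra.dll").write_bytes(b"unexpected file")
        return verify(lib_dir, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

This catches a replaced file on disk, not a hook applied only in memory, so it complements rather than replaces application allow-listing and removable-media controls on the programming PC.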