Stuxnet 'a game changer for malware defence'

The Stuxnet malware is a game changer for critical information infrastructure protection, an EU security agency has warned. ENISA (European Network and Information Security Agency) warns that a similar attack of malware capable of sabotaging industrial control systems as Stuxnet may occur in future. The worm, whose primary …


  1. PaulVD


    "helping to devise revised best practices for securing SCADA systems."

    It should be quite a short document:

    1. Do not connect any SCADA system to the internet.

    2. Do not connect any SCADA system to any computer running any version of Windows.

    3. Member States will impose the mandatory death penalty for anyone who violates rules 1 or 2.

    1. amanfromMars 1 Silver badge

      Let IT be .... and it is.

      How do you secure SCADA systems against Wireless and Satellite Beamed Intrusions which are Super IntelAIgently Designed to Engage and Enable/Actualise Executive Administrative Devices? And why would one wish to bother to deny oneself such Selfless Treasure and Fabulous Pleasure.

    2. Naughtyhorse
      Thumb Down


      should really STFU when it comes to anything to do with the real world.

      It's just embarrassing.

  2. Anonymous Coward

    Statements of the obvious?

    Among others:

    "ENISA (European Network and Information Security Agency) warns that a similar attack of malware capable of sabotaging industrial control systems as Stuxnet may occur in future."

    Which is another way of saying that the type of attack that already happened could happen again... Wow! Really - who knew?

    "Critical protection methodologies and best practices will have to be reassessed in the wake of Stuxnet, according to ENISA."

    I.E... slapping McAfee/SAV/etc on your Windows XP "critical infrastructure", strolling off and whistling might be inadequate?

    If "critical protection methodologies" of the type that I've heard of before, which include stateless operating systems and disabling of USB among a number of other best practices... had actually been followed they more than likely would not have seen this infection.

    I have yet to see any evidence that the "critical" machines in question were managed any differently than a standard desktop.

    1. The Other Steve

      Quite so

      "I have yet to see any evidence that the "critical" machines in question were managed any differently than a standard desktop."

      And in many cases, possibly even managed less/worse, as the presumption is that the air gap will save them. Whoops!

      "If "critical protection methodologies" of the type that I've heard of before, which include stateless operating systems and disabling of USB among a number of other best practices"

      High assurance measures, I think you mean. Often they end up at the bottom of the RA matrix because of the cost. The figure in the 'cost of failure to mitigate' column just had a rather hefty number of zeros postfixed, though, so this may change.

      1. Geoff Campbell Silver badge

        Cost is a relative thing.

        Paying to harden the operating system is one thing, but on a factory floor environment your solutions don't have to be pretty - fill the USB ports with a hot glue gun, and remove the CD and floppy disk drives. Sorted....


        1. The Other Steve

          Slight problem

          "Paying to harden the operating system is one thing, but on a factory floor environment your solutions don't have to be pretty - fill the USB ports with a hot glue gun, and remove the CD and floppy disk drives. Sorted...."

          Cool. Now how do I get my updated PLC code onto the machine?

          1. Tom 13

            @The Other Steve

            That's what the punch card reader is for you idiot!

    2. Anonymous Coward

      If "critical protection methodologies

      Security always seems an afterthought and only really taken seriously for a while when burnt.

      The rush to web apps seems typical - people are starting to wake up to the idea that security needs to be taken seriously, and with web apps it is far more complex than an application.

  3. Peter Fox


    Look what happens when you use long words... incorrectly.

  4. Anonymous Coward


    - an intelligence agency from one of the G7 is most likely to have the means, the motive, and the capability

    - the pattern of infection - they are all Asian/Middle Eastern countries, or very close to it

    - the pattern of NON-infection - Europe, USA and China are currently not listed in the article as being infected - you probably wouldn't infect yourself, so this is the shortlist

    - the control centres - hmm, one in Asia, one in Europe.

    - the common element in the infection/non-infection/command centres is China.

    So that would be my prime suspect, if I was investigating, which of course I'm not.

  5. Tom 7

    Game Changer?

    I think not.

    Same rules apply - if it's worth more than 50p don't have Windows in the loop.

  6. n3td3v

    Lockerbie bomber release was motive for Stuxnet Worm

    "Motivation behind Stuxnet." BP lobbied for the release of the Lockerbie bomber, and the people responsible for Stuxnet wanted to make sure they paid. To make sure the oil deal from releasing the bomber, BP couldn't make a profit from. Stuxnet targeted the oil well. There were a lot of unhappy people after the release of Abdelbaset Ali al-Megrahi. Abdelbaset Ali al-Megrahi was convicted for blowing up Pan Am Flight 103 over Lockerbie, Scotland, on December 21, 1988. He was freed on compassionate grounds by the Scottish government on August 20, 2009. The claim was he had terminal prostate cancer and was expected to have less than three months to live. It was a lie and he is still alive living the life of Riley in Libya. Originally posted by me at

    1. The Other Steve

      Originally posted

      And mocked

    2. Robert Carnegie Silver badge

      He is not living the life of Riley.

      He is horribly ill.

      They probably had to cut bits out of his willy to keep him alive at all. When you do that to a willy, it doesn't work very well for any of the things you normally use it for.

      He's probably been irradiated.

      And he's slowly slowly dying.

      One plus: because of the terrible pain, they let you have as much heroin as you want. However, at a certain stage, the point of still feeling pain and the point of still remembering who you are cross over. And then you're a struldbrug, except that, unlike a struldbrug, you are, in fact, about to die.

  7. Chemist

    "essentially ignores vulnerable Windows boxes...

    This does rather give the impression that the Windows controllers/reporter computers are not involved. The systems wouldn't be in trouble if it wasn't for the vulnerabilities in Windows AND the criminal lax security of the Siemens systems.

    But let us be clear - the Windows PCs ARE infected.

  8. Anonymous Coward

    "No Member State ... can successfully mitigate on their own

    "No Member State, hardware/software vendor, CERT or law enforcement agency can successfully mitigate sophisticated attacks like Stuxnet on their own"

    Member states are in a better position to do something about this than the other parties on that list. The hardware/software vendors are in general clearly certified Microsoft dependent, directly or indirectly, and law enforcement agencies also are far too subject to generic MS lobbying at senior government level.

    Member states can set (or contribute to setting) nuclear regulatory policy, and in general the input has to come from credible technical sources (not government officers). Regulatory policy could and probably should be worded such that known vulnerable MS products do not at any time cross the plant boundary. Known vulnerable MS products: Windows will do as a start.

    Anti-competitive? No more anti-competitive than tactics MS have used in the past? Now it's their turn to be on the receiving end.

    Not just nuclear either. In due course, see also: water, electricity, oil, gas, flight systems, etc. Oh, and maybe finance too. I want to be able to keep what's left of my pension.

    Where's Ross Anderson? What's he got to say about this, or is it of no interest because there's no money at stake?? Les Hatton, where are you?

    The engineers with clue on these projects likely *know* what they're doing is wrong but the PHBs in charge have, to date, left them little option but to continue down this road.

    It's time to stop pussyfooting around.

  9. Anonymous Coward

    Time to ditch windows, seriously

    For all serious business / commercial / industrial use Windows really needs to be ditched, much as I like it and enjoy using it.

    One thing that puzzled me during the 80's and 90's was the massive adoption of what was to me, a user friendly home operating system, but across the business world. I simply did not "get it" that workers should be "allowed" to use a home system and play games at work, browse the web, etc. Now it cannot be really turned off without great pain and resistance, but it MUST be done.

    Businesses need business systems, probably based on linux or BSD, and not necessarily the newbie friendly Ubuntu which has also taken steps to simplify security but reduce it accordingly.

    IT Professionals need to stop being lazy and CIOs need to stop trying to be popular but have a serious discussion with the CFO and COO about the risks and cost of lax security and that it cannot really be fixed without major forget about allowing iPhones or Android phones in with all their security ridden apps sending data to god knows where!

    1. Eddie Johnson

      But... but... but....

      The users will riot if we take away their access to Facebook! Accessing Facebook to carry out personal business while on the employer's clock is a fundamental human right and can not be infringed upon.

  10. OSC

    Bring back DEC, all is forgiven

    Many years ago I was running process control on a VAX 32 (single chip, 6U(?) 19" rack, not much in the way of magnetic storage (but on that at least, now we have no problem) using RSX11 IIRC.

    And there was XINU, now there is RTLinux.

    I understand that graphical interfaces used not to be a priority for NIX lovers, but that too has changed.

    I think I know what architecture I would want for my networked process control

  11. Anonymous Coward

    I've still never heard a good explanation

    On the infection pattern. Why India (86,258), Indonesia (34,138) and Iran (14,171) with such high infection numbers? (Figs from Kaspersky as of 9/28). The "next" highest on the list is roughly half of Iran's numbers.

    Seems to me to imply a lot of traffic between Iran, which is under all sorts of UN Sanctions, and India and Indonesia.

  12. The Other Steve

    1. Do not connect any SCADA system to the internet.

    Another person who has failed to read any of the analysis of the threat before flapping their fingers.

    1. Andraž 'ruskie' Levstik

      You failed to read the article as well...

      You see the C&C centers connect to this via the internet. Take that out and there is no way of controlling what happens. Of course someone could break something else but that would require a very specific targeted attack to work on a specific setup.

      So yes... internet is necessary if you want to actually control stuff. It isn't a complete solution but it's a start.

      1. The Other Steve

        No, I didn't

        "You failed to read the article as well."


        The problem is not that I didn't read the article, it's that you don't understand the threat.

    2. Anonymous Coward

      Why indeed

      I work with SCADA and PLCs in the water industry, we don't put them on the internet.

      Quite clever to rely on infected USBs. But why are people plugging USB sticks into SCADA systems?

      1. The Other Steve

        RE: Why indeed

        "But why are people plugging USB sticks into SCADA systems?"

        They aren't. They are/were plugging them into the Windows host used to program PLCs, at which point stuxnet trojans your PLC programming software (WinCC in this case), and then next time you program a PLC, it actually writes custom code to the PLC. Code which is masked from the programming host.*

        Then you drop your PLC back in, and your plant go boom, or at least crunch, if it happens to match a certain configuration.

        That's why everyone's knickers are in a twist.

        *this is a gross simplification, if you work with SCADA, reading the actual analysis is an absolute must.

    3. Anonymous Coward


      At the weekend I was speaking to a friend of mine who is a process control engineer in a large foundry. I mentioned this worm to him and its attack vector and he was totally staggered that anyone would attach their SCADA to any network which could be connected to the outside world in any way or allow anyone to attach external media to the systems. He also said that this is SCADA lesson one. After this he said that they ditched Siemens years ago due to unreliability...

      1. The Other Steve

        Last self repetition, honest. Please RTF Analysis

        "he was totally staggered that anyone would attach their SCADA to any network which could be connected to the outside world in any way"

        The (allegedly) affected SCADA systems were not connected to the outside world in any way.

        "or allow anyone to attach external media to the systems."

        No one attached external media to the SCADA systems.

        "He also said that this is SCADA lesson one."

        Indeed it is. Which is why stuxnet was coded in order to jump over these limitations.

        Clearly none of the commentards can be arsed to RTFM, so in summary:

        Stuxnet arrives at your plant on a USB drive (say). It then compromises machines and spreads through your internal net via a combination of tricky exploits. It also continues to infect USB (or other removable media).

        At some point, someone takes a USB drive across the air gap that separates the internal net from the PLC development boxes and plugs it into the machine used for PLC software development, it spots the WinCC PLC development environment and trojans the fuck out of it, enabling it to drop its payload of malicious PLC code into any PLC projects that come along.

        At some point further along, someone takes this developed PLC code on (say) a USB stick, and crosses another air gap to the machine that is used to program the code onto the PLC. At which point, stuxnet trojans the fuck out of the PLC programming software as well.

        Now, at this point, when you take your PLC out of your SCADA gubbins to modify the process code on it, another air gap because no one attaches SCADA to anything, it rewrites the code on the PLC, only you can't see it, because stuxnet has trojaned the fuck out of the programming software, and it is now lying to you.

        Then you put the PLC back across the air gap and start up your plant. Then your plant go boom.

        Stuxnet was specifically designed to work around the fact that no one is dumb enough to connect SCADA kit to external networks, and to exploit the - now thoroughly debunked - belief that this is sufficient to protect them from remote malfeasance.

        Now can we all please stop with the "shouldn't connect SCADA to teh internets" cockwaffle?

        1. Anonymous Coward


          Steve - What is attaching a USB drive to the SCADA systems, if it's not attaching external/removable media?

          Like I said, there are basically two ways that computers can become infected - via a network connection or via external media. I can't think of another way to get software onto a computer, short of typing it in.

          1. The Other Steve


            Utterly hopeless.

        2. Eddie Johnson

          Yes, but....

          Really, none of this matters if you don't connect your SCADA to the Internet.

          I jest but I'm working on a PLC that is, wait for it, connected to and programmable over the Internet. It's not exactly critical infrastructure and the worst someone could do is burn out a couple pumps and spill a bit of poo, but I've still been appalled at how every company involved depends only upon the obscurity of the hardware for security. Much like Siemens they all advise against changing default passwords or ports. And one of the passwords is 12345. Consider this my grey hat disclosure to encourage better security.

  13. Anonymous Coward


    I wonder how many of those systems were considered 'closed' as a justification for not having any virus/malware scanning

    1. Anonymous Coward

      Re: "not having any virus/malware scanning"

      Not that malware scanning would have thwarted a well financed team of black-hats anyway.

  14. Anonymous Coward

    @Simple PaulVD

    Paul forgot another rule, before his rule 3:

    3) Do not allow "critical Windows systems" [1] ever to interchange programs or data with any other computer systems, as the transfer of files can expose as-yet-unknown vulnerabilities, as happened with Stuxnet and with many others before and with many others still to come.

    Once PaulVD and others acknowledge this simple truth, one which is so impractical as to be unimplementable, the futility and risk of using Windows for this kind of critical application becomes very clear.

    [1] ok it's an oxymoron but there are a lot of morons in this picture

    [submitted Sun 8:30 pm ish BST]

  15. Skymonrie

    Please oh please

    Will the powers upon high, gaze down at the brick and mortar that builds the hills through which the skills of business supposedly rise feeding their pockets. Without surprise, and in only one breath surmise that the protective guise of Microsoft as secure is seen through like manure. Pure and secure by nature is the world of open source (surprise, surprise). Of course though, this side of the world that glides by doesn't have so many people who pull out their horse tackle and shackle such critical systems to their grin for it is a world where people actually look within to see sense and make decisions based on precision and principle. Stuxnet is not new just as the sky is blue, what is new is the rain that forces people to look up without an umbrella :p

    *whistles innocently* ahhhh, sunday poetreats :p

  16. Will Godfrey Silver badge

    Not Simple

    The entire system software (PLCs and computers) should run from Read-Only devices. No executable code in RAM. Nothing in data store should be capable of being executed. No general purpose libraries. No external devices should be able to directly write to the data but must go through a locked-down IO system. Whatever BIOS that's there (and it should be really minimal) should only be able to read program from one specific source and should not be software reconfigurable.

    This will never happen of course as while Devs would love it the bean counters would veto it as not being 'cost effective'.

    1. Naughtyhorse
      Thumb Down



  17. Paul Crawford Silver badge
    Paris Hilton

    No sh*t Sherlock

    "protection methodologies and best practices will have to be reassessed"

    Start by firing all of the muppets who were responsible for the lamentable security of the Siemens system perhaps (remember the 'un-changeable passwords')?

    Then make insurance of said devices mandatory, and allow the financial penalties of using Windows with its impressive history of exploitation become a financial factor in deciding what OS(s) to use.

    Now please note that I have said before, and will repeat it again for the hard of thinking, there is no perfect OS from a security point of view, and if said muppets can be persuaded to install something with more holes than Swiss cheese you are facing game over irrespective of the OS choice.

    But really, given Windows' legacy of exploits, and the established expertise in black-hat circles for penetrating it from all manner of orifices, only Paris would think it a smart move for critical infrastructure.

    1. Robert Carnegie Silver badge

      " a game changer for critical information infrastructure protection"

      in that if your critical information infrastructure DOESN'T LET YOU CHANGE THE FACTORY DEFAULT PASSWORD then SOMEBODY NEEDS TO BE FIRED.

      New rule. ;-)

      Having said that, if the target of the worm was Iranian atomic energy generation, then the vulnerability may have been put in place on purpose.

      And of course nobody is allowed to sell nice stuff to Iran anyway - so they probably have trouble using the customer support line.

      How dare they try to enter the twentieth century.

  18. Ol'Peculier

    Back doors

    What the back door password was doing there in the first place is the thing that gets me.

    Can anybody shed any light on whether this is industry practice for this kind of equipment?

  19. Anonymous Coward

    One question that yet isn't answered...

    I wonder. The worm exclusively targets systems made by Siemens.

    Who are Siemens' main competitors for those contracts? It doesn't (by its spread geographically) seem targeted at any one country, but it is provably targeted at one single supplier's systems. Who stands to gain, should this worm tarnish Siemens' reputation in the industry?

  20. frank ly


    "..was granted a five-year extenuation to its responsibilities last month. .."

    extenuation: noun - 1.the act of extenuating. 2.the state of being extenuated.

    extenuate: verb - represent (a fault, offense, etc.) as less serious.

    2. to serve to make (a fault, offense, etc.) seem less serious. underestimate, underrate, or make light of.

    I don't get it.

  21. Anonymous Coward


    with the continual de-skilling and down sizing of factory staff; OEM support is moving more and more into remote access. This after spending years telling clients that no sane Engineer would put a process network anywhere near the inter/intranet; hell we don't even want our friends from IT having access. But now we have to link (mostly via a good solid firewall) to the factory IT infrastructure & then out either by VPN/HTTPS or dedicated ADSL link.

    So now I sit somewhere in the UK accessing factories all over the world. Some of them even want me to have access to their Process Control systems so I can modify/improve it - when it is running. And I can do this from the office or from home.

    It is quite sobering; I know more about some plants that I have never been to than the people 'running' them. AND; if I so wished I could do all sorts of interesting things; some of which could cause things to go bang - or even B A N G ! And no one would be able to find out who caused the bang....

    Stuxnet is what we spent years defending against. - and a lot of people (IT and Management) thought we were being stupid. Now when it becomes imperative that we have remote access; oops - there it is; only Siemens at the moment; Honeywell; Emerson; Rockwell; Wonderware etc can't be far behind. And that's when it gets really frightening; when the DCS systems are targeted; little PLCs aren't too much problem; but corrupt a DCS and then you will have BIG trouble. (So what idiots 'forced' COTS crap -AKA Windows- onto the process world?). Think of all those BIG refineries/dangerous chemical plants they use DCS to control the PLCs & monitor what's going on...

    The only solution is to train more engineers; pay them more than bankers, and have enough in plant to keep each plant safe. At least that way there are only a small number of people who would be in a position to commit sabotage.

    AC - you think I'm as stupid?

    1. The Other Steve

      Sobering ?

      I'm finding it has the opposite effect, viz it makes me want to get very drunk indeed. That is by far the most frightening thing I have read for a long time.

  22. Anonymous Coward

    "very specific targeted attack to work on a specific setup."

    "the C&C centers connect to this via the internet. Take that out and there is no way of controlling what happens. Of course someone could break something else but that would require a very specific targeted attack to work on a specific setup"

    You're the one who needs to understand.

    The Stuxnet payload already is very specifically targeted. The payload is already perfectly capable of "controlling what happens". If you want botnet-style remote control to allow changes of behaviour, then yes that works best with an Internet connection. But if the desired behaviour is already coded into the Stuxnet (or similar) payload, there is absolutely no need for any Internet connection in this picture.

    And anybody who thinks it is practical to implement systems like this without transferring data to/from other systems (no network, no removable media, ever) needs their head examining. As does anybody who still tries to claim that Windows is appropriate in this kind of setup.

  23. 0laf

    Not difficult to control

    Not difficult to control as long as the meatbags do as they are told.

    Take the SCADA machines off network and put in an airgap.

    Have good quality AV/Malware scanning on a sheep-dip machine and have workers scan USB/CD media before it goes on the SCADA machines.

    Of course the meatbags won't want to do this extra step because they are lazy so the first person caught not following the procedure will have to be very publicly flogged and sacked.

    Devices should be restricted to authorised devices only if poss.

  24. Anonymous Coward

    "airgap ... scan USB/CD media before it goes on the SCADA machines."

    Engage brain before operating keyboard. Understand what you're posting about before you post.

    Stuxnet included several "zero day" vulnerabilities. It wasn't the first zero day vuln in the wild, and won't be the last.

    Does 0laf know what a "zero day" vuln is, and what it means? It means...

    "zero day" vulnerabilities are by definition not detected by malware scanners. "Good quality" is irrelevant.

    So having an airgap and passing files through a "sheep dip" virus scanner is pointless, because the AV folks don't have a signature for the zero-day stuff.

    There is a fix, 0laf and many others know what it is, but 0laf and many others seem reluctant to accept it. Why so? [there are some obvious Microsoft-dependency answers]

    I see Fraser's been back, and not surprisingly is among the clueless (or deliberately misleading) who think "disconnecting from the Internet" is relevant here.


    I like the "sheep dip" term, but the sheep in this picture are the mystifyingly monominded "there is no OS but Windows" sheeple, especially those who think "good quality" AV scanners are of any serious help.

    1. Anonymous Coward


      Name calling aside: How do you think that a computer can become infected if it's not connected to the Internet or to a corporate LAN which has a proxy/NAT onto the internet? Accepting that it also has no method of inserting removable media (CDs/USB memory sticks/USB HDDs etc)

      I would also presume that development is carried out in a secure network.

      The only way that I can think is if the updates servers host infected packages.

      1. Anonymous Coward

        Presume whatever you want

        Please re re re read Steve's writeups.

        Some data *needs* to be exchanged between the SCADA boxes and the rest of the world. Not all the time, not with the Internet, but from time to time. Sooner or later an infected file or device will infect a Windows box which will later connect to the SCADA network. No malware scanner will detect it if it's a zero-day exploit, so the infection is invisible, and can lie unnoticed for months.

        The only alternative to that data exchange process is, as you have already suggested elsewhere in this thread, re-keying any data which needs to be transferred to or from the "secure" SCADA network. I presume you worked out that's not really practical, right?

        Have a nice day.

  25. Aggellos

    It is not the father that scares me , it is the son of........

    Whether it be nublets like 4chan or nation states like Israel, Stuxnet was a targeted attack, and that is the worrying thing in this whole saga: the ability to target aspects of a nation's infrastructure.

    The reason behind the "it must have been a nation state" is this attack required forward intel before stuxnet was primed, zero day babies are nothing new and can be bought on the open market or sold on to the very target they are designed to exploit.

    Stuxnet was different in that it required a very intimate knowledge of the Iranian infrastructure on various levels not just SCADA systems.

    And if you think this was passed on by infected USB sticks then you're as gullible as the media who swallowed Iranian state press releases.

    Stuxnet looked like a live test for something bigger and that is what has people's knickers in a twist.. "What's Next"

  26. Anonymous Coward
    Big Brother

    "if you think this was passed on by infected USB sticks ..."

    Expand, please. Or links to supporting matter.

    I can see where you might be coming from, in that using the Internet for the initial delivery seems a bit improbable, but once the malware's on the target site LAN (hand delivered by an agent with an email account or a stick) and there are airgaps what other options are there? Telepathy?

    1. Aggellos

      come on , show yourself what are you scared of Mr AC

      As of now it is in China, India, Pakistan; measures were taken in several of the 17 or so infected plants to remove CD and USB infections from the equation yet they were still infected; the commonality is the infrastructure used in all plants coming from a certain "soviet design".

      Stuxnet is the most complicated piece of malware to date and it is by no means finished, no one yet truly knows how SCADA systems were infected in all plants or if Stuxnet is actually trying to re-code anything.

      We now know several methods of how it infected other PCs on its network, but as of yet no one is really sure how the SCADA systems in certain plants got infected.

      There's the truth, they don't really know.... unless you do, then pray tell.

      1. The Other Steve

        No, you're wrong.

        "no one yet truly knows ... if Stuxnet is actually trying to re-code anything."

        No. We do, in fact, know that Stuxnet will inject Step7 code into PLCs. The rest of your comment is pure speculation.

        1. Aggellos

          fresh air injection

          And pray tell Steve what did the injection do?.... what was the effect of the cause other than a proof of concept.

          Speculation is your game.

          1. The Other Steve

            Ass monkey


            "Fact: Stuxnet intercepts code from Simatic Manager that is loaded to the PLC. Based on a conditional check, original code for OB 35 is manipulated during the transmission. If the condition matches, Stuxnet injects Step7 code into OB 35 that is executed on the PLC every time that OB 35 is called. OB 35 is the 100 ms timer in the S7 operating environment. The Step7 code that Stuxnet injects calls FC 1874. Depending on the return code of FC 1874, original code is either called or skipped. The return code for this condition is DEADF007 (see code snipplet)."

            Are we learning yet?

            1. Aggellos

              Cut and paste does not make one right or smart, Steve.

              Let's break it down for the less techie out there, Steve: what is the result of said code change?

              Sitting in on a DFID meeting last month as an advisor, I bet I know more than you... and we are learning all the time.

              1. The Other Steve

                Sitting in on a DFID meeting last month as an advisor

                Ah, that explains it.

  27. Anonymous Coward

    @TheOtherSteve 12:53

    "Last self repetition, honest. Please RTF Analysis"

    No need to apologise (not for me anyway), that was a *very* nice writeup, please spread it far and wide, and thank you for your continued contributions.

    There seem to be some people who think they're smart round here posting rubbish (about Internet and Admin and Autorun and blocking removable media) on Stuxnet threads. All these people are doing is showing their cluelessness. Some of them, bless their little Microsoft-certified hearts, might actually believe the bollocks they are spouting.

    But anyone with eyes and intelligence who isn't surgically attached to Redmond knows that this should be treated as a wake-up moment for the SCADA industry and for many many others.

    1. Anonymous Coward

      The original AC here

      I never said Windows is OK, just that given Windows as a constraint, and - as Steve replied - using high assurance measures of the type that they use (from what I hear) in classified DoD environments would have gone a long way towards minimizing the impact. In fairness, I might have overstated somewhat but the point remains - were they really even trying?

      Could an alternate OS be better? Definitely! Would it be bullet proof? Probably not. As an IT guy, faced with a situation where the application in question apparently only runs on Windows, I'm used to playing the hand that's dealt. That's different, IMO at least, than saying Windows is the right platform for the job.

  28. Anonymous Coward

    Seven upvotes for PaulVD 13:47?

    There really are a lot of people around who need to read TheOtherSteve's posts here till they get with the program, and ideally attempt also to read and understand the definitive sources elsewhere.

    You don't want to treat MS-dependent PC anti-virus companies as definitive. Although some of them may be experts on PC virus propagation, they are clueless about industrial automation (SCADA etc).

    You do want to treat as definitive stuff from someone who understands both PC security *and* industrial automation.

    Best Stuxnet-specific source to date:

    Yes I know he's got an interest to declare. But read his analysis anyway. There's a little bit of OTT in there, but really not very much at all, in the circumstances. And I say this as someone with a couple of decades of experience of the interface between computers and the shop floor, in sites from power stations to factories to water companies, you name it, I've seen it all. Till Stuxnet (which, in hindsight, should have been expected).

    Today's open letter from Herr Langner to Symantec in response to Symantec's ridiculously PC-centric analysis and non-existent "solutions" seems particularly appropriate.

    The next incarnation of Stuxnet will not have the advantage of total surprise in the same way that Stuxnet had.

    That being said, so long as we allow critical systems to rely on Windows, Stuxnet 2 will still be able to use zero-day (unpublicised, unpatched, unchecked-for) vulnerabilities to bypass malware scanners. Whether it uses LANs or USB sticks to propagate is irrelevant.

    Stuxnet 2 will still be able to use rootkits to hide its presence on the infected systems. Stuxnet 2 will still be able to interrupt whatever the infected PC systems are supposed to be doing. More troublingly, Stuxnet 2 will still be able to disrupt whatever those infected PCs are controlling.

    E.g. (purely random example; would have been implausible 3 months ago, not looking so implausible now): anybody know what's in the next generation of SCADA for the Thames Flood Barrier (£400k contract, awarded recently to Adsyst in Reading)? If it's got Windows in it, the City boys better get on the blower.

    This is not a drill. This is a warning. Pay attention now, or get burned (or flooded) later.

    1. Charles 9

      No OS is safe.

      "That being said, so long as we allow critical systems to rely on Windows, Stuxnet 2 will still be able to use zero-day (unpublicised, unpatched, unchecked-for) vulnerabilities to bypass malware scanners. Whether it uses LANs or USB sticks to propagate is irrelevant."

      Forgoing Windows in a situation such as this may only provide an ILLUSION of increased security. This Stuxnet is clearly the work of intense research into novel vulnerabilities. It even had SIGNED code (so private keys were retrieved--there goes the signature defense). This same degree of research can likely be applied to any mass-released operating system in existence to find the proper privilege escalations, faults, etc. to achieve the desired ends (there was a Linux privilege escalation reported just this week; shock, not even Linux is immune, and forget patching in an embedded or industrial setting with lots of red tape).

      Any computer system (or any SYSTEM, for that matter) is kinda like a castle. If someone REALLY determined wanted to have at it, they could, because they have the advantage of a stationary target. And trying to move the target has the potential to cause undetected faults similar to what the adversaries are trying to achieve; talk about an "own goal".

  29. Anonymous Coward
    Thumb Up

    @The Original AC 14:47

    With the greatest possible respect, you sound like a sensible chap (unlike some here).

    What would happen if you pointed out to your bosses that their current behaviour is comparable to asking a domestic electrician (Part P Certified if you wish) to do three phase (or even 11kV) wiring on the factory floor, and possibly without something akin to a Permit to Work?

    Because that's the kind of silliness there is inevitably going to be when, with the best will in the world, someone from planet Symantec is transported to planet SIMATIC (or vice versa) and just left to get on with it.

    [submitted 17:55ish BST]

  30. Anonymous Coward

    2 real world cases with SCADA

    Observed during a career in process control:

    1. A programmer person is remotely connected to a factory on the other side of the globe. Sets fire to a machine by accidentally setting it to full on (by assuming power was off and setting a single bit to 'true').

    2. Famous brand SCADA monitoring system that is used in UK nuclear plants had a bug: the first 255 measurement points are fine, but ones after that 'freeze', thus showing perfectly plausible but false values. The SCADA over-threshold alarm fails for the same reason.

    Who needs viruses?

  31. Anonymous Coward
    Gates Halo

    @agellos 11:19: DFID? Or typoo for RFID?

    Still waiting for your suggestion as to how Stuxnet was propagated from site to site (the on-site stuff is easy), if not USB sticks or telepathy. Symantec's dossier puts together a fairly convincing story. Which bits of it do you feel aren't right, and why? Same goes for Langner re the PLC stuff (which Symantec don't really understand).

    Meanwhile, can you name a complex software project that went exactly right on its first substantive V1 rollout? The Stuxnet team did very very nicely to get as far as they did. The fact that nothing's gone bang (as far as we know) doesn't mean the team haven't achieved much of their objective. They managed to get unauthorised code in a PLC in a site they shouldn't ever have been able to get near (or are you trying to persuade us that's all smoke and mirrors?).

    The next attempt may be better tested, better informed, whatever. Software's like that.

    Now, remind me, what were you trying to tell us?
