Lock up your PLCs

08 February 2011

David Robinson, UK Country Manager for Norman Data Defense, says that Stuxnet should be a warning for industry to make security a priority to protect against its progeny

Stuxnet has become one of the most infamous names in the recent history of computer-dependent industry since this piece of malware was first found on computers in the Bushehr nuclear plant in Iran.

Stuxnet was the first major infiltration to target the factory floor. It had the potential to wreak havoc when unleashed within a system using a number of (now patched) security breaches in Microsoft Windows from XP upwards.

Once in, it is designed to reprogram whole systems. It uses default passwords to try to gain access to PLC programs. Apparently Stuxnet only affects platforms where access to data or to the operating system is possible via a USB interface, which underlines the imperative for company-wide automation systems security to be implemented at every level if potentially huge damage is to be prevented.

A weaknesses in computer security in this field is the mistaken belief that the IT department should be responsible for total network security, including that of the automation and control systems. In fact there are many differences between the issues that a corporate IT department should concentrate on, and the security priorities of automation systems. Software-based security, however well-intentioned, can interfere alarmingly with automated control systems.

Stuxnet is not the first high profile malware to be introduced by an outside user. The Slammer worm, which infected the safety monitoring system of the Davis-Besse nuclear power plant in the USA in 2003, bypassed the plant’s firewall via a contractor’s laptop. It spread from the business network to the plant network, where it found an unpatched Windows server and crashed the nuclear plant network in Ohio.

Firewalls do not always protect the factory floor. In 2001, an Australian man attacked the control system of a waste management system – not through the firewall, but through a wireless network used for SCADA control. His action caused millions of litres of raw sewage to spill out into local parks, rivers and the grounds of a Hyatt Regency hotel.

Stuxnet is certainly not the work of a mischievous hacker who just wants to be a nuisance. It is already generally accepted by experts the world over that Stuxnet was produced at a very high – possibly even government – level, by one nation to target another nation. Fortunately, when it infected the Bushehr nuclear power plant in Iran it didn’t gain entry to the large number of PLC terminals operating in the main plant. However, the code within Stuxnet was seeking specific configurations within the Siemens industrial control software – the danger being that once infiltrated, the Stuxnet code can reprogram PLC software to give attached industrial machinery new instructions, so the potential impact on an organisation or facility can be extremely dangerous.

Stuxnet has demonstrated how easy it is to introduce malware into the most sophisticated of control systems. Only last year the US government admitted that software had been found that could shut down the nation’s power grid. It is a new type of virus, which has a boot file built-in, and it activates as soon as the memory stick is powered up on insertion into a USB port.

There is a clear need for rules and protocols to make security a priority throughout an organisation. Norman Data Defense commissioned research recently among ordinary workers to assess their attitudes to and knowledge of security – and the results were worrying. The British Government is soon to deliver broadband to a further nine million users, many of whom may have little awareness of security risks. Their innocence could be as damaging as any intended harm.

The control engineering industry needs to be as vigilant and aware as any industry if Stuxnet and its inevitable successors aren’t to wreak havoc.

About the author: David Robinson spent over 15 years working for the automation companies, such as Rockwell Automation, Mitsubishi Electric, Intellution and GE Fanuc, and he has considerable experience of plant and process control systems.

Print this page | E-mail this page