

From the man who discovered Stuxnet, dire warnings one year later - tokenadult
http://www.csmonitor.com/USA/2011/0922/From-the-man-who-discovered-Stuxnet-dire-warnings-one-year-later

======
pnathan
SCADA (Supervisory Control and Data Acquisition, the usual term for
industrial control) systems until, at the _least_, 9/11/01, were not
typically designed with security in mind.

Symptoms of problems include the ability to DOS a SCADA network simply by
flooding it with packets and the lack of authentication/encryption embedded
in protocols such as IEC 61850 (an increasingly popular SCADA standard).

There are two halves to the problem of hacking a SCADA system.

First, you must be able to exploit the software. E.g., Siemens Step 7. That is
standard IT hacking. Not a "problem".

Second, you must be able to exploit the installation. Let me explain a bit
more.

In software terms, what you are given to work with is a list of hex values
denoting inputs, and then a list of hex values denoting outputs.

So - without knowledge - what you will see is _conceptually_ like this:

    READ 0x1
    READ 0x2
    IF 0x1 + 0x2 > 314159 THEN
      WRITE 0xA, 100
    ENDIF

What do those numbers mean? There's no context until you know what those
read/write registers are plugged into. And those could be different for each
installation.

The second part isn't always brought out in the Stuxnet discussions. Part of
the search for understanding for Stuxnet was decoding how the registers mapped
to the installation.

For the interested reader, I refer you to the Symantec white paper. It is of
quite high quality and good technical detail. The SCADASEC mailing list
contains useful discussion by people involved in the industry, and they really
bring out the differences between SCADA security and IT security. And for the
really interested reader, I recommend reading up on PLC programming and
digging up protocol standards for MODBUS and DNP3.
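
As an added example (not part of pnathan's comment or of any document it cites), here is a small Modbus/TCP write parser paired with an installation-specific register map; the map, the register names and the frames are constructed and hypothetical. It shows the point above from the defender's side: the same `WRITE 0xA, 100` is harmless or alarming depending on what register 0xA is plugged into at this particular site.

```python
import struct
from dataclasses import dataclass

# Constructed, hypothetical register map for one installation: address -> (name, safe min, safe max).
REGISTER_MAP = {
    0x0001: ("inlet_pressure_kpa", 0, 600),
    0x0002: ("outlet_pressure_kpa", 0, 600),
    0x000A: ("pump_speed_pct", 0, 85),
}
WRITE_SINGLE_REGISTER = 0x06      # Modbus function code 6
WRITE_MULTIPLE_REGISTERS = 0x10   # Modbus function code 16

@dataclass
class WriteRequest:
    unit_id: int
    address: int
    values: list

def parse_modbus_tcp(frame: bytes):
    """Parse one Modbus/TCP ADU; return a WriteRequest for register writes, None otherwise."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol id or length field")
    pdu = frame[8:]
    if fc == WRITE_SINGLE_REGISTER:
        addr, value = struct.unpack(">HH", pdu[:4])
        return WriteRequest(unit_id, addr, [value])
    if fc == WRITE_MULTIPLE_REGISTERS:
        addr, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) != 5 + byte_count:
            raise ValueError("inconsistent write-multiple length")
        return WriteRequest(unit_id, addr, list(struct.unpack(">%dH" % qty, pdu[5:])))
    return None  # reads and other function codes change no register

def check_write(req: WriteRequest) -> list:
    """Alert on writes to unmapped registers or to values outside the safe envelope."""
    alerts = []
    for offset, value in enumerate(req.values):
        addr = req.address + offset
        if addr not in REGISTER_MAP:
            alerts.append(f"write to unmapped register 0x{addr:04X} = {value}")
            continue
        name, lo, hi = REGISTER_MAP[addr]
        if not lo <= value <= hi:
            alerts.append(f"{name} (0x{addr:04X}) set to {value}, outside {lo}..{hi}")
    return alerts
```

Without REGISTER_MAP the parser can only report "register 0x000A written with 100"; the map is the installation knowledge that turns that into a meaningful alert.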

------
bx_lr
The article might tout the idea of cyberweapons slightly too much, but I think
Stuxnet indeed qualifies as one.

I'm somewhat worried about these things. The problem I see is that we are
becoming even more leveraged/dependent on technology. And these
technologies are increasingly interdependent. A successful attack on one
technology can potentially bring entire systems down in unanticipated
ways.

The recent power outage in San Diego and nearby areas serves as a good
reminder. You don't actively think about power, it is something you take for
granted. Only when the power is lost do you realize how dependent
everything is on it: traffic lights stopped, ATMs didn't work, credit and
debit cards didn't work, freezers and fridges stopped, and so forth. From
modern times to the dark ages in an eye-blink, instant paralysis.

I don't think nuclear power plants as targets are that interesting. Just
turning off the traffic light system would be enough to bring an entire US
urban area to its knees.

New networks of complex dependencies are being created all the time. The
smartphone boom is going to create one, and people will start relying on the
existence of it. If iPhone and Android keep dominating the market it will
create a more homogeneous mass of devices, providing a more consistent attack
surface and more potential for widespread damage. I don't see how smartphones
could avoid the same problems PCs were/are experiencing. Waiting for the first
smartphone "UNIX worm".

Wireless features are getting added to cars. Yet another potential complex
network. War-driving could soon get completely new meanings.

------
sandroyong
Regardless of whether copies of Stuxnet or variants of it can be used
successfully in the future by "any dumb hacker", Pandora's box has been opened,
the code and concepts are out there, and it only takes one (dumb hacker(s) -
competent or not). The threat is real, even if some believe the author might
be "drumming up biz" or there is an 'overdramatization of
cyberweapons/cyberwarfare'. What gets me is the following: Regardless of
Stuxnet in this article or any other past article that has discussed network
security, what rings true here and will continue in the foreseeable future is
this - "Most engineers are aware of the problem, it's just that they don't get
the budget to fix the problem. The risk is just discounted. As long as
management doesn't see an immediate threat, there is a tendency to ignore it
because it costs money to fix." So, even if there was a holy grail of a
security measure, I fear that it will take a real cyberterrorist attack
of some sort to really implement it. There is a measure of complacency by
government and businesses regardless of whether copies of Stuxnet are out there
or not.

------
snowwindwaves
Some Siemens PLCs have a default superuser password hard-coded into the
firmware. Siemens hasn't released an update to remove it.

Control systems should be on separate networks, but even those networks are
susceptible to wandering USB keys and contractor laptops.

------
viscanti
A better title would have been "Computer consultant will say anything to stay
relevant and drum up business".

------
tristion
I remember reading about how Stuxnet works a while ago, and it didn't sound
like the kind of thing you could 'drag and drop'. Whoever made it had to know
specific things about the hardware being used in Iran, the network there, and
machine code for the motors that were affected. Then they had to hide the
whole thing in a virus in such a way that it took a while for the experts to
figure out what was actually happening and where.

The idea could be used, sure: find some important place that you want to
damage in some way. Find out if it has computers that hook into some kind of
specialized hardware. Work out how that hardware can be damaged via those
computers. Find out how those computers are vulnerable. Write an overly
complicated virus that hides what it's really doing, and set it loose, and
hope it makes it all the way to those specific computers, and delivers its
payload. ...it kinda sounds like a single-use case, really.

More likely, Stuxnet is just encouraging people (governments, whatever) to
consider attacks that target non-computer run systems. The motors being
damaged in Iran, if I understood it correctly, weren't being run by computers,
just programmed by them. (I'd be surprised to learn that no one had thought of
that before.)

------
zobzu
Ts ts. Those people who think because they uncovered an _idea_ (which wasn't
even theirs) they also uncovered the possibility for the whole of humanity to do a
whole new range of stuff. It's not even research material, it's ideas and
concepts. And it's not concepts about physics, it's pure 1+1 logic, no magic,
no extremely hard to think of ideas. In fact, having read Stuxnet I just
wondered "wah, wasn't this done ages ago anyway?" And most knowledgeable
people probably thought that too.

~~~
pyre
Attacking industrial systems is not something that 'just any' hacker can do.
Not necessarily due to the skill involved, but just because getting access to
a system or the software that runs on the system may not be trivial (unlike,
say, getting a pirated -- or legit -- copy of Windows).

The gist of this guy's argument seems to be that industrial systems aren't
being patched fast enough to plug the holes that Stuxnet used. Until these
systems are all fully patched, anyone looking at Stuxnet can exploit those
holes without needing to gain access to the software these systems are running
(to find new exploits).

------
danilocampos
> With Stuxnet as a "blueprint" downloadable from the Internet, he says, "any
> dumb hacker" can now figure out how to build and sell cyberweapons to any
> hacktivist or terrorist who wants "to put the lights out" in a US city or
> "release a toxic gas cloud."

Is this really the case? I'm nothing close to a security specialist, so maybe
I'm talking out of my ass. Still, everything I read on the subject said that
Stuxnet was especially impressive in that it exploited not one but _several_
previously-unknown OS-level exploits, on top of the embedded systems attacks
it used. With these zero-days now discovered and hopefully patched, how much
more value does Stuxnet offer?

(Neither of these questions is rhetorical — hopeful that one of our resident
experts can fill me in.)

~~~
rcthompson
To answer that, ask yourself this. If you somehow got access to the root
account on the central control computer of a nuclear power plant, could you
cause a meltdown? Most likely, the answer is no, because you don't know how to
control a nuclear power plant. You can run any command, but you have no idea
which command would cause any real-world damage. If you're just doing it for
the lulz, you could go for the ever-popular "rm -rf *" and cross your fingers,
but if you want to be sure to cause damage, you're going to need some
domain-specific knowledge. Not just knowledge about nuclear power plants in general,
but also knowledge about how to manipulate the control systems at your
specific target nuclear power plant.

In other words, even if you have an easily-exploited attack vector available
to you, you still need to know a lot about your target in order to cause
damage. Contrast this to guided missiles, which don't really need to know
anything about the building that they are blowing up other than its GPS
coordinates.

For this reason, I'm skeptical that "any dumb hacker" will ever be capable of
causing something like a nuclear meltdown via virus infection.

~~~
cperciva
On modern reactors, it would be hard even for the plant operators to cause a
meltdown -- there are just too many _passive_ measures in place. You'd probably
need to start by walking around the reactor smashing bits of machinery first.

On the other hand, triggering the reactor to automatically shut down would be
pretty easy -- and if you shut down all the nuclear reactors in the US for a
few weeks, you'll certainly have made a significant impact.

~~~
pasbesoin
I'm reminded of a fairly recent -- or recently released -- demonstration where
researchers (in Idaho, IIRC) programmed a large engine/generator to
self-destruct. It was then pointed out that latent inventory on such items is
practically non-existent and replacement time is several months. I believe
that replacement is also increasingly dependent upon China; North America
essentially doesn't make the item, or critical components, any more.

Knock out several of those in critical locations, and you start to grind the
U.S. economy to a halt.

You don't need to go nuclear. And destroying the engine was a fairly simple
task of pushing it well outside its performance envelope.

EDIT: Looks like pnathan already cited this event -- see the last link in this
comment:

<http://news.ycombinator.com/item?id=3035909>

It's a bit older than I remembered. The article is dated September, 2007.

I note incidentally that for one "catastrophic" scenario they describe, with
an estimated "cost" of $700 billion, the damages figure now pales in
comparison to what the U.S. economy has been through in the last few years. A
bit of a lesson of its own regarding the rhetoric that surrounds the actual
topic.

------
ChristianMarks
Security professionals habitually grossly underestimate the negative
externalities they wish to impose on others.

