More on Stuxnet – Some Views

 

Stuxnet is beyond imagination. Bloggers claim its targets go beyond process, power and nuclear plants. Siemens systems are also used in space as well as in traffic control systems like railways. If you have seen Die Hard 4.0 you can have your imagination rolling! Now it’s clear why hackers targeted Siemens systems. But still I have my doubts.

One of the blogs claims it could have even attacked India’s INSAT-4B satellite. Jeffrey Carr on his blog says: “On July 7, 2010, a power glitch in the solar panels of India’s INSAT-4B satellite resulted in 12 of its 24 transponders shutting down. As a result, an estimated 70% of India’s Direct-To-Home (DTH) companies’ customers were without service. India’s DTH operators include Sun TV and state-run Doordarshan and data services of Tata VSNL.

What does this have to do with the Stuxnet worm that’s infected thousands of systems, mostly in India and Iran? India’s Space Research Organization is a Siemens customer. According to the resumes of two former engineers who worked at the ISRO’s Liquid Propulsion Systems Centre, the Siemens software in use is Siemens S7-400 PLC and SIMATIC WinCC, both of which will activate the Stuxnet worm.”

The blogger has indicated that the PLCs were used in the Liquid Propulsion Systems Centre. It may be that these PLCs were used as safety systems for gas handling. Whether these PLCs were used to control satellites is a real question.

There has also been a lot of talk about SIL. SIL only represents the reliability of the system, not its security.

 

What is a SIL? (ref: http://www.dyadem.com/services/additional-engineering-services/sil/)

A SIL is a statistical representation of the reliability of the SIS when a process demand occurs. It is used in both ANSI/ISA-S84.01 and IEC 61508 to measure the reliability of SIS. Both ISA and IEC have agreed that there are three categories: SILs 1, 2 and 3. IEC also includes an additional level, SIL 4, that ISA does not. The higher the SIL is, the more reliable or effective the system is.

SILs are correlated to the probability of failure on demand (PFD), which is equivalent to the unavailability of a system at the time of a process demand.

 

SIL 4 has also been discussed a lot on these blogs.

What is SIL 4? (ref: http://www.gmigasandflame.com/sil_faqs.html#SIL4)

SIL 4 is the highest level of risk reduction that can be obtained through a Safety Instrumented System. However, in the process industry this is not a realistic level and currently there are few, if any, products / systems that support this safety integrity level.
SIL 4 systems are typically so complex and costly that they are not economically beneficial to implement. Additionally, if a process includes so much risk that a SIL 4 system is required to bring it to a safe state, then fundamentally there is a problem in the process design which needs to be addressed by a process change or other non-instrumented method.

One of my colleagues, who is a safety systems professional, says: “To attain SIL 4 the system has to be non-microprocessor based and hence more secure. It is true that it is more secure as there is no software involved. However, practically, SIL 4 systems are not used currently.”

A discussion on the Siemens website supports this (http://www.automation.siemens.com/WW/forum/guests/PostShow.aspx?PageIndex=1&PostID=181715&Language=en).

However, there has been some work on SIL using Linux (Ref: SIL4LINUX), and there are some claims of software supporting SIL 4 (www.firmafrance.com/Documents_Produits/Produit3396.pdf).

 

To conclude, the SIL standards do not really specify how secure the system should be against hacking attempts.
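The PFD-to-SIL relationship described above can be worked through numerically. The following is an added example, not code from the original post or the references it cites; it assumes the low-demand PFD bands of IEC 61508, the common simplified single-channel formula PFDavg ≈ λDU × TI / 2, and a constructed failure rate.

```python
# Added illustration (not from the original post or the references it cites).
# SIL bands for low-demand mode, expressed as average PFD ranges (IEC 61508).
SIL_BANDS = [(1e-5, 1e-4, 4), (1e-4, 1e-3, 3), (1e-3, 1e-2, 2), (1e-2, 1e-1, 1)]
HOURS_PER_YEAR = 8760


def pfd_avg_1oo1(lambda_du_per_hour, proof_test_years):
    """Simplified average PFD of a single-channel (1oo1) safety function.

    Dangerous undetected failures accumulate between proof tests, so on
    average the function is unavailable for half the test interval.
    """
    return lambda_du_per_hour * proof_test_years * HOURS_PER_YEAR / 2.0


def sil_for_pfd(pfd):
    """Return the SIL whose band contains pfd, or None if it falls outside."""
    for low, high, sil in SIL_BANDS:
        if low <= pfd < high:
            return sil
    return None


def assess(lambda_du_per_hour, proof_test_years):
    """PFDavg, risk reduction factor (1/PFD) and resulting SIL for one design."""
    pfd = pfd_avg_1oo1(lambda_du_per_hour, proof_test_years)
    return {"pfd_avg": pfd, "rrf": 1.0 / pfd, "sil": sil_for_pfd(pfd)}


if __name__ == "__main__":
    # Constructed input: 2e-6 dangerous undetected failures per hour.
    # The only inputs are a random-failure rate and a test interval; nothing
    # here models deliberate modification of the logic, which is why a SIL
    # rating says nothing about resistance to tampering.
    for years in (1, 5, 15):
        print(years, assess(2e-6, years))
```

The same hardware drops from SIL 2 to SIL 1 to no rating as the proof test interval stretches, while a change to the safety logic made by malware would leave every number here unchanged.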

 

One more question: how come Windows is in Iran? I noted this on Microsoft’s website (http://www.microsoft.com/exporting/faq.htm):

Are there certain countries you cannot ship Microsoft products to?

Yes.  In general, Microsoft products may not be exported to Cuba, Iran, North Korea, Sudan, or Syria.

 

Automation professionals who would like to know more about the infection process can read Symantec’s “Exploring Stuxnet’s PLC Infection Process”.

Stuxnet – The New Generation Control Systems Computer Worm

Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes. (Ref: Wikipedia)

It is the first-ever computer worm to include a PLC rootkit. It is also believed to be the first worm to target critical industrial infrastructure. Furthermore, the worm’s probable target has been said to have been high-value infrastructure in Iran using Siemens control systems. It has also been said that the infestation by this worm might have delayed the start-up of Iran’s Bushehr nuclear power plant. (Ref: Wikipedia)

As of the end of September 2010, the virus has widely affected Iran, Indonesia and India (Source: Stuxnet Under the Microscope).

(Image Source: Stuxnet Under the Microscope)

A high volume of detections in a single region may mean that it is the major target of attackers. However, multiple targets may exist, and the promiscuous nature of the infective mechanism is likely to targeting detail.

With its ability to attack industrial control systems, Stuxnet is the first computer virus that causes real-life harm.

Being a control systems professional I can imagine how much damage this little piece of software can create. It is beyond the imagination of Hollywood movies. With its ability to modify the engineering done in control or safety systems, it can defeat the very purpose they were built for by turning the plant into a potential Weapon of Mass Destruction (WMD). The disaster may not be a boom and fire as shown in movies. A poisonous gas leak or nuclear spill can be more dangerous; the Bhopal gas tragedy is an example of it. Oops! This is more threatening than the Google Threat discussed in my earlier blog. And yes, there are new themes available for Die Hard, War Games, Enemy of the State, Eagle Eye…

This also calls for nations to strengthen their cyber security. And soon cyber security will become a multi-billion dollar industry, multiple times its current volume. I feel control systems should move back to proprietary operating systems. Gone are the days when these systems were designed and considered to be more secure. With these systems getting more open day by day, with insecure implementations of Microsoft-dominated OPC (OLE for Process Control) and integration with upper-level solutions like ERP, the probability of risk is even higher. A chain is only as strong as its weakest link. With new versions of Windows coming up there has been no increased security. A better solution may be to design Windows operating systems catering to automation platforms.

While it is being claimed that there is a remedy for Stuxnet, we really need to wait and see if it is yet to unfold. This worm has been discovered on Siemens systems, and if it is true that it is a nation-state-sponsored project, there are many more to come, targeting all platforms and taking a nation’s defense and economy under their control.

The Google Threat

If you have watched movies like Die Hard 4.0 or War Games you can potentially know how much can be done with information on centralized systems. Though the themes of these movies are fiction, reality is quite close or even worse.

Consider the amount of information Google has. They have an awful lot of data. They record everything. They have your IP address, your search requests, the contents of every e-mail you’ve ever sent or received. They know the news you read, the places you go. They’re even collecting real-time GPS location and DNS look-ups. They cache web pages and have the history of pages that don’t even exist currently. They know who your friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. ‘They even know what you are thinking about’ – to quote Marlinspike.

While it is being claimed that IP addresses are kept for 18 months and anonymized immediately, privacy experts have alleged that even with anonymized user data, where bits of the IP address are changed or deleted, it is still relatively easy to correlate those addresses with user cookies to get a lock on a search engine query author’s identity.
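Why masking the IP address alone does not unlink a log can be shown on a small data set. This is an added example, not part of the original post: the log lines, cookie identifiers and the last-octet masking scheme are constructed for illustration, and dropping the cookie is shown only as the contrasting, stronger treatment.

```python
from collections import defaultdict

# Constructed sample search log: (client_ip, cookie_id, query).
LOG = [
    ("203.0.113.17", "c-9f31", "plc programming course"),
    ("203.0.113.17", "c-9f31", "clinic near elm street"),
    ("203.0.113.201", "c-77aa", "train timetable"),
    ("198.51.100.44", "c-9f31", "wincc licence renewal"),
    ("198.51.100.90", "c-1b02", "weather tomorrow"),
]


def mask_ip(ip):
    """Zero the last octet, one common form of IP 'anonymization'."""
    return ".".join(ip.split(".")[:3] + ["0"])


def anonymize(log, drop_cookie):
    """Mask every IP; optionally drop the cookie identifier as well."""
    return [(mask_ip(ip), None if drop_cookie else cookie, query)
            for ip, cookie, query in log]


def profiles_by(records, field):
    """Group queries by one field (0 = masked IP, 1 = cookie)."""
    groups = defaultdict(list)
    for record in records:
        if record[field] is not None:
            groups[record[field]].append(record[2])
    return dict(groups)


def linked_queries(records):
    """Cookie groups holding more than one query: each is a per-browser profile."""
    return {k: v for k, v in profiles_by(records, 1).items() if len(v) > 1}


if __name__ == "__main__":
    weak = anonymize(LOG, drop_cookie=False)
    strong = anonymize(LOG, drop_cookie=True)
    print("IP masked, cookie kept :", linked_queries(weak))
    print("IP masked, cookie gone :", linked_queries(strong))
    print("by masked IP only      :", profiles_by(strong, 0))
```

With the cookie kept, three queries from two different networks still collapse into one profile; with it removed, the masked IP only yields groups that mix several users.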

I was myself surprised to see that Google web history not only records what I search but also what I browse. With its wide range of services and rising popularity, Google is set to have more information about the whole world than the sum of other organizations put together. While Google is an organization people trust, the security of its systems, especially from Chinese hackers, is a big question.

Ref: http://www.zdnet.com/blog/security/google-even-knows-what-youre-thinking/6291

 

Lost in the Clouds!

When I first heard about cloud computing I was wondering if it was really worth the fancy terminology. To me it was just a marketing term for hosted applications. My first experience started three years ago when I moved my website’s email from my hosting provider to Google Apps. At that point in time I never knew it was cloud computing, or specifically SaaS, I was moving to. To me Google Apps was much better than my hoster’s email due to reduced downtime.

As usual it requires media hype for me to look back at what things actually are. One’s own knowledge is the hurdle to learning new things. Overconfident of knowing what it was, I didn’t really track the developments, though I kept hearing people discuss them. But that’s also the problem with SaaS: it is difficult to see any difference.

It was Google App Engine that made me rethink. Though I registered my first application long back, only recently did I try to deploy my first application (‘Hello World’ of course). A small program but it still brought me a lot of insight to what things are. As a solution provider I wonder how this technology is going to change the world of computing. Though there is a big crowd out there harping on security issues on the cloud I don’t really see them as issues. It is only for the cloud consultants and the security companies to market their businesses.

I really admire the PaaS of cloud computing. My library application was on the shelves for a long time due to lack of time to build a custom application accessible from the internet and integrate it with my Drupal-powered website. With Zoho Creator it is just a few clicks and four hours (to upload data) on a weekend. Wow! The application is up online. Integration with Drupal? Don’t worry la! Embedding the form on a Drupal page is just that simple (http://www.shankarananth.com/site/index.php?q=node/49).

The biggest thing that would change the way people think about cloud computing is the time one spends on hardware and software maintenance. As a chemical engineer and a solution provider, I feel annoyed at more of my time being spent on fixing these issues rather than focusing on my core competence.

Cloud computing is definitely the next big thing!

Analysis Paralysis

A few weeks back I was wondering how helpful ‘blinking’ (http://blog.shankarananth.com/?p=208) is. Now when I have to take crucial decisions I really find value in blinking. Too many facts and figures are only confusing, so much so that they do not allow one to take a decision at all. I wonder about the equilibrium that exists in this universe that does not give a distinct advantage to a particular option for the final decision. This phenomenon can be explained mathematically too. When the degrees of freedom are positive we try to arrive at the best possible solutions. However, when the degrees of freedom are negative (too much information) it only leads to finding which of the available information is faulty (data reconciliation). Thinking at the next level makes it too philosophical and leads one to rethink the validity of known facts.

Follow your heart; it means much more than facts and figures.
