More on Stuxnet – Some Views

 

Stunxnet is beyond imagination. Bloggers claim its targets are beyond process, power and nuclear plants. Siemens systems are also being used in Space as well as Traffic control systems like railways. If you have seen Die Hard 4.0 you can have your imagination rolling!  Now its clear why hackers targeted Siemens systems. But still I have my doubts.

One of the blogs claim it could have even attacked India’s INSAT-4B satellite. Jeffery Carr on his blog says “On July 7, 2010, a power glitch in the solar panels of India’s INSAT-4B satellite resulted in 12 of its 24 transponders shutting down. As a result, an estimated 70% of India’s Direct-To-Home (DTH) companies’ customers were without service. India’s DTH operators include Sun TV and state-run Doordarshan and data services of Tata VSNL.

What does this have to do with the Stuxnet worm that’s infected thousands of systems, mostly in India and Iran? India’s Space Research Organization is a Siemens customer. According to the resumes of two former engineers who worked at the ISRO’s Liquid Propulsion Systems Centre, the Siemens software in use is Siemens S7-400 PLC and SIMATIC WinCC, both of which will activate the Stuxnet worm.”

The blogger has indicated that the PLC’s were used in Liquid Propulsion Systems Centre. Might be that these PLC’s were used as safety systems for gas handling. Whether these PLC’s were used to control satellites is a real question.

 

And there has been lot of talk about SIL. SIL only represents reliability of the system and not security.

 

What is a SIL? (ref: http://www.dyadem.com/services/additional-engineering-services/sil/)

A SIL is a statistical representation of the reliability of the SIS when a process demand occurs. It is used in both ANSI/ISA-S84.01 and IEC 61508 to measure the reliability of SIS. Both ISA and IEC have agreed that there are three categories: SILs 1, 2 and 3. IEC also includes an additional level, SIL 4, that ISA does not. The higher the SIL is, the more reliable or effective the system is.

SILs are correlated to the probability of failure of demand (PFD), which is equivalent to the unavailability of a system at the time of a process demand.

 

There has also a lot of SIL4 discussed on these blogs.

What is SIL 4? (ref: http://www.gmigasandflame.com/sil_faqs.html#SIL4)

SIL 4 is the highest level of risk reduction that can be obtained through a Safety Instrumented System. However, in the process industry this is not a realistic level and currently there are few, if any, products / systems that support this safety integrity level.
SIL 4 systems are typically so complex and costly that they are not economically beneficial to implement. Additionally, if a process includes so much risk that a SIL 4 system is required to bring it to a safe state, then fundamentally there is a problem in the process design which needs to be addressed by a process change or other non-instrumented method.

Quotes one of my Colleagues who is Safety Systems professional “To attain SIL 4 the system has to be non micro processor based and hence more secure. It is true that it is more secure as there is no software involved. However practically SIL4 are not used currently”

This discussion on Siemens website supports it (http://www.automation.siemens.com/WW/forum/guests/PostShow.aspx?PageIndex=1&PostID=181715&Language=en)

However there has been some work on SIL using Linux (Ref: SIL4LINUX). And some claims on Software supporting SIL 4 (www.firmafrance.com/Documents_Produits/Produit3396.pdf)

 

To conclude the SIL standards really do not ensure how secure the system should be from hacking attempts.

 

One more question! How come Windows in Iran. Noted this on Microsoft’s Website (http://www.microsoft.com/exporting/faq.htm)

Are there certain countries you cannot ship Microsoft products to?

Yes.  In general, Microsoft products may not be exported to Cuba, Iran, North Korea, Sudan, or Syria.

 

For automation professionals who would like to know more on the infection process read Symantec’s Exploring Stuxnet’s PLC Infection Process

Share

Stuxnet – The New Generation Control Systems Computer Worm

Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems. It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes.Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes. (Ref: Wikipedia)

It is the first-ever computer worm to include a PLC rootkit.It is also believed to be the first worm to target critical industrial infrastructure. Furthermore the worm’s probable target has been said to have been high value infrastructures in Iran using Siemens control systems. It has also been said that the infestation by this worm might have delayed the start up of Iran’s Bushehr nuclear power plant. (Ref: Wikipedia)

As of end September 2010 the virus has widely affected Iran, Indonesia and India (Source: Stuxnet Under the Microscope)

image

(Image Source: Stuxnet Under the Microscope)

A high volume of detections in a single region may mean that it is the major target of attackers. However, multiple targets may exist, and the promiscuous nature of the infective mechanism is likely to targeting detail.

With its ability to attack industrial control systems, Stuxnet is the first computer virus that causes real-life harm.

Being a control systems professional I can imagine how much damage these little piece of software can create. It is beyond the imagination of Hollywood movies. With its ability to modify the engineering done in Control or Safety systems it can defeat the very purpose it was built for by turning the Plant to a potential weapon of Mass Destruction (WMD). The disaster may not be a boom & fire as shown in movies. A poisonous gas leak or nuclear spill can be more dangerous, Bhopal Gas tragedy an example of it. Oops! this is more threatening than the Google Threat discussed in my earlier blog. And yes, there are new themes available for Die Hard, War Games, Enemy of State, Eagle Eye……

This also calls for nations to strengthen their Cyber Security. And soon cyber security will become a multi bullion dollar industry, multiple times its current volume. I feel the control systems should move back to proprietary operating systems. Gone are the days when these systems were designed and considered to be more secure. With these systems getting more open day by day with insecure implementation of Microsoft dominated OPC (OLE for Process Control) and integration with upper level solutions like ERP the probability of risk is even higher. The strength of the chain is as strong as the weakest link. With new versions of Windows coming up there has been no increased security. A better solution may be to design Windows operating systems catering to automation platforms.

While it is being claimed that there is remedy for Stuxnet, we really need to wait and see if it is yet to unfold. While this worm has been discovered for Siemens systems and if it is true that it is a nation state sponsored project there are many to come targeting all platforms taking a nation’s defense and economy to its control.

Share

Avatar Movie – A Common man’s review

AvatarPoster

I did not show much interest on this movie as I first saw the dubbed trailer on a Tamil channel expecting it to a be a below average movie promoted by the channel’s excellent marketing team. I really didn’t know till yesterday that it is a James Cameron movie. In fact I wanted to watch this movie just because of Cameron. With 3D tickets not available we chose to watch it 2D at Innovative Multiplex.

I should say I really did not have much expectations expect for Cameron. I already brushed up a bit of the storyline via Wikipedia. The story is simple -“Avatar is the story of an ex-Marine who finds himself thrust into hostilities on an alien planet filled with exotic life forms. As an Avatar, a human mind in an alien body, he finds himself torn between two worlds, in a desperate fight for his own survival and that of the indigenous people.” 

The Story does not do much to the movie. Its purely screenplay and the super cool visual effects (the graphics are designed with finite details) that drives the 3 hour long movie. Wow! One would really wonder the power of imagination and cannot resist the beautiful Pandora’s rainforests (They look so real I wish I was there!)

But the movie reminds of some earlier movies like Matrix while transporting between Human Mind & Avatar and Kamal Hassan when the heroine cries for her dead father.  One cannot expect logic or scientific reasoning in movies like this but some instances does prick your common sense.

Don’t expect a ‘Titanic’ but you can be sure assured of a three hour good time pass.

Overall Rating: image

Share