More on Stuxnet – Some Views

 

Stuxnet is beyond imagination. Bloggers claim its targets go beyond process, power and nuclear plants. Siemens systems are also used in space as well as in traffic control systems like railways. If you have seen Die Hard 4.0, you can let your imagination roll! Now it's clear why hackers targeted Siemens systems. But I still have my doubts.

One of the blogs claims it could have even attacked India’s INSAT-4B satellite. Jeffrey Carr on his blog says: “On July 7, 2010, a power glitch in the solar panels of India’s INSAT-4B satellite resulted in 12 of its 24 transponders shutting down. As a result, an estimated 70% of India’s Direct-To-Home (DTH) companies’ customers were without service. India’s DTH operators include Sun TV and state-run Doordarshan and data services of Tata VSNL.

What does this have to do with the Stuxnet worm that’s infected thousands of systems, mostly in India and Iran? India’s Space Research Organization is a Siemens customer. According to the resumes of two former engineers who worked at the ISRO’s Liquid Propulsion Systems Centre, the Siemens software in use is Siemens S7-400 PLC and SIMATIC WinCC, both of which will activate the Stuxnet worm.”

The blogger has indicated that the PLCs were used at the Liquid Propulsion Systems Centre. It might be that these PLCs were used as safety systems for gas handling. Whether these PLCs were used to control satellites is a real question.

There has also been a lot of talk about SIL. SIL only represents the reliability of the system, not its security.

What is a SIL? (ref: http://www.dyadem.com/services/additional-engineering-services/sil/)

A SIL is a statistical representation of the reliability of the SIS when a process demand occurs. It is used in both ANSI/ISA-S84.01 and IEC 61508 to measure the reliability of SIS. Both ISA and IEC have agreed that there are three categories: SILs 1, 2 and 3. IEC also includes an additional level, SIL 4, that ISA does not. The higher the SIL is, the more reliable or effective the system is.

SILs are correlated to the probability of failure on demand (PFD), which is equivalent to the unavailability of a system at the time of a process demand.

There has also been a lot of discussion of SIL 4 on these blogs.

What is SIL 4? (ref: http://www.gmigasandflame.com/sil_faqs.html#SIL4)

SIL 4 is the highest level of risk reduction that can be obtained through a Safety Instrumented System. However, in the process industry this is not a realistic level and currently there are few, if any, products / systems that support this safety integrity level.
SIL 4 systems are typically so complex and costly that they are not economically beneficial to implement. Additionally, if a process includes so much risk that a SIL 4 system is required to bring it to a safe state, then fundamentally there is a problem in the process design which needs to be addressed by a process change or other non-instrumented method.

One of my colleagues, who is a safety systems professional, says: “To attain SIL 4 the system has to be non-microprocessor based and hence more secure. It is true that it is more secure as there is no software involved. However, practically, SIL 4 systems are not used currently.”

This discussion on the Siemens website supports it (http://www.automation.siemens.com/WW/forum/guests/PostShow.aspx?PageIndex=1&PostID=181715&Language=en).

However, there has been some work on SIL using Linux (ref: SIL4LINUX), and there are some claims of software supporting SIL 4 (www.firmafrance.com/Documents_Produits/Produit3396.pdf).

To conclude, the SIL standards do not really ensure that a system is secure against hacking attempts.

One more question! How come there is Windows in Iran? I noted this on Microsoft’s website (http://www.microsoft.com/exporting/faq.htm):

Are there certain countries you cannot ship Microsoft products to?

Yes.  In general, Microsoft products may not be exported to Cuba, Iran, North Korea, Sudan, or Syria.

 

For automation professionals who would like to know more about the infection process, read Symantec’s “Exploring Stuxnet’s PLC Infection Process”.

The Google Threat


If you have watched movies like Die Hard 4.0 or WarGames, you know how much can be done with information held on centralized systems. Though these movies are fiction, reality is quite close, or even worse.

Consider the amount of information Google has. They have an awful lot of data. They record everything. They have your IP address, your search requests, the contents of every e-mail you’ve ever sent or received. They know the news you read, the places you go. They’re even collecting real-time GPS location and DNS look-ups. They cache web pages and have a history of pages that don’t even exist currently. They know who your friends are, where you live, where you work, where you are spending your free time. They know about your health, your love life, your political leanings. “They even know what you are thinking about,” says Marlinspike.

While it is being claimed that IP addresses are kept for 18 months and anonymized immediately, privacy experts have alleged that even with anonymized user data, where bits of the IP address are changed or deleted, it is still relatively easy to correlate those addresses with user cookies to get a lock on the identity of a search query’s author.
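The correlation concern described above, as an added example that is not part of the original post: it uses constructed log rows (documentation-range IPs, made-up cookie IDs and queries) to compare what stays linkable when only the IP is truncated with what stays linkable when the cookie ID is dropped as well. The row layout, the /24 truncation and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows (ip, cookie_id, query); not real data.
RAW_LOG = [
    ("203.0.113.57", "c-9f1a", "flights pune to delhi"),
    ("203.0.113.57", "c-9f1a", "clinic near me"),
    ("198.51.100.23", "c-9f1a", "diabetes symptoms"),  # same browser, other network
    ("203.0.113.88", "c-4b7e", "cricket scores"),
    ("198.51.100.140", "c-4b7e", "train tickets"),
]


def truncate_ip(ip, keep_bits=24):
    """Zero the low-order bits of an IPv4 address (assumed anonymization step)."""
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)


def anonymize(rows, drop_cookie=False):
    """Truncate every IP; optionally discard the cookie ID as well."""
    return [(truncate_ip(ip), None if drop_cookie else cookie, query)
            for ip, cookie, query in rows]


def linkable_profiles(rows):
    """Group queries by the most specific identifier still present in each row."""
    profiles = defaultdict(list)
    for ip, cookie, query in rows:
        key = ("cookie", cookie) if cookie else ("ip_prefix", ip)
        profiles[key].append(query)
    return dict(profiles)


if __name__ == "__main__":
    for label, drop in (("IP truncated, cookie kept", False),
                        ("IP truncated, cookie dropped", True)):
        print(label)
        for key, queries in linkable_profiles(anonymize(RAW_LOG, drop)).items():
            print("  ", key, queries)
```

With the cookie kept, each browser's queries stay in one profile across both networks; with it dropped, the only remaining key is a /24 prefix whose bucket mixes queries from both users.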

I was myself surprised to see that Google web history not only records what I search but also what I browse. With its wide range of services and rising popularity, Google is set to have more information about the whole world than the sum of other organizations put together. While Google is an organization people trust, the security of its systems, especially from Chinese hackers, is a big question.

Ref: http://www.zdnet.com/blog/security/google-even-knows-what-youre-thinking/6291

 


India – Top Websites

Below is the list of the top 20 websites in India as per Alexa, as queried today.

All the websites are well known, but what surprised me is the IRCTC website at number 19!

  1. Google India

    google.co.in

    Indian version of this popular search engine. Search the whole web or only webpages from India. Interfaces offered in English, Hindi, Bengali, Telugu, Marathi and Tamil.

  2. Google

    google.com

    Enables users to search the Web, Usenet, and images. Features include PageRank, caching and translation of results, and an option to find similar pages. The company’s focus is developing search technology.

  3. Yahoo!

    yahoo.com

    Personalized content and search options. Chatrooms, free e-mail, clubs, and pager.

  4. Facebook

    facebook.com

    A social utility that connects people, to keep up with friends, upload photos, share links and videos.

  5. Orkut.co.in

    orkut.co.in

    orkut.co.in

  6. Blogger.com

    blogger.com

    Free, automated weblog publishing tool that sends updates to a site via FTP.

  7. YouTube

    youtube.com

    YouTube is a way to get your videos to the people who matter to you. Upload, tag and share your videos worldwide!

  8. Rediff.com India Ltd.

    rediff.com

    Online portal with free e-mail and many other services.

  9. Wikipedia

    wikipedia.org

    An online collaborative encyclopedia.

  10. Indiatimes

    indiatimes.com

    Portal site; includes news stories under subject headings, and links to other information sources.

  11. Twitter

    twitter.com

    Social networking and microblogging service utilising instant messaging, SMS or a web interface.

  12. Windows Live

    live.com

    Search engine from Microsoft.

  13. WordPress.com

    wordpress.com

    Free blogs managed by the developers of the WordPress software. Includes custom design templates, integrated statistics, automatic spam protection and other features.

  14. Microsoft Corporation

    microsoft.com

    Main site for product information, support, and news.

  15. Microsoft Network (MSN)

    msn.com

    Dialup access and content provider.

  16. RapidShare

    rapidshare.com

    Users can upload up to 100 meg files for sharing. Provides downloads of 100 megs per hour on the free service. Premium service also available.

  17. LinkedIn

    linkedin.com

    A networking tool to find connections to recommended job candidates, industry experts and business partners. Allows registered users to maintain a list of contact details of people they know and trust in business.

  18. IN.com

    in.com

    IN.com gives you a short @in.com email address, and lets you find the best of News, Music, Videos and Games, from more than 16,000 websites.

  19. Indian Railway Catering and Tourism Corporation

    irctc.co.in

    Offers online rail ticket booking, and checking of ticket reservation status. Includes train schedules, availability of tickets, and a travel planner.

  20. Cricinfo

    cricinfo.com

    International cricket news, live scores, photos, columns and player profiles. Provides archive scorecards, statistics database, ratings and email newsletter. Part of ESPN International. UK.
