Equipped To Survive® Presents
The Survival Forum

#208469 - 09/22/10 10:00 PM Cyber super weapon unleashed
Tirec Offline
Journeyman

Registered: 08/24/07
Posts: 53
Loc: Rocky Mountain West
A friend sent me the story below:

Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?
The Christian Science Monitor
http://news.yahoo.com/s/csm/327178

By Mark Clayton, Tue Sep 21, 3:08 pm ET

Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.

At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.

(Follow link for the rest of the story)

Another example: in April 2009, pervasive espionage penetrating the U.S. electrical grid by cyberspies from China, Russia and other countries was disclosed. The intrusions were not limited to a particular company, region or infrastructure system, and the intruders left behind dormant software programs that could be activated to disrupt the systems. ("Electricity Grid in U.S. Penetrated By Spies", by Siobhan Gorman, April 8, 2009, http://online.wsj.com/article/SB123914805204099085.html)

Michael Fitzpatrick, CEO of the information risk management firm NCX Group, was discussing cyber security and said “If man made it, man can break it.” (Curtis Sliwa radio show, August 30, 2009).


A good reason to begin one's preparations using low tech, without any outside utilities or assistance. Anything on top of that is "gravy".

If it requires batteries, recharging, refueling, etc. by means which you don't control or can't create from materials on hand, look for a lower tech option.

#208472 - 09/22/10 10:30 PM Re: Cyber super weapon unleashed [Re: Tirec]
Am_Fear_Liath_Mor Offline
Carpal Tunnel

Registered: 08/03/07
Posts: 3078

The Iranian Nuke plant control computers are most likely running Linux (there is a US trade embargo on Iran, so they probably wouldn't be able to get a Windows License). A most sensible precaution when running a high risk project such as a civilian nuclear plant which foreign powers have been threatening to destroy for some time now.

What is potentially worrying though is the fact that many of the computer systems for the US and UK nuclear deterrent (sorry, it's a word that has gone out of fashion lately since the end of the cold war) such as the Trident Nuclear submarines use Windows 2000.

I think I've got a terminal services window running right now. (only kidding NSA...)

As for the Grid going down in the USA due to a hacking and malicious typing of del *.* in a DOS window using Remote desktop help (the Mongolian sitting in his yurt), it's these guys you have to worry about.

http://www.youtube.com/watch?v=q1fFivb5qFs

#208475 - 09/22/10 11:45 PM Re: Cyber super weapon unleashed [Re: Tirec]
frediver Offline
Enthusiast

Registered: 05/17/04
Posts: 215
Loc: N.Cal.
I thought many of the current server systems were running Linux?

#208476 - 09/22/10 11:54 PM Re: Cyber super weapon unleashed [Re: Tirec]
dougwalkabout Offline
Crazy Canuck
Carpal Tunnel

Registered: 02/03/07
Posts: 3256
Loc: Alberta, Canada
Dunno, my wood pile and root cellar have been offline for a while. The old Fender acoustic too; still kicks out tunes. And the old 1938 .303 still makes an impressive boom, with attendant results.

Yes, grid-connected things may be somewhat vulnerable to mischief or malice or dumb-ass-ery; but that's not news. The grid is a convenience (a significant one); but nobody I know will curl up in a ball and quit living while it's patched up.

Meanwhile, I'm researching the latest, greatest novel (using bloody books, if you can believe it!). Blank verse was invented before electricity; maybe that's a place to start?

#208480 - 09/23/10 02:05 AM Re: Cyber super weapon unleashed [Re: Tirec]
2005RedTJ Offline
Addict

Registered: 01/07/09
Posts: 475
Loc: Birmingham, Alabama
I was watching a show one day (I think it was on the Discovery Channel or the History Channel) where they did this. They caused a generator to overload and fry itself. Realtime, with a camera pointed at it so you could watch it cook itself.

Anything that is controlled by a computer can be killed with enough effort.

In my line of work (security systems and fire alarm systems) you generally see that the amount of money and trouble someone is willing to put into protecting something is directly proportional to the value of that which needs protecting.

We do everything from systems with just a single door contact that just dial out over the phone line, up to systems that cover every inch of a building (and I mean EVERY inch) and are monitored via phone line, network, AND long-range radio.

We do our part to keep the bad guys from physically gaining entry into the space, but it's amazing what someone can do with a computer nowadays to mess stuff up.

#208487 - 09/23/10 11:59 AM Re: Cyber super weapon unleashed [Re: Tirec]
Am_Fear_Liath_Mor Offline
Carpal Tunnel

Registered: 08/03/07
Posts: 3078
The story is rather speculative but the code writers of the highly targeted Stuxnet malware would most likely have required very specialist knowledge. The main thrust of the story was that the Stuxnet malware was used to target a particular SCADA/PLC network (or even an individual PLC) to cause the destruction of the plant being process controlled by that PLC by recognising a particular process variable or subroutine name. This would have required detailed knowledge of the Programmable Logic Control ladder logic program of the targeted system.

Of course if the Bushehr nuclear plant attack was successful then no doubt it would have made the CNN nightly news.

But looking back at recent high profile news stories of things going bang then the Transocean Mexican Gulf Oil disaster could easily have been the target especially when you consider that the Siemens WinCC Simatic SCADA process control software systems are heavily used by Transocean.

Now there would be a juicy Hollywood conspiracy theory. An Israeli Mossad attempt to destroy an Iranian Nuke plant accidentally results in the worst environmental disaster in US history simply because the process name DEADF007 in a SCADA PLC control system happens to be common to both the Transocean Deepwater Horizon rig and the Iranian Bushehr Nuke plant.


Edited by Am_Fear_Liath_Mor (09/23/10 12:00 PM)

#208536 - 09/24/10 03:02 PM Re: Cyber super weapon unleashed [Re: Tirec]
Tirec Offline
Journeyman

Registered: 08/24/07
Posts: 53
Loc: Rocky Mountain West
Here's a bit more information from the Financial Times.

http://www.ft.com/cms/s/0/e9d3a662-c740-11df-aeb1-00144feab49a.html

The Stuxnet computer worm spreads through previously unknown holes in Microsoft’s Windows operating system and then looks for a type of software made by Siemens and used to control industrial components, including valves and brakes.

Stuxnet can hide itself, wait for certain conditions and give new orders to the components that reverse what they would normally do, the experts said. The commands are so specific that they appear aimed at an industrial sector, but officials do not know which one or what the affected equipment would do.

#208537 - 09/24/10 03:07 PM Re: Cyber super weapon unleashed [Re: Am_Fear_Liath_Mor]
Blast Offline
INTERCEPTOR
Carpal Tunnel

Registered: 07/15/02
Posts: 3760
Loc: TX
This news article could be an interesting psy-ops action to make the Iranians paranoid. Having to constantly check all their computers would slow them down.

-Blast
_________________________
Foraging Texas
Medicine Man Plant Co.
DrMerriwether on YouTube
Radio Call Sign: KI5BOG
*As an Amazon Influencer, I may earn a sales commission on Amazon links in my posts.

#208540 - 09/24/10 06:52 PM Re: Cyber super weapon unleashed [Re: Blast]
Am_Fear_Liath_Mor Offline
Carpal Tunnel

Registered: 08/03/07
Posts: 3078

From what I have gathered the Stuxnet malware.worm had multiple infection vectors to the attempted target system and attempted to use as many Windows vulnerabilities as possible to get to the target system, even the distribution of USB sticks (maybe even planted throughout Afghanistan, Pakistan, Iraq etc i.e. Central Asia) hoping they would make their way into Iran.

This photo is interesting;



This photo apparently shows a Windows screen shot of an actual process plant in operation at the Bushehr nuclear plant. No valid Siemens license is in use. Perhaps the rewriting PLC payload of the Stuxnet malware.worm was obstructed i.e. a valid license was required for remote reconfiguration of the PLC target in question. Perhaps the Iranians were already hand coding the PLCs via the PLC interfaces as a work around and this potentially saved the Bushehr nuclear plant from going bang. The published photo could be a two fingers, up yours response to those who initially created the malware.worm. It may have been quickly discovered by the Iranians and quickly reverse engineered to be sent back to potentially create havoc with other process control systems that are used heavily around the rest of the world.

Perhaps it's the western countries that are currently paranoid especially if the actual PLCs have been rewritten (apparently the recoding of the PLC is difficult to determine from an initial inspection) even though the actual Windows Stuxnet malware.worm has been removed from the SCADA Windows based hub computer/controller.

The other worrying issue is that Western nuclear submarines (the main nuclear deterrent) all have nuclear plant process systems for their main propulsion systems. Hopefully the USN and RN have a strict security policy with regard to USB sticks/cell phones/digital cameras etc getting on board.

#208554 - 09/25/10 02:17 AM Re: Cyber super weapon unleashed [Re: Am_Fear_Liath_Mor]
chickenlittle Offline
Member

Registered: 06/06/10
Posts: 102
Loc: Canada
OK, count me as confused.
Why would you connect a sensitive computer system to the public internet?
If I was worried about securing it I would simply cut all outside connections.

#208555 - 09/25/10 02:36 AM Re: Cyber super weapon unleashed [Re: Tirec]
raptor Offline
Enthusiast

Registered: 04/05/08
Posts: 288
Loc: Europe
As far as attacks like this are concerned, it never ceases to amaze me why computers that control the important/critical hardware are somehow connected to the Internet and/or are used without strong security measures. They should be isolated as much as possible.

Edit: chickenlittle beat me to it.


Edited by raptor (09/25/10 02:40 AM)

#208568 - 09/25/10 09:47 AM Re: Cyber super weapon unleashed [Re: raptor]
adam2 Offline
Addict

Registered: 05/23/08
Posts: 487
Loc: Somerset UK
Originally Posted By: raptor
As far as attacks like this are concerned, it never ceases to amaze me why computers that control the important/critical hardware are somehow connected to the Internet and/or are used without strong security measures. They should be isolated as much as possible.

Edit: chickenlittle beat me to it.


Where I work we use a Siemens computer and PLC system to control all the plant and equipment in a large office building. Nothing like as critical as a nuclear facility, but data loss or programme corruption could lead to substantial monetary loss.
The computer in question is used for all sorts of other purposes, including internet access.
This is called "value engineering" since it saves buying a second PC which would be a cause of serious financial hardship to a multi million pound business.
The password is written on the wall next to it!

#208572 - 09/25/10 04:38 PM Re: Cyber super weapon unleashed [Re: Tirec]
Tirec Offline
Journeyman

Registered: 08/24/07
Posts: 53
Loc: Rocky Mountain West
My company has a client with remote locations across the country exchanging files with a central system. In order to minimize the risk of viruses, they still insist that the remote computers can not be connected to a local network or the internet, and they use dial-up to transfer the files.

Other clients with another product use sneaker-net to transfer files between systems. While not quite as secure because some viruses can be transferred to the media along with the desired file, it still limits exposure because of the physical transfer method.

(Maybe they should run OS/400 instead of Winders, but that's just a geeky server prejudice.)

Most systems can have adequate security, but it's expensive and time consuming to implement proper physical and logical security. Within the last year, the military has prohibited the use of USB drives on their systems.

#208592 - 09/26/10 03:24 PM Re: Cyber super weapon unleashed [Re: chickenlittle]
chaosmagnet Online
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3858
Loc: USA
Originally Posted By: chickenlittle
Why would you connect a sensitive computer system to the public internet?
If I was worried about securing it I would simply cut all outside connections.


Once upon a time DOD had itself a very nice secure network, which they got all infected to hell and gone by connecting it to the Internet. It seems that this is a lesson that people have to learn the hard way.

Keeping something disconnected doesn't completely eliminate the possibility of malware infection, unless you fill the network and USB ports with epoxy and post an armed guard to keep people from digging the epoxy out. Frequently, when sensitive systems are compromised, it's via an authorized channel, such as a software update that was infected with malware.

#208614 - 09/27/10 02:38 AM Re: Cyber super weapon unleashed [Re: chaosmagnet]
2005RedTJ Offline
Addict

Registered: 01/07/09
Posts: 475
Loc: Birmingham, Alabama
Originally Posted By: chaosmagnet
Originally Posted By: chickenlittle
Why would you connect a sensitive computer system to the public internet?
If I was worried about securing it I would simply cut all outside connections.


Once upon a time DOD had itself a very nice secure network, which they got all infected to hell and gone by connecting it to the Internet. It seems that this is a lesson that people have to learn the hard way.

Keeping something disconnected doesn't completely eliminate the possibility of malware infection, unless you fill the network and USB ports with epoxy and post an armed guard to keep people from digging the epoxy out. Frequently, when sensitive systems are compromised, it's via an authorized channel, such as a software update that was infected with malware.


We were taught in the military that the closest you could get to a "safe" computer in the real world was to have it turned off 24/7, unplugged from everything, and sealed in a locked room under armed guard. And even then it wasn't totally safe.

You can take the most secure computer the military has, in the most secure room possible, with no internet connection to it... and then let a 18-year-old E-1 walk in with a video game he wants to load onto it and it all goes to crap right then. Seen it firsthand more times than I could count.

#208619 - 09/27/10 04:11 AM Re: Cyber super weapon unleashed [Re: 2005RedTJ]
LED Offline
Veteran

Registered: 09/01/05
Posts: 1474
I wonder who the geniuses are who created this thing? At least one thing about its creators is certain, they have absolutely no regard for its potentially disastrous effects on the global economy. What a bunch of losers. From today's news:

Quote:

SAN FRANCISCO — As in real warfare, even the most carefully aimed weapon in cyberwarfare leaves collateral damage.

The Stuxnet worm was no different.

The fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear program — was a specifically aimed attack that ended up scattering randomly around the globe.

#208631 - 09/27/10 05:41 PM Re: Cyber super weapon unleashed [Re: LED]
DaveT Offline
Enthusiast

Registered: 08/15/03
Posts: 208
Loc: NE Ohio
Interesting - right now I'm reading "Cyber War" by Richard A. Clarke - he talks about our offensive cyber war capacity - which is informally ranked as No. 1 in the world - vs. our dependence on the Internet and our defensive capability - which in his estimation combine to make us the most vulnerable to being attacked of almost any country that is "in the rankings" as a cyber world power.

He makes some interesting parallels to how we don't have an established strategy for cyber war, and how this is similar to the first decade or two after the advent of nuclear warfare capability - a capability without a defined role, without guidance for when it would be used and, more importantly, limits on when it would NOT be used. And that's where we are with cyber war - no overarching strategy for the people who are wielding this to know when we would or would not use cyber warfare.

And he says that while we've developed intelligence-based and military-based cyber groups in each of the armed services that will defend the DOD-related sites, and Homeland Security has cyber capabilities to protect other government sites, NO one is tasked to protect the privately owned, critical infrastructure. Each private sector and company is on its own.

#208634 - 09/27/10 09:49 PM Re: Cyber super weapon unleashed [Re: Tirec]
Art_in_FL Offline
Pooh-Bah

Registered: 09/01/07
Posts: 2432
The Stuxnet worm was clearly a one-shot weapon. Once the flaws in the OS were patched it couldn't spread outside the control system. Clearing it from the control system might be a PITA, likely you have to shut everything down, but the process is routine. Once the OS is patched and the control system purged Stuxnet is gone. It will remain as a historical footnote. Possibly as a pet worm in someone's sandbox system where they can study and admire it.

The take away is that you don't connect critical systems to public networks. If there is any connection outside the system it is inherently insecure. Keep your OS and security software updated. Avoid Windows if you are concerned with security.

#208649 - 09/28/10 04:02 PM Re: Cyber super weapon unleashed [Re: LED]
Eugene Offline
Carpal Tunnel

Registered: 12/26/02
Posts: 2998
Originally Posted By: LED
I wonder who the geniuses are who created this thing? At least one thing about its creators is certain, they have absolutely no regard for its potentially disastrous effects on the global economy. What a bunch of losers. From today's news:



Usually people who write these things are not geniuses, they are people who are bored and have time on their hands. It doesn't take that much skill to write these types of worms/viruses (we wrote simple boot sector viruses in college), all you need to know is some simple programming skills. You just need the time and nothing better to do so you just keep trying simple variations in your script until something breaks. Most of these kinds of exploits are released this time of year as kids start college, they pay their tuition, room and board, books, etc. then have no $ left over for beer so they sit in their dorms bored. It's also why they don't consider the big picture effect of their actions, they are not geniuses nor are they quite mature enough to fully understand the effects.

#208864 - 10/02/10 07:07 AM Re: Cyber super weapon unleashed [Re: Eugene]
LED Offline
Veteran

Registered: 09/01/05
Posts: 1474
Holy moly. Looks like this thing has really gone global. Tens of thousands of companies are infected and it may have even been responsible for the disabling of an Indian satellite. Symantec's chief response guy has this to say:

Quote:

After all, hitting the nuclear plant with a 500-pound bomb would have produced far more collateral damage than attacking it with a cyberweapon, right?

Spoonamore is not so sure. "Compared to releasing code that controls most of the world's hydroelectric dams or many of the world's nuclear plants or many of the world's electrical switching stations? I can think of very few stupider blowback decisions," he says.


Okay, so I also heard some pretty scary interviews from cyber security gurus on the radio today. My question is, should we be more concerned or is this Stuxnet really as benign as the media portray? Because they're making it seem like a near miss.

#208882 - 10/03/10 02:17 AM Re: Cyber super weapon unleashed [Re: Tirec]
Art_in_FL Offline
Pooh-Bah

Registered: 09/01/07
Posts: 2432
It helps to remember that "cyber security gurus" make their jobs seem more important, and increase what they can charge, by highlighting every potential risk, and every possible way such a thing might potentially cause damage or disruption.

If they can get enough people to demand the authorities 'do something', even when the actual risk is small and the options for 'doing something' are, given our unwillingness to shake things up, highly unlikely to provide any significant protection, we might see the creation of an entire department within DHS to handle it. Cost: several billion dollars worth of security theater.

The irony is that the same people getting all worked up are exactly the same people who complain about the size and cost of government. But the blow-back really comes when, after spending billions, a cyber attack that no amount of spending could stop does damage. That's when the people who demanded that the department be created, despite warnings that it can't do much, point out how government failed them once again.

Stuxnet is pretty much a spent force. The word is out, the security holes exploited by it patched, the anti-virus programs have incorporated its signature and know what to look for.

The answer is dead simple but it is something that the corporations and utilities will always resist: strict regulation and operational standards for utilities and major infrastructure system operators. There are ways to design in security and protection into the machinery, networks, and software. There are established security protocols that could be, but aren't, incorporated into every step of infrastructure design and operation.

Business is driven to make money. Security, safety, and any societal good is secondary. Until we the people get it through our collective thick skulls that the free market doesn't deal effectively with societal costs, that regulation is vital, that industry will not and cannot regulate itself, we will never deal with the issue. It will take a catastrophic failure that allows a strict regulatory regime to be implemented. Until then industry will mostly pay lip service to network security and infrastructure hardening. For people who run corporations the risk seems remote. The potential for damage and loss of life and property doesn't worry them. They are insured.

The major stockholders and executive officers will be protected. They don't live in places where they, or theirs, are likely to be affected. Worst case, they load their trophy wife, kids, and nanny into the corporate jet and take an extended vacation in Switzerland or Bermuda. Depending on what time of year it is.

My prediction is that you are going to see a whole lot more scaremongering, security theater, posturing, and expensive programs that accomplish nothing. We know what works but we can't bring ourselves to swallow hard and do it. Too many people making too much money exploiting the fear selling rabbit's foot talismans to do anything serious that might actually mitigate the problem.

For business a problem is an opportunity to be nurtured and milked to maximize profits. Solving the problem eliminates opportunities that might be exploited.

#209298 - 10/07/10 10:19 PM Re: Cyber super weapon unleashed [Re: Tirec]
raptor Offline
Enthusiast

Registered: 04/05/08
Posts: 288
Loc: Europe
Quite interesting article about this worm from Bruce Schneier: http://www.schneier.com/blog/archives/2010/10/stuxnet.html

#210124 - 10/22/10 06:59 PM Re: Stuxnet may have struck again!! [Re: raptor]
Am_Fear_Liath_Mor Offline
Carpal Tunnel

Registered: 08/03/07
Posts: 3078
Stuxnet may have struck again!!

http://www.bbc.co.uk/news/uk-scotland-highlands-islands-11609870

A grounded RN nuclear stealth Hunter Killer discharging its steam from its reactor propulsion system as the reactor is shut down in a possible emergency.






Edited by Am_Fear_Liath_Mor (10/22/10 07:18 PM)

#210127 - 10/22/10 08:16 PM Re: Stuxnet may have struck again!! [Re: Am_Fear_Liath_Mor]
Teslinhiker Offline
Veteran

Registered: 12/14/09
Posts: 1419
Loc: Northern Ontario
Originally Posted By: Am_Fear_Liath_Mor
Stuxnet may have struck again!!

http://www.bbc.co.uk/news/uk-scotland-highlands-islands-11609870

A grounded RN nuclear stealth Hunter Killer discharging its steam from its reactor propulsion system as the reactor is shut down in a possible emergency.


There has not been one news story that I have yet read in regard to this sub that mentions that Stuxnet was even a remote cause of it running aground.
_________________________
Earth and sky, woods and fields, lakes and rivers, the mountain and the sea, are excellent schoolmasters, and teach some of us more than we can ever learn from books.

John Lubbock
