The risks to "SCADA" systems from hackers!

 

Presented by N.E.M Business Solutions

Steve Gibson and Leo Laporte

Not something that we normally concentrate on in the food industry, but maybe we should.  

"I.T" managers in the food industry should read this.

The following text is an extract from the "Security Now" podcast by Steve Gibson of the "Gibson Research Corporation".

The podcast by Steve Gibson and Leo Laporte was recorded on 16th September 2010. The full text and audio files can be found at:

http://www.grc.com/sn/sn-266.htm

 

This is the extract:

Security Now with Steve Gibson and Leo Laporte

Steve: So in security news, I mentioned a couple times this botnet which was using a previously unknown security hole. Well, it turns out that the bad guys are apparently even further ahead of us than we knew. We've talked about the Stuxnet, S-t-u-x-n-e-t, the Stuxnet worm, before because that was the one which surprised us back in July with the shell remote code exploit, the .LNK. Remember the shell shortcut, .LNK, that's the one that was spreading through these SCADA systems. SCADA is the acronym for Supervisory Control And Data Acquisition, which is used unfortunately in high-automation factories and plants like nuclear reactors and in other major, like power control, power-generating factories and things. It's sort of like the underlying technology for doing factory and large plant automation. And for whatever reason, the Stuxnet worm had - it was, like, going after these SCADA systems.

And what was found was that, unfortunately, the way SCADA's architecture was set up, they had hard-coded passwords in these systems, which was known to this worm, this Stuxnet worm, which was using the hard-coded passwords for its own purposes. So what Kaspersky Labs folks recently discovered was that not only could it spread using this shell shortcut vulnerability, this .LNK vulnerability, but it was also able to spread using that previously unknown printer sharing vulnerability that Microsoft just patched two days ago, and no one knew about it. Except this worm knew about it, and it was using it.

And what's also creepy is that they found as they analyzed this worm that there was the ability for it to use a vulnerability which has been known for more than two years. It was back in 2008 there was a vulnerability. And what was interesting is that, if the worm used that in corporate networks, that is, this worm was not only - it's a Windows-based worm, but it's targeted at these SCADA systems because unfortunately Windows is the interface to these Supervisory Control And Data Acquisition systems. So Windows was sort of like the door into these SCADA systems.

But the worm was smart enough to know if it was on a corporate network that would probably sense its attempt to use this '08 exploit. And if it sensed that, it would not use it. It only used it if it could tell, through its own analysis, that it was on an older network, like one of these SCADA networks, that would probably be vulnerable to that and wouldn't be updated and able to sense that it was doing that.

So Siemens, the manufacturer of this particular brand of SCADA systems, has said that at least 14 operational plants located in the U.K., in North America, and Korea, and also by far the largest number of infections located in plants in Iran, had been infected. And Joe Weiss, who's a managing partner at Applied Control Systems, ACS in Cupertino, that's a major supplier of this kind of automated control technology, has said that, as troubling as the Stuxnet worm has been for Windows, the real target appears, as I was saying, to be these SCADA control systems which are interfaced to Windows, and that's their way in.

Symantec reported that this Stuxnet has the ability to take advantage of the programming software to also upload its own code into what are called PLCs, the Programmable Logic Controllers, in industrial control systems that are typically monitored by the SCADA systems. In addition, said Symantec, Stuxnet hides its own code blocks so that, when a programmer using an infected machine tries to view all the code blocks on this PLC, not even a Windows thing, so this is crossing out of Windows into equipment automation systems, they will not see the code injected by Stuxnet. Thus, this Stuxnet isn't just a rootkit that hides itself on Windows, as we know it does, but is the first publicly known rootkit that's able to hide injected code located on these programmable logic controllers, these PLC systems.

And finally, Joe Weiss, this guy at ACS, was quoted saying the mechanism that the Stuxnet worm uses to install the Siemens payload comes at the very end, which means - that is, the end of what the worm is doing - which means this isn't a Siemens problem and that they could have substituted GE, Rockwell, or any other manufacturer's PLCs as the target of the worm. And he says at least one aspect of what Stuxnet does is take control of the process and be able to, for example, whatever the programmer wanted - opening and closing valves in the plant, turning pumps on and off, or speeding up a motor, or slowing one down. He says, "This has potentially devastating consequences, and there needs to be a lot more attention focused on it." So it's frightening stuff, Leo.

Leo: Yeah, no kidding.

Gives you something to think about.

 

2010

N.E.M Business Solutions, Tel / Fax: 01823 680119, Mobile: 07768 981196

E-mail: neil@nem.org.uk