


Stuxnet: the back door to your power plant?

Yes, the Raging Grannies were in the Net Neutrality protest at Google in Mountain View today, but we see a lot of them in the Bay Area, and I’ll save that story for another day.

Meanwhile…

Yesterday, Liam O’Murchu, manager of operations for Symantec Security Response, told CNET (Elinor Mills authored the article) that the Stuxnet worm, which infects industrial control systems (particularly in India, Indonesia, and Iran, but also in the United States), not only steals data, but also leaves a back door that could be used to remotely and covertly control the operations of electrical power plants and oil refineries. (Gas centrifuges or nuclear reactors, anyone…? [see below]) (Note added August 14, 2010: Siemens control software is used for nuclear reactors on aircraft carriers, as mentioned by CNET and Weiss’s statement below, which also mentions Iranian centrifuge plants.) O’Murchu would not name the companies infected, nor state how many companies had been infected.

Let’s just hope when they leave, they don’t “turn off the light.” …or explode the refinery (or even just release toxic gases, which sometimes happens accidentally in the Bay Area and which might be even more deadly). (Note added August 14, 2010: …without even CONSIDERING the nukes.) (Note added September 19, 2010: Some questions crossed my mind this week, to which I have no answers. Could terrorists use the backdoors established by the Stuxnet worm to shut off valves in natural gas transmission lines to allow the building pressure in aging pipelines to duplicate the local explosion and fire the Bay Area saw in San Bruno? If so, could this type of disaster be produced anywhere that high-pressure pipes and remotely-controlled valves exist in a Stuxnet-damaged [not necessarily “still infected”] environment?)

The Stuxnet worm exploits A HOLE IN ALL VERSIONS OF…. wait for it… darn, you guessed it – Windows:-) in the code that processes shortcut files ending in “.lnk.” According to CNET, Microsoft has said that the worm infects machines via USB drives, but it can also be embedded in Web sites, remote network shares or a Microsoft Word document. :-) (Note added September 24, 2010: We later found out that the Stuxnet worm exploits THREE holes in all versions of Windows, TWO of which were/are still unpatched as of September 21, 2010.)
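A defender’s first practical question after a report like this is whether the shortcut files on a USB stick or a network share deserve a closer look before anyone double-clicks them. The script below is an added example, not code from this post or from Symantec, CNET or Microsoft: it validates the ShellLinkHeader and LinkFlags that Microsoft documents in its [MS-SHLLINK] specification, lists which optional sections each shortcut carries, pulls out the UTF-16LE strings embedded in the file, and flags shortcuts that reference a DLL or a remote (UNC) path. The two sample shortcuts, the flagging rules and the function names are constructed here for illustration; the script does not identify Stuxnet specifically, and a flagged file is a candidate for analysis, not a verdict.

```python
"""Triage Windows shortcut (.lnk) files found on removable media or shares.

Added example (not from the original post). Header layout and LinkFlags
follow Microsoft's [MS-SHLLINK] specification; the flagging heuristics and
the sample shortcuts are constructed for illustration only.
"""
import os
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")

# LinkFlags bits ([MS-SHLLINK] 2.1.1) that announce optional sections.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SECTION_NAMES = {
    HAS_LINK_TARGET_ID_LIST: "IDList", HAS_LINK_INFO: "LinkInfo",
    HAS_NAME: "Name", HAS_RELATIVE_PATH: "RelativePath",
    HAS_WORKING_DIR: "WorkingDir", HAS_ARGUMENTS: "Arguments",
    HAS_ICON_LOCATION: "IconLocation",
}

# Runs of four or more printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_header(data):
    """Return LinkFlags if data starts with a valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shortcut")
    size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    return flags


def is_shortcut(data):
    try:
        parse_header(data)
        return True
    except ValueError:
        return False


def sections(flags):
    return [name for bit, name in SECTION_NAMES.items() if flags & bit]


def utf16_strings(data):
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def triage(data):
    """Summarise one shortcut and say whether it deserves analyst attention."""
    flags = parse_header(data)
    strings = utf16_strings(data[LNK_HEADER_SIZE:])
    reasons = []
    if any(".dll" in s.lower() for s in strings):
        reasons.append("references a DLL")            # heuristic (assumption)
    if any(s.startswith("\\\\") for s in strings):
        reasons.append("references a remote (UNC) path")  # heuristic (assumption)
    return {"sections": sections(flags), "strings": strings,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_directory(root):
    """Triage every .lnk file under root (e.g. a mounted USB drive)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    blob = fh.read()
                if is_shortcut(blob):
                    findings[path] = triage(blob)
    return findings


# --- constructed sample shortcuts (not real malware samples) ---------------
def build_lnk(flags, body=b""):
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, flags)
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + body


def string_data(text):
    # StringData entry with IsUnicode set: CountCharacters, then UTF-16LE chars.
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def id_list(items):
    # LinkTargetIDList: IDListSize, then ItemIDs (size-prefixed), then TerminalID.
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return struct.pack("<H", len(body)) + body


BENIGN_LNK = build_lnk(HAS_NAME | HAS_RELATIVE_PATH | IS_UNICODE,
                       string_data("Quarterly report") + string_data(".\\report.docx"))
SUSPICIOUS_LNK = build_lnk(
    HAS_LINK_TARGET_ID_LIST,
    id_list([b"\x1f\x00" + "\\\\fileserver\\share\\loader.dll".encode("utf-16-le") + b"\x00\x00"]))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, triage(blob))
```

Run it against a mounted drive with `scan_directory("/mnt/usb")` (or the drive letter on Windows) and review the `reasons` for each hit; the `sections` list is there because a shortcut that carries nothing but an IDList or nothing but an icon location tells an analyst where to look next in the raw bytes.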

(Note added August 14, 2010: I have to marvel at the operating system choice by utilities and other companies [and the U.S. Navy] for their control systems, when other operating systems based on UNIX [e.g. Linux or Solaris – even Secure Solaris] are available to them.)

(Note added September 21, 2010: If merely shutting off valves/switches can disrupt pipeline/electrical infrastructure, this ability would provide terrorists/foreign countries the capabilities to perform remotely the equivalent of “pin-point bombing” to “carpet bombing” to using a reactor as a “dirty bomb” ALL WITHOUT AIRPLANES! It seems to me like a high price to pay for running Windows.)

According to Symantec’s O’Murchu, although Microsoft issued an emergency patch for the Windows Shortcut last week, just installing the patch is not enough to protect systems running Siemens Simatic WinCC software, because the worm is capable of hiding code in the system that could allow an attacker to remotely interfere with plant operations WITHOUT ANYONE KNOWING ABOUT IT.

O’Murchu said:

“There may be additional functionality introduced into how a pipeline or energy plant works that the company may or may not be aware of,” he said. “So, they need to go back and audit their code to make sure the plant is working the way they had intended, which is not a simple task.”

The Stuxnet worm (FAQ from July here) was written to steal code and design projects from databases inside systems running the Siemens software used to control industrial manufacturing and utilities. (Note added August 14, 2010: The July FAQ stated, at that time, “Symantec researchers said they are seeing between 8,000 and 9,000 infection attempts a day.”) The worm also uploads its own encrypted code to the Programmable Logic Controllers (PLCs) that control the automation of industrial processes and which are accessed by Windows PCs.

O’Murchu said that an attacker could use the back door installed by the worm to not only execute processes and delete files, but potentially to do things like close valves and shut off output systems.

Symantec researchers are not done analyzing the code. O’Murchu said, “we know it checks the data and depending on the date it will take different actions, but we don’t know what the actions are yet.”

CNET states:

“This new information about the threat prompted Joe Weiss, an expert in industrial control security, to send an e-mail on Wednesday to dozens of members of Congress and U.S. government officials asking them to give the Federal Energy Regulatory Commission (FERC) emergency powers to require that utilities and others involved in providing critical infrastructure take extra precautions to secure their systems. The emergency action is needed because PLCs are outside the normal scope of the North American Electric Reliability Corp.’s Critical Infrastructure Protection standards, he said.”

“The Grid Security Act provides emergency powers to FERC in emergency situations. We have one now,” he wrote. “This is essentially a weaponized hardware Trojan” affecting PLCs used inside power plants, off-shore oil rigs (including Deepwater Horizon), the U.S. Navy’s facilities on ships and in shore and centrifuges in Iran, he wrote. “We don’t know what a control system cyberattack would look like, but this could be it,” he said in an interview.

Department of Energy intrusion detection testing didn’t and would not have found this particular threat and anti-virus didn’t and wouldn’t protect against it, Weiss said.

“Antivirus provides a false sense of security because they buried this stuff in the firmware,” he said.

Infection with the worm dates back to at least June 2009. Symantec is notifying infected companies and working with authorities. Symantec cannot tell remotely whether foreign code has been injected. O’Murchu speculated that a large company involved in industrial espionage or a nation-state could be behind the attack, because of its complexity, the high cost of acquiring a zero-day exploit for an unpatched Windows hole, programming skills and knowledge of industrial control systems, and tricking victim computers into accepting the malware by using counterfeit digital signatures. (Note added August 14, 2010: Actually, the July CNET article says that the digital signatures are suspected to have been stolen from two Taiwanese chip manufacturers based in the same complex.)

Sleep well tonight…. :-)

(Note added August 14, 2010: The CNET article above cites studies concerned with the vulnerabilities of U.S. infrastructure. As I wrote about earlier, the National Security Agency [NSA] and Raytheon are involved with an infrastructure project called “Perfect Citizen” with conflicting reports as to the purpose of the project.)

(Note added August 26, 2010: I also wrote a little bit about a very recent essay on the Pentagon’s cyberstrategy, by Deputy Secretary of Defense William J. Lynn III, here.)

-Bill at

Cheshire Cat Photo™ – “Your Guide to California’s Wonderland™”


©2010 William F. Hackett. All Rights Reserved.
