Iranian nuclear facilities under "massive attack" by Stuxnet worm

Iranian President Mahmoud Ahmadinejad inspects centrifuges at a uranium enrichment plant.

The Iranian government agency that oversees the country's nuclear facilities reported today that engineers are attempting to defend against "Stuxnet," a Windows-specific worm attacking industrial plants throughout the nation. The malware exploits a Windows vulnerability to seek out and compromise industrial systems made by Siemens. It has also been spotted in other countries, but Iranian targets appear to be the most frequently compromised, by far. Affected nuclear sites in Iran include those the US believes are part of a nuclear weapons program.

But the announcement raised suspicions, and new questions, about the origins and target of the worm, Stuxnet, which computer experts say is a far cry from common computer malware that has affected the Internet for years. A worm is a self-replicating malware computer program. A virus is malware that infects its target by attaching itself to programs or documents.

Stuxnet, which was first publicly identified some time ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target -- the infection has also been reported in Indonesia, Pakistan, India and elsewhere -- a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

More: New York Times, BBC, NYT Bits Blog, Al Jazeera. Stuxnet was discovered this June and has been the topic of discussion in security circles since; a Symantec advisory is here.

Symantec plans to release more technical analysis of Stuxnet in a paper to be released at the Virus Bulletin Conference on September 29th.

German security researcher Ralph Langner has conducted some interesting work on Stuxnet. Note the "analysis" and "theory" provided here. The punchline: "Welcome to cyberwar."

Not a word about this on the English-language website for Iran's official news agency, not yet anyway.


  1. The truly scary thing about this kind of compromise is that you don’t need to be a nuclear power to have access to nuclear technology. You just need a computer and a high bandwidth connection.

  2. good job whoever did it.

    I am an Iranian and against this brutal and terrorist regime.

    They are not human ruling the country, they are animals in the form of human.

    I hope they create a virus in the future to take this regime out, not just their nuclear facilities.

    Death to Islamic republic, long live Freedom.

  3. Something tells me this won’t end well.

    I suspect we’ll once again be reminded of the meaning of the expression “unintended consequences” at some point.

  4. You haven’t read the articles carefully.
    Stuxnet uses Windows computers only as a means of spreading.
    Stuxnet spreads by means of USB memory sticks. Then it hides inside a rootkit and waits. When it detects the presence of the Siemens development environment for Simatic PLCs it starts to act.
    The virus examines the connected Siemens Programmable Logic Controller and checks if it has a particular model of processor. Then it proceeds to check if there are particular data at a particular position in two DataBlocks. So, it is designed to sabotage ONE PARTICULAR PLC out there. Once it finds its victim, it inserts a few lines in assembler into OB35. That ‘assembler’ is a low-level language called Step 7 that is used for programming Siemens PLCs – Simatics. OB35 is one particular memory address where a special routine is located. The routine is run once every 100 milliseconds and is used to control processes that need very, very fast response. The injected code in OB35 is placed at the very top of the loop and waits for a specific event to occur. When the event occurs the injected code skips the rest of OB35, rendering whatever control mechanism is there ineffective.
    In short, the virus is very special, because its target is a Simatic PLC. The PC part is only a means of delivering the “payload”.

    1. The cynic in me wouldn’t doubt that Siemens and Microsoft weren’t in on writing the worm.

      But, seriously, how stupid do you have to be to use windows – unpatched windows – in this situation. It scares the @#$@#@$ out of me that people that stupid are playing with nuclear… anything.

      It makes me wonder how secure any other nuclear facility is, anywhere…
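The injection pattern described in comment 4 (foreign code placed at the very top of OB35 so that the rest of the block can be skipped) is exactly what a periodic baseline comparison of uploaded PLC blocks can catch. The following is an added example, not code from the article or from any commenter; the block names, the STL-style byte strings and the marker bit are constructed sample data, and a real deployment would feed in the blocks uploaded from the controller.

```python
"""Baseline integrity check for PLC program blocks (added example).

Compares a known-good set of blocks (the engineer's last approved download)
against a fresh upload from the PLC and classifies every difference. Code
inserted at the top of a block leaves the original body intact as a suffix
of the new block, so that case is reported separately as "prepended".
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class BlockChange:
    """One difference between the approved baseline and the PLC upload."""
    block: str
    kind: str                        # added | removed | prepended | appended | modified
    baseline_sha256: Optional[str]
    current_sha256: Optional[str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_change(baseline: bytes, current: bytes) -> str:
    """Say how a changed block differs from its baseline."""
    if len(current) > len(baseline) and current.endswith(baseline):
        return "prepended"       # original body still present, new code in front
    if len(current) > len(baseline) and current.startswith(baseline):
        return "appended"
    return "modified"


def compare_blocks(baseline: Dict[str, bytes],
                   current: Dict[str, bytes]) -> List[BlockChange]:
    """Return every block that was added, removed or altered in the upload."""
    changes: List[BlockChange] = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name), current.get(name)
        if before is None:
            changes.append(BlockChange(name, "added", None, sha256_hex(after)))
        elif after is None:
            changes.append(BlockChange(name, "removed", sha256_hex(before), None))
        elif before != after:
            changes.append(BlockChange(name, classify_change(before, after),
                                       sha256_hex(before), sha256_hex(after)))
    return changes


def is_cyclic_interrupt_tampered(changes: List[BlockChange]) -> bool:
    """True when any OB3x cyclic-interrupt block has foreign code prepended."""
    return any(c.block.startswith("OB3") and c.kind == "prepended" for c in changes)


# Constructed sample data: STL-style text standing in for compiled blocks.
BASELINE_BLOCKS: Dict[str, bytes] = {
    "OB1":  b"L  DB1.DBW0\nT  MW10\nBE\n",
    "OB35": b"L  PIW256\nT  DB2.DBW4\nCALL FC1\nBE\n",
    "FC1":  b"L  DB2.DBW4\nL  500\n>I\nJC  STOP\nBE\n",
}

# Constructed sample upload: OB35 now opens with a conditional block end
# (BEC) on a marker bit, so the real control routine is skipped on demand.
TAMPERED_UPLOAD: Dict[str, bytes] = dict(BASELINE_BLOCKS)
TAMPERED_UPLOAD["OB35"] = b"A  M100.0\nBEC\n" + BASELINE_BLOCKS["OB35"]


def check_upload(current: Dict[str, bytes] = TAMPERED_UPLOAD) -> List[BlockChange]:
    """Run the comparison against the approved baseline."""
    return compare_blocks(BASELINE_BLOCKS, current)


if __name__ == "__main__":
    found = check_upload()
    for change in found:
        print(f"{change.block}: {change.kind} "
              f"({change.baseline_sha256} -> {change.current_sha256})")
    print("cyclic interrupt tampered:", is_cyclic_interrupt_tampered(found))
```

A hash mismatch alone does not say what changed, which is why the suffix/prefix test is kept separate: an approved edit usually replaces a block wholesale, while code wedged in front of an untouched body is the pattern worth escalating.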

  5. “Affected nuclear sites in Iran include those the US believes are part of a nuclear weapons program.”

    On the 60th anniversary of the nuclear bombing of Nagasaki by the US, Iran issued a statement at an IAEA meeting:
    “The Leader of the Islamic Republic of Iran, Ayatollah Ali Khamenei has issued the Fatwa that the production, stockpiling and use of nuclear weapons are forbidden under Islam and that the Islamic Republic of Iran shall never acquire these weapons.”

    It is Khamenei who is the supreme power in Iran, not Ahmadinejad and a fatwah from him has a force in Iran similar to the effect a constitutional pronouncement from the Supreme Court would have in the US.

    Iran is well within its rights under the non-proliferation treaty, and the US is not meeting its obligations under the treaty to assist all signatories who comply with the treaty in their peaceful nuclear programs. The US government leadership’s scuttling of a fuel swap brokered by Brazil and Turkey, relentless baseless accusations, hardball political and diplomatic arm-twisting for sanctions, ongoing invasion and occupation of Iran’s neighbors to the east and west, illegal support of a covert nuclear-armed enemy of Iran in the middle east, and threats to use nuclear weapons against Iran show that it is not to be trusted at all in anything it has to say about Iran’s supposed threat.

    A few people in the media and politics have succeeded in making nearly everyone think that Iran is trying to make nuclear weapons, but the US intelligence agencies and IAEA who have the most actual knowledge do not agree. War against Iran would be disastrous. Don’t fall for the same lies they used to get us into Iraq.

    1. “The Leader of the Islamic Republic of Iran, Ayatollah Ali Khamenei has issued the Fatwa that the production, stockpiling and use of nuclear weapons are forbidden under Islam and that the Islamic Republic of Iran shall never acquire these weapons.”

      These words mean nothing. The Koran permits lying to non-believers in the furtherance of Islam.

      Kudos to the Stuxnet developers on a job well done.

      1. Actually a Fatwa is addressed to Islamic people, as I understand it, so , is the Ayatollah allowed by the Koran to lie to believers, too?

        Your debunking is bunk, IMO – could you reference the passage in the Koran that states that lying to non-believers is OK?

        I could probably find such a passage in Deuteronomy for you!

        BTW I reject all three middle-eastern (Abrahamic) religions: JudeoChristianIslam. They are seeds of racism and hate, long-obsolete tribal programs of mind control.

        At least Islam got art and poetry.

        1. I’m not that guy, and I read the Qu’ran too long ago to even begin to say where this was, but I remember passages saying that if a muslim lived in a place hostile to Islam, he was allowed to lie about being a muslim, but it was better to leave and join a muslim community, or find unoccupied land and start one.
          There’s also the concept of hudna, which is basically a ceasefire which the muslim side uses to shore up its defences for the next fight, which is fairly dirty(but then that’s war, innit?), and would apply in this case. Iran is openly hostile to the US, and having nukes, to say nothing about whether they’d consider a first strike, would force the US to be a lot more delicate with them.
          I don’t personally think the regime is so cohesive that the people who would be directly involved in planning which nuclear capabilities to pursue are talking so in-depth with the Ayatollah (nasty bureaucracies are notoriously balkanised), but a fatwa is public enough that you could probably argue for it being to believers (and thus has to be as truthful as possible) or in front of non-believers (and thus making it acceptable to lie to protect muslims) as needs dictated.

          Me, I think that if Ahmadinejad really wanted to go for nukes, he seems power-hungry enough to rub out the Ayatollah, or at least threaten him, to do it, so all that nonsense up there isn’t so necessary. To be honest, I wouldn’t be surprised by any logical leaps a Truther might make. Conspiracy theorists are just nutty.

    2. Sounds like standard US behavior ever since WW2, the fewer nations that have nukes the more they can play international big brother.

    3. Iran is so powerful; so powerful a few guys in a windowless room have passed infected computer code to their agents inside your ‘nuclear program’, and have rendered it inert.

      You have dealt with faulty centrifuge tubes, fool!
      You have many other specially faulty industrial parts in your nuclear program, and you have no idea how many or where they are!

      And now –

      This same thing that hobbles your nuclear program happened to your Air Fleet of F-14 fighter aircraft some years ago after you kicked American Technicians out – those planes sat there and sat there, and proudly collected dust under the Iranian Flag! Never to be flown again!

      Owned Again by the evil capitalist American pigs!

  6. News of this worm made the rounds about a week ago. However, what’s most interesting is that experts who examined it were astounded by the level of complexity involved; they even went so far as to suggest that it could be the work of “state-backed professionals”. Some even suggested that the Iranian nuclear program could be the actual target, before it became apparent that it was the case.

    Coincidentally, the American general in charge of cybersecurity recently told the NYT that the USA’s defences against cyber-attacks on “banking, aviation, and public utility systems” needed to be reinforced.

    Some links:

    Bruce Schneier’s take on it:

    Article predicting the attack on Iran’s nuclear facilities:

    NYT article:

  7. Not sure my comment will pass the spam filter with all the links, so here’s an edited abstract: this worm was spotted in the wild about a week ago, and the experts who examined it found it so complex that they thought it might actually be a state-developed cyberweapon. Some even speculated that it was aimed at Iran’s nuclear facilities, before these facilities started flaking. Also, cyberwar is a hot topic among the US military these days, and the US Gen. in charge of cyberdefense has made some noise about protecting American networks against cyberattacks.

    1. Actually, the worm was spotted a *long* time ago, in Summer 2009. At first it was thought to be one of the countless, unremarkable worms spreading through USB memory sticks. Then, it was discovered it targets PCs with SCADA-HMI software from Siemens called WinCC. So they tried to analyze it further. But the analysis was difficult, because the internals of the virus are encrypted and obfuscated. It was only last week that a breakthrough occurred and a researcher called Langner (www dot langner dot com slash en) was able to make the virus work in a lab. Langner found out the virus targets a very specific PLC.

      Having Windows in a control room is, sadly, very very common. All the big SCADA/HMI packages (what we call visualization – the application that displays for the operator what is going on in the process he is controlling) are built on Windows. WinCC, inTouch, PCIM,
      Only very few factories have visualization done through Unix, Linux or QNX.
      You have to realize that the Windows PC does not directly control the process. The control is done through Programmable Logic Controllers, in this case Simatic PLCs from Siemens. Visualization PCs “only” work as Supervisory Control And Data Acquisition / Human Machine Interface. – Windows PCs display info to the operators and communicate with PLCs.

  8. It’s funny because the US and Europe whine about how the Chinese hackers are constantly bombarding their networks with incredibly complex attacks.

    I guess it’s gloves off now since everybody wants to tell other people off for doing the same thing they are doing themselves. I know who my money is on.

  9. I think the medium here is the message.

    The existence of this worm in Iran’s nuclear facilities completely undermines the “Iran is a responsible nuclear energy developer” message.

    If the PLC can be infected, it can be restored from a known good image. If it uses a protocol to communicate with a display computer, the protocol can be reverse-engineered. The security holes in the electronic systems can be closed. The reputation hole never can.

    1. The PLC does not get infected, the Windows PC does. The Windows PC uses the PLC as a peripheral. That peripheral allows the Windows PC, with the proper software, to communicate to equipment that operates the power plant.

      You deeply underestimate the sophistication of Stuxnet. It was clearly developed with mal-intent, and with insider knowledge. There are indications it was using a zero-day Microsoft vulnerability long before that vulnerability became publicly disclosed. Siemens’ own WinCC software is widely used with a default admin password, by design. Stuxnet leverages that as well. The security holes here are non-trivial and not easy to patch against.

      SCADA systems operate physical equipment, often equipment of major size and physical power. If SCADA systems fail, people can die. Really, truly die.

      I know it seems like B.S. to suggest there’s some sort of covert, black-ops organization behind this. But the possibility is very real. It is likely that the US military helped engineer Stuxnet, either via funding, providing insider knowledge, or covertly protecting operations.

      However, while the US may have been involved I would be surprised if it was the sole player. Historically, the United States has avoided directly playing these kinds of games, instead preferring to allow other nation-states to take the fall. There’s more than one nation in the Middle East that does not want Iran to have nuclear power of any sort.

    2. The existence of this worm in Iran’s nuclear facilities completely undermines the “Iran is a responsible nuclear energy developer” message.

      OK, I’ll bite. How exactly does someone being under attack undermine their responsibility? All it shows, factually, is that someone infiltrated far enough to plant malware.

      I’m willing to give you a chance to explain that assertion, though I’m not especially credulous, nor am I willing to become so.

      1. Okay, since a word to the wise isn’t sufficient.

        You’ve got a PLC. You’ve got a Windows machine that is the logger / interface / display for the PLC. There’s some sort of protocol that the Windows machine uses to communicate with the PLC. That protocol, if documented well, could be implemented on any arbitrary computer running any arbitrary operating system – say, machines running Ubuntu, Red Hat, Solaris, or any POSIX-compliant OS — Rather than Windows, a notoriously unstable, buggy, and insecure operating system. One that hosts 99.99999% of the computer viruses in existence. INTEROPERATING WITH A PLC THAT CONTROLS A NUCLEAR FACILITY. (Anyone with any sense could stop right there, but word to the wise, etcetera)

        More background: It’s well-known that Microsoft Windows’ encryption engine (That handles the encryption of disks, messages, and communications links) is, itself, subject to being updated / replaced at any time by Microsoft.

        Microsoft is a multi-national corporation which is based in the United States, and is subject to doing what it is ordered to do by the United States Government, who considers Iran a state sponsor of terrorism – Iran sponsors Hezbollah.

        The US Government is prone to doing things by fiat, rather than by law – bypassing even FISA courts and the normal “you need a warrant to do that” process of law.

        The US government has a political policy position that Iran should not be developing any sort of nuclear program, neither for arms nor for energy, because the energy program may be a cover for the research, development, and running of an arms program.

        Iran has made noise, in the past, about using nuclear weapons against Israel.

        Iran has stated that their nuclear program is only for energy and not for arms.

        Iran has stated that their energy program is a responsible one.

        The US position is that Iran will not run a responsible energy program.

        Remember the part about the encryption engine? Yeah, there’s more to that: There’s more than one key that can authorise the replacement of the encryption engine in any arbitrary copy of Windows. The second key (after Microsoft’s own key) was named, in debugger code found long ago, “_NSAKEY”. Try Googling that. Read a bit. I’ll wait. Be sure to read Schneier’s opinion.

        All done with that part? Alllllrighty.

        It requires absolutely zero credulousness to posit that it is entirely possible that the United States, or an agent of the United States, developed and released or planted (I’m trying really hard here to not enumerate and explicate ways for Iran to have secured their machines because, really, I don’t want to assist them) this virus / trojan, in the specific goal of being able to hook into the nuclear plant’s control machinery.

        From that point, it could be remotely shut down. Or destabilised. Or a catastrophic failure could be ordered. This isn’t hard to see. It would benefit the United States’ government’s position enormously to sabotage Iran’s technical facilities, at the right time, or shut them down, during an arms inspection, or have them undergo a runaway reaction during an arms inspection, or otherwise, and drop fallout material with an elemental signature that demonstrates that they were manufacturing plutonium on purpose. Or breeding some other weaponisable material. If that’s really what they’re doing.

        And the downside of this scenario going public is this: The United States gets to sit in the UN Security Council and demonstrate that Iran is an idiot child playing with a gun it doesn’t understand and cannot handle.

        —– Oh, and one more thing: How /exactly/ does a B-52 bomber take off from a North Dakota military base, with live nuclear warheads in delivery vehicles, and fly EAST to Barksdale AFB in Louisiana, EAST — to a base that is a staging point for movement to the Middle East, during the Bush Administration, during a time of tense standoff with Iran, when:

        A: the official story is they were being flown SOUTHWEST to be decommissioned at Kirtland AFB in New Mexico, and

        B: accessing the nuclear warheads in question requires authorisation from no less than the Joint Chiefs, VP, or President, involves two-man operation to authenticate the orders, requires two-man operation to alert the guards on the storage facility and authenticate the approach orders (the guards are ordered to shoot, on sight, anyone attempting to enter the storage facility who has not previously authenticated with them their order to enter, much less an order to move and load, nuclear warheads)

        C: There have been standing orders for 40 years against the movement of nuclear warheads — in delivery vehicles or not — in aircraft over US soil, and every single person involved understands WHY. That includes pilot, ground support (arms load, arms move, ground crew, other support crew)

        D: Cheney had been pushing to bomb Iran since before Clinton was elected to office.

        Iran rattles their sabres, and then says they are peaceful and responsible, and then secures a major nuclear operation with the skills and technical expertise of my 65-year-old mother (For her, computers are for Solitaire).

        And the US has a definitive policy and operations history of wanting, needing, desiring, and anticipating a nuclear mishap in Iran.

        (Postscript: Oh Jeff, Riffing: The PLC’s code itself is altered, with a subroutine check on one of the event handlers, that conditions the routine handler to skip the entire event handler in the event of some particular (as-yet unknown) condition being signalled. This is what we call in the industry “infected”.)

        1. So I’m supposed to believe that since we’re attacking them it’s proof that they’re doing something wrong?

          Either that or you might be one of the worst advocacy writers I’ve ever run across, because nothing you post demonstrates anything other than that we – or someone – engineered trouble for them, despite their being signatories to the non-proliferation treaties and the commentary from the IAEA that they do not in fact have a weapons capacity.

          1. “So I’m supposed to believe that since we’re attacking them it’s proof that they’re doing something wrong?”

            I never said Iran did anything wrong with respect to developing weapons technology. I targeted the fault as their use of Windows for nuclear technology interface and control. I said their credibility in claiming that they are running a safe, responsible nuclear program is shot.

            “Either that or you might be one of the worst advocacy writers I’ve ever run across, …”


            “… because nothing you post demonstrates anything other than that we – or someone – engineered trouble for them, despite their being signatories to the non-proliferation treaties and the commentary from the IAEA that they do not in fact have a weapons capacity.”

            I never attempted to claim that Iran was developing weapons material. Thus, “If that’s really what they’re doing.”

            I was making the case that — and anyone who can reason can clearly see this fact (And I’m pretty confident that my words convince just about anyone who reads them without an agenda)– Iran’s claim to be a responsible handler of nuclear technology has been shown to be a bluff, a sham, a baseless boast; Thus the bit about the US being able to sit in the UN Security Council and compare Iran to an idiot child with a loaded gun.

            Did you even /read/ what I wrote, or are you one of the fashionably willfully ignorant who are too busy thinking about what they are going to say next, that they’re incapable of listening to/reading someone else?

            Bonus points if you can’t (and it ought to be easy) escape my last assertion above in debate.

          2. Bardfinn, I worked for two years on the software that controls the United States’ weapons grade reactors in Savannah.

            All Iran is doing is copying what we are doing. One of the (many) reasons I no longer work there is that I objected to the replacement of custom programmed DEC hardware with generic windows systems.

            I agree with you; the United States’ claim to be a responsible handler of nuclear technology has been shown to be a bluff, a sham, a baseless boast. Since the Reagan administration at least the USA’s behaviour with our nukes has been comparable to an idiot child with a loaded gun.

            If you see something like stuxnet that targets Honeywell DCS systems, be very afraid.

        2. I take it the b-52 flight mentioned happened before Obama took office, that is while Cheney still was VP? ouch…

  10. Good. Death to the oppressive totalitarian regime of Iran.
    The peace loving world dreams of a future free of their ridiculous Fatwas, lunatic prophets, and senseless cabals.

  11. I work in a plant full of Siemens mail processing equipment, and this got my hopes up for a free vacation, until I read the description of how the worm works. Damn.

  12. I’m actually curious about the photo. It says the metal rods are centrifuges, but they’re bolted to the floor. Maybe different designs are required for nuclear purposing, but normally (at least in the lab), centrifuges spin the sample in a circular arc at very very high speed, often in a fixed angle rotor.

    I’m curious what actually is pictured.

  13. #23, those are gas centrifuges shown in a cascade. What you see bolted to the floor is the outer case; the part that spins is inside this case.

  14. That Windows machines are used at all, in any part of nuclear plant operation or design, is really the final proof that the people involved are insane. Such a massive liability… I cringe when I see Post Offices use windoze, let alone a nuclear plant!!!

    We have Microsoft to thank for making computing such an un-productive, unreliable, insecure and hair-tearingly awkward activity. Maybe we can soon thank them for another big, ugly war.

    BSOD indeed.

  15. A month or so ago there was a set of photos from this facility.

    Being the computer nerd that I am, the one that stood out was the shot of the workstation in the control room, and a dialog box containing a red icon and a message that some piece of software was not registered.

    Politics aside, it scares the shit out of me that someone might be running a nuclear reactor without registering the software. It’s one thing to pirate a copy of Photoshop to create an awesome Dragon Ball Z background for their Android. It’s another thing altogether running a controlled nuclear explosion with unregistered software.

    1. “I can’t wait for the “I’m a Mac/I’m a PC” ad based around this!”

      The appropriate response being to hand Mac a paper mache mockup of the bomb from pre-OSX Mac OSes.

  16. “Siemens own WinCC software is widely used with a default admin password, by design. Stuxnet leverages that as well. The security holes here are non-trivial and not easy to patch against.”

    So nobody ever changes the default admin password, and you consider that a “non-trivial [to exploit]” and “not easy to patch against” security hole? Um, how about changing the admin password to something else, and just taping the new password to all of the workstations? Then just don’t let anyone near the equipment until they’ve memorized the new password (wait to do the switchover until you’ve got two shifts who’ve memorized the password) and you have patched that whole hole, without losing the quick response times you might need in an emergency.

    Colossal stupidity here. Any software designer who worked at Siemens and has an axe to grind could do this. You don’t have to invoke the great Satan to explain it.

  17. On the other hand, I’d not put it past the Mossad to have done this, either. Israel has plenty of technically capable people.

    Interestingly, the return code from the conditional subroutine to the event handler routine is “DEADF007”, which, to /me/, is 13375p33|< for either 'deadfool' or 'deadfoot'. One of these --to me-- sounds like Israel's attitude toward Iran, and one like a US operation codename. Which is which I'll leave as an exercise.

    Post-Post-Script: "Bomb-Bomb-Bomb, BombBombIran, /Bomb-Bomb-Bomb, BOMBOMIrAAaaaAAAAn, oh Bomb IrAAAaaaAAAn, you got me rocking and a rollin', Palin and McCainin' buh-bIran..."*

    *This is not to be construed by the irony-challenged as support of or advocacy for Palin, McCain, the GOP, or any position of bombing Iran.

    1. That is, leetspeak for “deadfoot” or “deadfool”, and hell, they both sound like counteroperations codenames. (Comment was cut short because a less-than-sign is parsed by the comments intake routine as an opening of an HTML tag, despite a lack of valid HTML tag.)

    2. While wearing my tin foil hat this evening, I received the following communications from David Bowie, who is in space:

      – The Stuxnet code is designed to target the gas centrifuges at Natanz.

      The centrifuges are a set of identically configured systems, a monoculture for a virus to spread through.

      – DEADF007 : means dead man’s foot, as in dead man’s handle.
      The virus disables a failsafe mechanism.

      – The operating capacity at Natanz measured independently by the UN fell 20% over the course of last year from May to November, despite the installed base of centrifuges nearly doubling.

      – The head of Iran’s nuclear programme stepped down without explanation last summer

      – Stuxnet is coded to check the date and to not attempt to propagate after Jan 2010.

      The interesting possibility is that the first attack actually happened May – July 2009, and it’s only now that Symantec / Langner have figured out what took place and published?

  18. In conclusion, I think we should all take a moment, and be thankful that this has turned out the way it has — “Technical difficulties” — rather than the entirely-possible start-of-all-out-war-in-the-Middle-East-from-an-assassination-of-Archduke-Ferdinand-criticality-incident-being-blamed-on-the-US-or-Israel.

  19. OK, reading through the comments on Bruce Schneier’s article about this, I have found my favorite theory for the plan behind Stuxnet:

    You know what? I find all this wild ass speculation fun. If I come up with a really good theory, can I become a security consultant, too?

    OK, how’s this? A super super super super secret criminal organization, similar to the fictional(?) SPECTRE, KAOS, COBRA, or The Erisian Movement (real), has kidnapped our best computer scientists who happened to be vacationing all at the same time at various exotic and tropical locales? The reason? To force them to create THE WORLD’S FIRST MILITARIZED SOFTWARE!!!™ aka Stuxnet. Once they have the Stuxnet worm in place where it can do massive damage to the world’s sewer and waste processing plants, they will call the world’s leaders and demand ONE MILLION DOLLARS!!! or the shit literally hits the fan. So, it’s just extortion being carried out on an unprecedented level, that’s all. Put that in your fnord and smoke it.

  20. What a coincidence!! Iran is under attack by a “Stuxnet worm” and the country is being run by a little worm. Small world, ain’t it?

  21. I’m glad you were able to show a picture of the Stuxnet worm. Too bad you don’t have one of the virus, oh, you do. I see it now… Two for the price of one!

  22. My vote is this worm was written by a disgruntled employee who had to deal with Siemens controllers at his work. This was his little goodbye gift. He knew exactly the environment his little worm was going to live in. Windows version and patch state, Siemens software state, hardware used, etc. Probably left it on a few USB sticks at work. No thought on it getting out or damage to other companies.

    Not as sexy as a big conspiracy, but the typical dumb ass stuff that happens every day.

  23. It’s true that the Stuxnet worm itself has a limited and narrow target–but even a partial reverse-engineering of it provides the basis for a useful attack vector for any spammer, scammer, phisher, or extortionware creator out there. There’s big danger in blended attacks, using elements from everything that’s gone before, because there’s so much money in it. The Russian, Chinese, and Romanian criminal rings are looking at Stuxnet VERY closely, I’m sure–if anything will signal the death knell of Windows, the bell is as close to ringing as it ever has been.

  24. Windows is the de facto OS for most industries. It has a low whole-life-cycle cost mostly due to the fact that every man and his dog knows how to use it and there are plenty of very knowledgeable technicians out there.

    If you strip out the bells and whistles from windows (what good is AERO if all you do is spreadsheets and type letters) to make it as lean and stable as possible it actually runs for a long time without incident.

    In the SCADA world the reliability of the communications is a lot less than that of the bits of hardware and software at the remote ends.

    If you want real security, run the whole set up on a completely independent network and never, never, never allow any uncontrolled/untested software for any OS onto it.

    Of course this does not fit well with today’s “I must be totally in control” and “it must be remotely audit-able” philosophy.

    On the question of licensing, I know of one product that is free to use for design but can only be run for 15 min at a time to talk to remote devices. You pay a license for a number of I/O points, so seeing a “this is not licensed” warning might just mean that it is a development environment and not an operational environment.

  25. Despite the fact there’s meant to be an embargo on nuclear technology for Iran, Siemens (a German company) is quite happy to provide them with logic controllers and centrifuges.

  26. Ok, I never thought I would be writing in a blog or similar but I heard so much nonsense that I need to reply.

    First, there is someone that says that the code doesn’t infect the PLC. Well man, if it bloody writes a function in OB35 that is not supposed to be there I would call it an infection! Ok, it is not a fancy program that reproduces and infects other PLCs but it just screws your PLC functionality.

    Second, there are some people around claiming that Windoze should not be used. Well, here is some news for you: Windows is WIDELY used in very very big SCADA projects around the world. There are many reasons for this. Just to give you an example, until very recently OPC communication provided by many industrial equipment was only available in Windows. Besides, a Windows production system has nothing to do with the Windows running in your room where you actively install crap, autoupdates, download loads of dirty stuff and so on. These are centrally and carefully controlled machines, ey! running very stably.

    Now, here is some news for nerds: security in a big experiment, facility, project is just ensured at the level of the entry point. You just basically disconnect from the rest of the world. So far, viruses don’t fly over the air. If there is an insider walking in and delivering the virus, then oh yes, no matter what OS you use, he can also take a hammer and hit your server or pee on your PLC. I assume you understand that even more subtle operations are possible.

Comments are closed.