PDA

View Full Version : VFD: Worm Vulnerability



EddyCurr
02-20-2011, 09:27 PM
It does not appear to have discussed before, so here is a bit of background
on Stuxnet, a worm of uncertain origin that apparently was targeted at
Variable Frequency Drives.


Worm Was Perfect for Sabotaging Centrifuges (http://www.nytimes.com/2010/11/19/world/middleeast/19stuxnet.html)
By WILLIAM J. BROAD and DAVID E. SANGER
Bloomberg 2010.11.18

Experts dissecting the computer worm suspected of being aimed at Iranís
nuclear program have determined that it was precisely calibrated in a way
that could send nuclear centrifuges wildly out of control.

Computer analysts say Stuxnet does its damage by making quick changes
in the rotational speed of motors, shifting them rapidly up and down.

... a study released Friday by Mr. Chien, Nicolas Falliere and Liam O. Murchu
at Symantec, concluded that the programís real target was to take over
frequency converters, a type of power supply that changes its output
frequency to control the speed of a motor.

The wormís code was found to attack converters made by two companies,
Fararo Paya in Iran and Vacon in Finland. A separate study conducted by
the Department of Homeland Security confirmed that finding, a senior
government official said in an interview on Thursday.

Then, on Wednesday, Mr. Albright and a colleague, Andrea Stricker, released
a report saying that when the worm ramped up the frequency of the
electrical current supplying the centrifuges, they would spin faster and
faster. The worm eventually makes the current hit 1,410 Hertz, or cycles
per second ó just enough, they reported, to send the centrifuges flying
apart.

In a spooky flourish, Mr. Albright said in the interview, the worm ends the
attack with a command to restore the current to the perfect operating
frequency for the centrifuges ó which, by that time, would presumably be
destroyed.


Stuxnet virus: worm 'could be aimed at high-profile Iranian targetsí (http://www.telegraph.co.uk/technology/news/8021102/Stuxnet-virus-worm-could-be-aimed-at-high-profile-Iranian-targets.html#)
By Claudine Beaumont
The Telegraph 2010.09.23

The Stuxnet worm first came to light in June, and has been monitored by
security and cyber terrorism experts ever since. It is transferred between
machines by USB memory stick, which means that even computers that are
not connected to the internet for security reasons are still susceptible to it.

It searches for software, made by computer giant Siemens, that is often
used to control systems in industrial facilities such as power plants. It can
then be used to reprogram a computerís commands, and issue it with a new
set of instructions.

.

J Tiers
02-20-2011, 09:44 PM
Nothing to do with VFDs directly....

The malware actually targeted a particular Siemens PLC, searching for a particular program type used for centrifuges.

The PLD would then issue commands to the VFDs

Tony Ennis
02-20-2011, 09:48 PM
Stuxnet is amazing.

EddyCurr
02-20-2011, 10:25 PM
Stuxnet is amazing.


The short path from cyber missiles to dirty digital bombs (http://www.langner.com/en/2010/12/26/the-short-path-from-cyber-missiles-to-dirty-digital-bombs/)
By Ralph Langner
Langner Communications 2010.12.26

More and more details of the Stuxnet malware and its purpose become
clear. Stuxnet appears to be the first real cyber warfare attack in history,
with “real” meaning that the virus caused physical destruction of heavily
fortified military targets, some of them buried 75 feet underground.

According to David Sanger from the New York Times, an Israeli military
official had estimated that an air strike against the Iranian nuclear program
would cause a delay of two or three years. So it looks like Stuxnet achieved
pretty much what an air strike would have achieved, only at much less cost,
without known fatalities, and without a full-blown war in the Middle East.

However, there is at least one reason why we shouldn’t embrace cyber
warfare. Unlike bombs, missiles, and guns, cyber weapons can be copied.
The proliferation of cyber weapons cannot be controlled. Stuxnet-inspired
weapons and weapon technology will soon be in the hands of rogue nation
states, terrorists, organized crime, and legions of leisure hackers, some of
whom are just waiting for a better thrill than World of Warcraft.

One aspect that has often been ignored in discussions about critical
infrastructure protection is that in industrialized nations, targets for
Stuxnet-inspired attacks extend deep into the private sector.

... we have to face the fact that the pure existence of the Stuxnet code
in the Internet, ready for download and dissemination by anyone, creates a
national security threat for highly industrialized nations, most notably for the
United States and Germany. The economy and public life of these nations is
highly dependent on undisturbed operation of the exact controller types that
are attacked by Stuxnet. An ICS-CERT advisory on Stuxnet from August 2,
2010 states: “These products are widely used in many critical infrastructure
sectors.”
.

RB211
02-20-2011, 10:36 PM
How or why would the computer system controlling the nuke plant even be connected to the internet in the first place?

macona
02-20-2011, 10:45 PM
They werent, the virus was brought in via sneakernet on USB drives. This is not the first time a virus has been made to attack specific hardware, nor will it be the last.

EddyCurr
02-20-2011, 10:45 PM
How or why would the computer system controlling the nuke plant
even be connected to the internet in the first place?2nd last paragraph in post #1 addresses this.

Something as simple as software updates perhaps get infected on a
connected PC and then are conveyed to the unconnected controller.

.

EddyCurr
02-20-2011, 10:49 PM
Windows systems at risk from Stuxnet attack (http://www.zdnet.com/news/windows-systems-at-risk-from-stuxnet-attack/446162)
By Tom Espiner
ZDNet UK 2010.07.19

One of the attack vectors Stuxnet uses is via USB stick. The malware
requires no user interaction to infect the system. The operating system
merely rendering an icon launches the malware.
.

J Tiers
02-20-2011, 11:19 PM
How or why would the computer system controlling the nuke plant even be connected to the internet in the first place?

And it was not a nuke plant anyway.....

it was an enrichment plant, with a large number of centrifuges used in the separation of reactor/bomb-grade isotopes from the others.

So the damage was to equipment for enriching fissionable material, and not to any sort of "nuke plant" as the term is generally understood

EddyCurr
02-20-2011, 11:42 PM
Because that is what the worm's developers apparently targeted very
specifically.

.

Paul Alciatore
02-21-2011, 02:50 AM
What do you mean "not a nuke plant"? The only reason for that level of enrichment is to make nuclear weapons. This is the single, most difficult part of making a nuclear weapon. So such a facility IS making nuclear weapons, by definition. It is, in fact, a "nuke plant" and can only be a "nuke plant" as it has no other function.

Once you have the fissionable material, you could assemble the bombs in a garage or tent.

Paul A.




And it was not a nuke plant anyway.....

it was an enrichment plant, with a large number of centrifuges used in the separation of reactor/bomb-grade isotopes from the others.

So the damage was to equipment for enriching fissionable material, and not to any sort of "nuke plant" as the term is generally understood

The Artful Bodger
02-21-2011, 02:54 AM
What do you mean "not a nuke plant"? The only reason for that level of enrichment is to make nuclear weapons.

What level of enrichment are we talking about and how do we know they are processing to that level?

JoeLee
02-21-2011, 08:16 AM
Wouldn't someone notice that a large chnck of memory is being used on the USB drive and wonder what it is. I find it hard to believe that it could be hidden on a flash drive with out notice.

JL.......................

J Tiers
02-21-2011, 08:31 AM
What do you mean "not a nuke plant"? The only reason for that level of enrichment is to make nuclear weapons. This is the single, most difficult part of making a nuclear weapon. So such a facility IS making nuclear weapons, by definition. It is, in fact, a "nuke plant" and can only be a "nuke plant" as it has no other function.

Once you have the fissionable material, you could assemble the bombs in a garage or tent.

Paul A.

You may have noticed that I said "as the term is generally understood".......

Obviously the usual meaning of a "nuke plant" is a nuclear power plant. A place where fissionable material is maintained in a "critical" state, i.e. a state of net power output / self-sustaining reaction.

This plant, while obviously handling fissionable material, is not designed to do that.

it therefore belongs to the category of "installations supporting nuke plants", it is a 'fuel processing plant". This "as the term is generally understood".

Otherwise a uranium mine is potentially a "nuke plant"........ under your very general , broad-brush definition.

lazlo
02-21-2011, 09:11 AM
Nothing to do with VFDs directly....

The malware actually targeted a particular Siemens PLC, searching for a particular program type used for centrifuges.

Stuxnet is actually a Windows Trojan. It was designed to attack Siemens SIMATIC WinCC SCADA process control software, which manages Siemens PLC's, but it does so by infecting any Windows PC.

http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/scada/Pages/Default.aspx

It initially propagates via USB thumb drives -- they (the US or Israel) corrupted the autoplay shortcut (.lnk file) so that it silently infects the PC as soon as you insert the thumb drive, even if you have autoplay disabled.

It then uses the network and/or the printer spooler to spread itself to all connected PC's, then same way that Conficker did.

Microsoft has a blog about it here:

http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx

Trend Micro has a good web page and pictorial:

http://threatinfo.trendmicro.com/vinfo/web_attacks/WA_images/WA_Worm-Exploit.jpg

It was detected and cleaned pretty quickly by all the mainstream virus checking software, so I'm morbidly curious if whatever intelligence agency was responsible negotiated with the virus checking firms to keep it off the scan list for awhile...

Rosco-P
08-28-2016, 02:06 PM
Anyone catch Cyberwar on Viceland cable channel? The Stuxnet virus was the story of this particular episodes.

https://www.viceland.com/en_us/video/stuxnet-the-digital-weapon/5786b9d0914084e32a41b548

Lee Cordochorea
08-29-2016, 01:21 AM
Wouldn't someone notice that a large chnck of memory is being used on the USB drive and wonder what it is. I find it hard to believe that it could be hidden on a flash drive with out notice.

JL.......................


It's not like they have a sight-glass, you know. Got to plug them in to take a look-see, and it's too late by then.

RHayes
08-29-2016, 09:03 AM
Norton for Nuke plants?

dave_r
08-29-2016, 01:19 PM
It's not like they have a sight-glass, you know. Got to plug them in to take a look-see, and it's too late by then.

yeah, and a virus scanner wouldn't have caught it because it was a new, unidentified computer virus and the payload of the virus could be spread across a number of files or even in the unused part of the flash drive (riskier, as it would be overwritten if someone copied new files to the flash drive).

Mark Rand
08-29-2016, 03:00 PM
The significant thing about it was that it was an act of war. As such, reprisals are quite acceptable.

ikdor
08-29-2016, 04:35 PM
The significant thing about it was that it was an act of war. As such, reprisals are quite acceptable.
The problem with these things is there's no way to proof it was made by a certain country. Bombing another country just on a suspicion is a dangerous habit.

Paul Alciatore
08-29-2016, 05:46 PM
Those centrifuges may not have been connected to the internet, but I can tell you from first hand experience that computer geeks love to use ALL the latest technology, including using web connections for control and connection of their systems. They will use an internet connection when a single wire that is only a foot or two long would work perfectly.

And nothing that you say or do will convince them that there is any danger to a system that THEY set up. At lease, not until it actually happens. And then they will assure you that they have fixed it and it will NEVER happen again. If you believe that, I have some land in Florida for sale.




How or why would the computer system controlling the nuke plant even be connected to the internet in the first place?

Paul Alciatore
08-29-2016, 05:50 PM
Ahhhhhhhhhhhag!!!!

Caught again by an old post. These things need to have fog horns and flashing lights attached.

Rosco-P
08-29-2016, 06:32 PM
Ahhhhhhhhhhhag!!!!

Caught again by an old post. These things need to have fog horns and flashing lights attached.

May be an old thread, but not old news. http://arstechnica.com/tech-policy/2016/02/massive-us-planned-cyberattack-against-iran-went-well-beyond-stuxnet/