Stuxnet - I was wrong

Back in July when Stuxnet first became public, I wrote in our Siemens PCS7 WinCC Malware White Paper and told anyone that would listen that Stuxnet was targeted at stealing intellectual property from process systems. The code we analyzed showed Stuxnet performing SQL database accesses and uploading process information to servers in Denmark and Malaysia, so this seemed like a sure answer.

Plus I had been dealing with a client that just had a major IP theft issue in their operations (resulting in some large scale counterfeiting), so I knew this sort of thing was happening. And heck, the theft of process information for commercial espionage has been around long before networks and cyber-security showed up - check out the article "The Pizza Plot" for an example of how Schwan's used production information from a Kraft plant in Sussex, WI to reshape the store-bought pizza market. It wasn't cyber driven, but it sure could have been...

Unfortunately I guessed wrong with Stuxnet.

This week Ralph Langner posted new information on his website that indicates Stuxnet is a targeted attack against a specific site (possibly the Bushehr Nuclear Site in Iran, but that is a guess and I am staying out of the guessing business for a while).

What Ralph found was that Stuxnet looks for its victim by checking for the existence of a very specific string in data block 890 in the Siemens PLC. If it doesn’t find it, Stuxnet quits. If it does, Stuxnet does a few more tests and then injects Step7 code into the PLC in a block that is called every 100 ms. Ralph’s interpretation is that Stuxnet is changing the PLC logic so that the code that controls a very fast running process will no longer be executed. And then something blows up...

So it appears that Stuxnet was designed to destroy something – a very specific target that used Siemens control systems.

The days of saying “no one would or could attack a control system” are over. Someone has started a cyber war and we all have to take it seriously. If we don’t, our jobs, our companies, our critical systems and perhaps our lives could become collateral damage.

Even though I have been in the security business for over a decade, Stuxnet has changed my view of the SCADA security world. Let me know if and how Stuxnet is changing how your company views the security of its processes too.

For another perspective on the target process for Stuxnet, see the Digital Bond post "Stuxnet Target Theory".