The tale of the virus infecting Iran’s nuclear program is one of the fascinating stories of the computer world.
Whoever wrote the Stuxnet worm did a spectacular job in bringing together a number of security problems and then using two weak links — unpatched Windows servers and poorly designed programmable logic controller software — to create a mighty mess in the target organisation.
The scary thing with a rootkit like Stuxnet is that once it has got into the system, you can never be sure whether you’ve properly got rid of it.
What’s worse, this program will be writing to the Programmable Logic Controllers the infected computers supervise so plant operators will never know exactly what changes might have carried out on the devices essential to a plant’s operations and safety.
Damaging Iranian nuclear plants
A report on the Make The World A Better Place websites over the weekend indicates the Stuxnet Worm may have damaged the Iranian nuclear reactor program.
The story behind the Suxnet worm is remarkable. It appears this little beast is a sophisticated act of sabotage involving using a number of weaknesses in computer systems as detailed by Computer World in their Stuxnet Worm hits Industrial Systems and is Stuxnet the best Malware Ever articles.
The risk of unpatched systems
One of the things that leaps out is how servers running unpatched systems are an important part of the infection process. The Stuxnet worm partly relies on a security hole that was patched by Microsoft two years ago so obviously the Iranian servers were running an unpatched, older version of Windows.
This is fairly common in the automation industries. I’ve personally seen outdated, unpatched Windows servers running CCTV, security, home automation and dispatch systems. They are in that state because the equipment vendors have supplied the equipment and then failed to maintain them.
These companies deserve real criticism for using off the shelf, commercial software to run mission critical systems that it was never designed to do.
Commercial programs like the various Windows, Mac and other mass market operating systems are designed for general use, they come with a whole range of service and features that industrial control systems don’t need. In fact, the Stuxnet worm uses one of those services, the printer spooler, to give itself control of the system.
Securing industrial systems
These industrial systems require far more basic and secure control programs, a cheap option would be a customised Linux version with all the unnecessary features stripped out. In the case of Siemens, the providers of the PLCs supplied to the Iranian government, it’s disappointing such a big organisation couldn’t build its own software to control these systems.
Business owners, and anyone who has computer controlled equipment in the premises, need to ask some hard questions to their suppliers about how secure supplied computer equipment is in this age of networked services and Internet worms.
Paul, you seem to assume that a Windows installation “with all the unnecessary features stripped out” would not be secure enough.
How can you be so sure about that?
I think this is more about how we manage and operate our critical systems, not about which OS we choose.
You’re right: There’s no reason you couldn’t run a cut down version of Windows. The real problem is most vendors don’t go to this trouble and just use a standard version of the OS.
Having a seen a number of control systems running antiquated and unpatched versions of Windows, I suspect a server running an insecure version was the channel used to get the Stuxnet worm onto the system.
True, true.. pretty standard security recommendations would largely have kept this thing contained. All those “standard” things that most don’t do very well, that is..