#byres #pollard #stuxnet #cybersecurity #safetysystems #controldesign #pauto #mfg Think about this one over lunch...

July 12, 2011

I'm reproducing here an email thread between Control Design's columnist Jeremy Pollard, Eric Byres of Byres Security and me. It is, shall we say, illuminating. And if this doesn't scare you into moving quickly to secure your plant networks and control systems, you just have not been paying attention, and, frankly, you'll deserve what you get when the hackers get around to your

Pollard:

http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html?utm_source=newsletter_weekly_2011-03-30&utm_campaign=newsletter_weekly&utm_medium=email

Haven’t listened, but Ralph and his boyz are the ones who disassembled the code????? FYI dudes...


Byres:

Thanks for this – I watched it earlier this week and it is pretty accurate. We came to the same conclusions here and discuss them in our How-Stuxnet-Spreads paper and our presentation – both are available at http://www.tofinosecurity.com/stuxnet-central if you want to see them.


Interestingly, there were two other groups that decoded the Siemens PLC components of the worm, besides Ralph: Siemens and Symantec. Symantec generously supplied us the full decodes along with their analysis. Siemens gave us some analysis that hasn’t been seen elsewhere and is interesting, but basically doesn’t change Ralph’s message much. And for Ralph, we got the same info as the rest of the world, which is off his website.

Unfortunately the three groups didn’t cooperate, but they did all independently come to the same general conclusions. And that is:

- this was a focused attack on Natanz;
- Sequence C was a general purpose reusable attack;
- this is a nice framework for future attacks.

The biggest disagreement is whether Sequence C was actually used at Natanz or if it was disabled and just waiting in the wings. Frankly, I think the designers of the worm did not actually use that sequence in Natanz, as Sequences A and B were good enough for their purposes.

I also agree with Ralph that Sequence C was designed for an S7-417F safety controller. It is very reusable…


Pollard:

Wow.. how did this get lost?? Oh, easily, I submit...

It’s the reusability that all should be worried about, and as Walt says, bang the drum louder, earplugs fly off the shelves…

So instead of pounding the table on that, we should be educating all about proper network connectivity, local threats, endpoint monitoring and security, etc.… then stuff from the outside can't get in..

But the cloud, I fear, will simply make the sandbox bigger.. and things like Android phones and tablets will allow all kinds of crap to be present on the network...


I think too that Stuxnet was a test.. kinda like that Nigerian guy flying from New York to LA on someone else's boarding pass, and had 10 fake ones in his bag… just a test… let's see what we can get away with…

Or maybe conspiracy theorists are just hard at work?