Reports on the Stuxnet malware have now attracted the world's media, with industrial control viruses even reported on the front page of the Financial Times in the U.K., supported by a full-page technical report under the heading "Computer worm triggers worldwide alarm." While perhaps a little late for such a headline, after two months of reports in the INSIDER, the BBC, Fox News and Bloomberg have the power to trigger such alarm.
The media speculation aired over the last two weeks is based on the belief that Stuxnet was a cyber weapon, developed by a nation state, suggested as the United States, or perhaps more likely, Israel. This weapon was specifically designed to target the Iranian nuclear industry and possibly specifically the uranium enrichment centrifuge plant at Natanz, by preventing a high level alarm shutdown control of some form. The Stuxnet background articles currently available are provided on www.iainsider.com for your own review, and include reports from Iran on the recent production problems at the Natanz centrifuge plant and the Bushehr nuclear reactor.
Some good news for process plants
While all the blocks of code in Stuxnet are still not understood, some of this speculation possibly contains some items of good news for most process control systems. First, it appears that there is no "back door," in other words a communication route from outside to control these embedded blocks from an external command. At least this has not been seen in the current version. Second, there is some form of "end date" built into the malware, after which it is not supposed to continue being infectious—but that does not stop the malware functioning if it has already infected the target PLC. The implication in this report was also that this "end date" might not have worked properly, and, indeed, if reports of a new large Chinese impact of the virus are correct, it is still active.
Third, and perhaps of most interest, is that the malware identifies certain shut-down code blocks in the infected PLC, which presumably are specific to the code blocks used in the uranium centrifuge control system (assuming this was the target, which seems likely). If these are not present, then it is reported the malware becomes inactive. Obviously this is not good news if your process involves the control of centrifuges, and these code blocks might also apply to several other forms of high-level shutdown trip. But once the code blocks are identified, plants not using these code blocks should not have a problem.
Further discussions continue
The subject was, however, the topic of some more down-to-earth technical presentations from Microsoft, Kaspersky Labs and Symantec in the Virus Bulletin 2010 conference in Vancouver, so further reports will be emerging shortly. One part of the puzzle has not yet been sorted: While the Stuxnet malware is acknowledged to target the Siemens PCS7, PLC and software systems, Siemens has made a definitive statement that it "is not involved in the nuclear program of Iran, neither directly nor indirectly"; whereas other sources are ready to assume that their equipment is involved. So either all the theories have got the target wrong, or the malware developers didn't have the right site process system information, or the site, with its Russian integrators, is using unofficially acquired Siemens products, or alternatively, unofficial copy-cat versions of Siemens products. The odds are that in terms of information about the inside of an Iranian nuclear plant, the intelligence sources available to the nation state that developed the virus are probably better informed than the Siemens sales and marketing database.