Pragmatic 17: Stuxnet

24 March, 2014


John tackles the Stuxnet virus intended to disrupt Uranium Enrichment in 2010 in Iran and in the process explores what SCADA is, how to purify Uranium and of course, the anatomy of the Stuxnet worm.

Transcript available
Welcome to Pragmatic. Pragmatic is a weekly discussion show contemplating the practical application of technology. Exploring the real-world trade-offs, we look at how great ideas are transformed into products and services that can change our lives. Nothing is as simple as it seems. This episode is sponsored by Typeform. We'll talk a little bit more about them later on. I'm Ben Alexander and my co-host is John Chidjie. How you doing, John? Doing very good. How you doing, Ben? Not bad. Awesome. Well, I just wanted to start the show out as I usually do. I've had some more reviews on iTunes. A few other people have recommended the podcast. We also got a mention on another podcast, which is very nice. It was from CGP Grey, which was very, very nice. I appreciate that. And as always, I'm also getting thanks and comments back and feedback about the show on Twitter, and so on. So, just again, to reiterate, we do read them all, the ones we can find, and thank you so much for that. But after a two-hour episode last week, I wanted to be a little bit more brief this time. However, the interesting thing is that this is also a listener request just like last episode, which was about pCell. This one is going to be about a virus. And not the common cold though. And something that I've had either regrettably or not lots of experience with, which is SCADA. So today we're going to talk about Stuxnet. And this hasn't really been, I suppose, a hot topic for a while, but it came back through the feedback form in the survey that a few people had asked me to talk about it. So you know what? Let's do it. So I'm going to start talking about SCADA. SCADA, first of all, stands for Supervisory Control and Data Acquisition. Essentially, it is software that runs on a PC, typically, although you can get Mac and Linux versions of SCADA. They're less common but they do exist. 
It started out with control systems and I suppose I would refer people, listeners, to episode 3 "Turn the Damn Light Off" for more information about the PLC components of this, the controller component and so on. But there was a point where everything was integrated, where SCADA was what was referred to as the entire control system. And that sort of splintered off in the 60s as computers and there was mini computers and so on and eventually when we got to personal computers everything became separated so that the SCADA became the Human Machine Interface, HMI, and the PLCs, RTUs and so on were their own independent devices that didn't require a SCADA front end to function, and SCADA was simply considered to be a window into the brain of the PLC and the RTU. So, it was essentially a graphical representation of the data. So, there is a good history of, there's a link in the show notes, history of SCADA from a gentleman from the electricity industry in the US, and I found that to be quite fascinating. It was in many respects similar to my experiences, although mine didn't go back quite that far, and it's worth a read if you're interested in some of that history. I didn't want to do a history lesson on SCADA really for this episode. I wanted to focus more on Stuxnet specifically. In any case, the point is these days SCADA is the HMI software that lives on the PC generally, and what it's used for is data acquisition, oddly as the name suggests, trending and alarming. But it doesn't actually do direct control. Technically it doesn't control. It requires an operator. It's the interface for the operator. So traditionally where you would have a push button on a panel and you would or you would turn a handle and open and close a valve, that's all made to be motorized and you could push a button on a panel or you bring that back into the SCADA such that you click on a button and it becomes a valve open, valve close or if it's a position control valve, valve go to 26%. 
So you would type in 26%, hit enter in the SCADA system in the right spot and it would move that valve, the control system, the PLC or RTU would then move that valve into the required position. It would also provide things like logging. So you know you click on a button it says oh okay operator blah blah blah or whatever their name is. When you type in a number whatever it is it will you could log what the previous value was, what the new value is, the time, the date and the person that logged it and of course if you've got multiple SCADA systems around the place they're all the same but you might have one SCADA computer close to one end of the factory, one at the other end, you could also log the location that it was changed. So all of that stuff, all that good operator interface stuff, that's stored in SCADA. The other things like I mentioned, trending value. So for example, let's say you've got a process value like flow, flow of whatever, or temperature whatever, or pH, or you know think of a process value that you might be monitoring, the PLC will read that data in and tell you, okay it's 17.6 degrees Fahrenheit or Celsius or whatever, or the flow rate is 120 litres per second or you know feet per minute or whatever the heck it is. The point is that that value would come into the SCADA, the SCADA would take a sample and then you could say take it, I want 10 samples every minute or I want one sample every second and I want to keep a history for up to five years. So we would then store all this information and you could recall that by clicking on the actual number in the SCADA. It would bring up a nice pretty trend that would show you a nice little graph of what that value was based on all the samples that the SCADA system has accumulated. It also provides an interface for alarms. So you know something goes wrong, you know you've got a production line and you know someone hits an emergency stop. 
Well it would indicate in the SCADA and there'd probably be lights flashing and buzzers going off and hopefully no one's injured, but the point is that that would be indicated in the SCADA and logged as an alarm. So at this time and at this date, this emergency stop button was pushed and it'll show the status of the system. So you'll get an alarm from that and it'll show the system status. So broadly speaking, the purpose of SCADA, the way I'd like to think of it is it is a window into the mind of the PLC and the RTUs. Okay, they don't actually have minds, you know what I mean? It's a little controller with a bunch of memory bits in it, so it presents the information for the user. Now SCADA software has been produced by a multitude of different vendors and some of the most popular SCADA systems in the world you may have heard of, some you may have never heard of. In fact, there's probably plenty of people listening to this that have never heard of SCADA or don't know what SCADA is. So maybe some of these names will not make sense. But some of the most popular SCADA packages in the world, one from Rockwell Automation is called RSView. Another one is from Siemens and is called WinCC. There is one from Schneider called Vijeo, one from a company that I've done a lot of work with in the past that was acquired by Schneider and their software, SCADA software, is called Citect, which I have mentioned previously on the show. So I spent a lot of hours in Citect. And there's another one called Wonderware, iFix, Cimplicity, Experion. These are all different names for SCADA software. And of course, the software is not compatible. You design something in Citect. There's no "export to WinCC form" button or vice versa. It's all proprietary and different and so on. So SCADA software is really built in two components or layers I guess. You've got the graphical layer that you actually function in and then there's the driver layer. 
So the driver layer of the software has the drivers that actually communicate with the PLCs and those drivers will be specific for certain PLCs. So if you have a Siemens PLC and it's an S7-200 or an S7-300 series or if you have a Schneider Modicon Premium PLC or a Quantum PLC, each of those may have a common driver for the brand or they may have individual drivers depending upon the series of PLC. So you might have a different driver for a Quantum versus the driver you would need for a Premium PLC from Schneider or again, you know, RSLogix 500 to a ControlLogix 5000 series. No matter how you slice it, the drivers themselves are the link between the SCADA and the PLCs. And without drivers that work, the SCADA is essentially useless. One of the things that they decided in industry years ago was to come up with an open process connection standard. And they called it OPC, which actually stands for OLE for Process Control. And OLE is object link embedding, I think from memory. And anyway, the point of OPC is that if I made a PLC or an RTU, I could release with it software that would be an OPC driver. And that would then mean that it would be possible for any application that spoke, that supported OPC to talk to my PLC without any further drivers. And that sort of worked okay, but there were other issues with OPC. Generally speaking, you want to match up the SCADA system with the kind of PLC underneath it. So in other words, if I buy a Siemens PLC, I'm probably going to have WinCC as the front-end SCADA. And all of this is, of course, I'm not even talking about DCSs here. DCSs are another beast altogether, where the hardware is more like it was back in the 60s prior to the PCs sort of taking off and, sorry, individual computers taking off and so on. So just forgetting DCSs for the moment, because with regards to Stuxnet, it was specifically targeting SCADA and PLCs. That is my crash course on what SCADA is and the pieces that go to making it go together. 
Maybe someday I'll go into that in a bit more depth but for today that's all I really want to talk about. So now in order to understand a bit more about Stuxnet and what it did and why it did what it did, we need to talk a little bit about uranium. Now we did actually cover a little bit of this about thorium when we were talking about thorium back in one of the follow-up episodes for the battery problem. So crash course in some nuclear physics real quickly and the reason I've got to cover this is, well, basically because Stuxnet was all about sabotaging a nuclear facility or a nuclear enrichment facility, hence why I need to talk about this. Okay, so back to high school physics. All atoms consist of protons and neutrons. The atomic number is the proton count and for uranium that's 92. The neutrons keep the protons from flying apart and they'll form semi-stable or hopefully more stable structures in the nucleus. And the numbers go up at a non-linear rate the more protons you add. So the more protons you add you have to add proportionally more neutrons in order for it to become stable. So all elements have got multiple, you know, more or less stable configurations of protons and neutrons and each configuration they call an isotope and that isotope will have a total count of neutrons and protons. So whenever you see an element you'll see, yeah, uranium 92, 238 for example and what that means is that that's isotope 238. So there's 238 protons plus neutrons, but there's only 92 protons, hence, you know, it's uranium and you know how many neutrons it's got in that configuration for that isotope. The thing is, not all isotopes are created equal, so you'll have isotopes that are, in fact, unstable or will essentially decay, will go through radioactive decay through emitting a whole bunch of different particles, alpha, beta, blah, blah, blah, gamma. 
But the point is that when you find these elements out in the real world, they will have a certain blend to them. So you'll have, let's say you've got six isotopes for whatever, you know, element that we're talking about, and because of the decay rates of the different isotopes, you will tend to find on average that there will be a certain proportion of the different isotopes included in your sample. So this leads to the idea of an atomic mass or an atomic mass unit or they call it AMU obviously for short and the atomic mass unit takes those proportions into account. So if you look at a periodic table you'll see uranium and it'll say uranium 92 and then it'll say 238.02891 and that's the AMU, that's the atomic mass unit, and what that does is factor in all the different isotopes that naturally occurring uranium has, and it should be a pretty damn good indicator, 238.02891. The 0.2, that's the giveaway that almost all uranium's most stable isotope is uranium-238. With me so far, I'm hoping? Yeah, it's coming back to me. Coming back, all right, all right. So to make fissile nuclear material we need uranium-235. I mean there are other fissile forms but it is the most fissile and its percentage is 0.72 percent. So if you take any sample of naturally occurring uranium you'll only find 0.72 percent of it is uranium-235. So we've got to separate that out from uranium-238. We have to get to a concentration of somewhere between three to five percent of uranium-235 in our sample in order to be used for a nuclear reactor fuel rod. Interestingly, if you want more kick, you need to get between 80 and 95 percent to reach what they call so-called weapons grade material. I actually do remember this stuff now. I read a gigantic book about the Manhattan Project and the incredible amount of work they had to do to do what you're talking about. Oh yeah. That was the hard part. That was the hard part. The science was all there. 
it was actually producing it that was insane. Yeah, absolutely. And what we're going to talk about with regards to Stuxnet has everything to do with that. So, the way that they came up, a way of doing it, and the predominant way of doing it, is to take the uranium that you've got and convert it into a gas. And the specific gas that they converted into is uranium hexafluoride, which is UF6. In its gaseous state it's easy to separate because as a metal it's very very hard to separate it as a metal, as a solid, as a liquid. Once you get to a gas though that's not so much of a problem. So what they do is they use a centrifuge. So you basically put something in a centrifuge and it spins around in a circle real fast and the idea is that just like gravity will eventually if you've got particles in solution and you leave them on the table, eventually if there's some of them are going to precipitate out, they will eventually precipitate to the bottom, well, based on the density, because gravity will tend to pull them towards the bottom. Whereas if you were to put such a mixture in a centrifuge, it will, you know, it'll, through centrifugal force, will provide multiple times the force of gravity and it's also the way they do training for aircraft, sorry, astronauts, so they can experience the extra G's of take-off. So anyway, the idea of using a centrifuge to essentially spin the heavier elements, heavier gases to the outside of these things and the slightly lighter, ever so slightly lighter, Uranium-235 stays somewhere in the center of the centrifuge. So using this sort of an idea, the rotation, these are like tall cylinders right, and there's a good link in the show notes about this as well, the idea is that the inside of the cylinder is a very high speed rotor. 
So the rotor will spin around and spin the gas up to an incredibly high speed and when that happens the lighter gases will essentially come towards the center and then by using heating and cooling, by specifically heating the center of it, then the lighter gases will race to the top where they are siphoned up when they go into the next stage. So that whereas the slightly depleted stream sort of like goes back down to a lower stage, if that makes any sense. It's hard for me to describe it with words but that's the gist of how it works. But in order for the centrifuges to actually function efficiently they need to spin at incredibly high speeds, up to 60,000 rpm. So these things are very precisely machined and because uranium hexafluoride is quite corrosive they need to be made out of corrosion resistant materials. So these things are expensive and they spin at very high rates. Now if you want to just have a think about one of the other things we've covered previously, we talked about flywheels on the follow-up episode to the battery problem, episode 2D, follow-up episode 2D. So if you want to refer back to that, if you haven't listened to that, then I encourage you to listen to that. We talk there about some of the challenges of spinning flywheels at high speeds. So similar issues here. So what you end up with is you've got high speed, low friction bearings, and the other problem that you've got is that any one individual centrifuge really will not enrich a large proportion of the uranium. So what you've got to do is you've got to have dozens or even hundreds of these things cascaded together in order to achieve the required amount of enrichment. So this is a very expensive process, it's time consuming and you know these things are not cheap. So in order to make sure that the rotors and the bearings are not damaged because they are expensive, you want to make sure you accelerate them in a controlled fashion. 
You don't just flick a switch and go from standstill up to 60,000 rpm in the space of half a second. That kind of crazy stuff, that would be bad because that will end up damaging the rotor and/or its bearings or possibly even the housing because all of that torsional force of that acceleration is a problem. So what you want to do is you want to ramp that up and you want to maintain that speed pretty constantly and pretty accurately. And there are ways to do that. So, before we dive into exactly what Stuxnet did, because we're now at the point where we can start talking about it, maybe you could tell us a little bit about Typeform. Forms are a key component of asking questions online, but up until now they've meant a lot of work to design, configure, and administer. And after all that, the results have usually been unflattering. There are form builders out there that take care of some of the problems and make it easier to get something basic up, but creating something great with them is still hard. We need a tool that's easy to use, feature-rich, and something that looks and works great on any device. This is where Typeform comes in. Typeforms are beautifully designed and have cross-platform compatibility baked in. They're tailored to look and work differently on desktops, on smartphones, and on tablets. Design is about how it works, and Typeforms are built to really work, regardless of the device. The platform itself is a joy to use, both as a customer creating a Typeform and a user interacting with one. The UI is sexy, clean, and fast, and designing even complex series of questions is made simple through their dashboard. The experience is focused on asking and answering one question at a time, so it doesn't feel overwhelming and nobody gets lost. It's like a real conversation. Typeform champions good user experience and design. This helps you create a space in which users will be more willing to answer and more likely to give honest answers. 
From customer feedback and surveys, contest and landing pages, event organization, in the classroom, Typeform lets your imagination fly. People are using Typeforms in a variety of ways. To make interactive stories, holiday cards, team presentations, avatar creation, the list goes on and on. Typeform is the only online form builder that lets you get unlimited responses for free. As many questions as you want, as many answers as you get, Typeform doesn't limit your interaction. It just lets you ask awesomely. For a limited time, Typeform is offering a three-month free trial of their new Typeform Pro service. Check out what you can build by visiting If you like what you see and sign up, be sure to use the coupon code FIATLUX to get your free three months. Thank you to Typeform for sponsoring the show and for making it easier for people to get to know each other better. It's awesome. Thanks for that, Ben. Okay, so now we'll get into what Stuxnet actually did. So first of all, Stuxnet's original target was believed to be the Natanz, I think I'm pronouncing that correctly, plant, and that's in Iran. Again, there's a link in the show notes. And that was a nuclear enrichment facility. Stuxnet technically is a worm, first identified by a security company called VirusBlokAda, and that was in mid-June of 2010. And there's a journalist by the name of Brian Krebs, on the 15th of July, 2010, so that's about a month later, whose blog post was the first widely read report on this particular virus. The original name that was given to it by VirusBlokAda was Rootkit.Tmphider. Then Symantec called it, well, W32, for Win32, W32.Temphid, and then later they gave it its synonymous name, W32.Stuxnet. Now Stuxnet, as viruses go, there are cases where viruses will go out of their way to steal any old keystrokes they can find and report them all back in the hope that sometimes maybe they'll get something, they'll strike it lucky, right? 
There are the ones that intentionally wait and then wipe your hard drive and start over. There's other ones more recently that ransom you to get access to your damn computer. They say, "Oh, well, I've locked your computer with an encryption key. You pay me money and I'll unlock it for you." That kind of BS. Anyway, the point is that they are in essence using exploits, computer exploits, but what they're doing is it's a sledgehammer approach. So by the end of September, 2010, there are over 100,000 known infected hosts. That doesn't mean, of course, that there are 100,000 SCADA systems driving nuclear enrichment facilities. It just means that they are infected, but they could have been dormant. It was first seen in July of 2009. So that's just to give you a little bit of a timeline and that'll become relevant later. So essentially the virus had three components: an injection and replication method at the Windows operating system level. Then the second level was a modification to the WinCC Step 7 DLLs, and that opened the gateway to the PLCs. And then finally, the third final layer was a modification to the Profibus communications function layer in the PLC itself. So on the Windows level, the first thing it did was it checked to see what the operating system was. Now the operating systems that it actually worked for, we had Windows 2000, Windows XP, Windows 2003, Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2. All right, so the bottom line with all the OSs, that's quite a long list. So the next thing it does is once it figures out it's actually on an operating system that the hack will work on, it checks to see if the currently logged in user has admin rights. And if it doesn't, it runs one or another zero day escalation of privilege exploits. And which one it runs, it runs based on the operating system that it's installed on. So there's two different escalation exploits, privilege escalation exploits, depending upon what it's on. 
So the most common one, Windows XP, Windows 2000, that particular one was MS10-073. Now that particular vulnerability was not patched until the 12th of October, 2010. So I refer you back to it was first noticed as in the wild in July of 2009. It was reported on in about July of 2010, the following year, and it was not patched until October of that year. So once it's got elevated privileges, it then injects itself into WinCC and Step 7 DLLs. So it's more or less at this point, we're gonna talk about WinCC and Step 7. And I realize I haven't really gone into that yet, but bottom line, WinCC is Siemens' SCADA system. And I think it stands for Windows Control Center, I think, from memory. Now, WinCC is a SCADA system just like any other, and it has a graphical front end, it's got drivers, it's designed to work with the Siemens PLCs or any, it's OPC compliant. So if you have an OPC driver, you can use Bob's PLC from around the corner. But irrespective of that, it does not program the PLCs. It's not capable of programming the PLCs. If it's installed on its own, it can extract data and write data to and from the PLCs, but it cannot modify the PLC code itself. It can only modify memory addresses. Now that's actually very important because the second piece of software I mentioned is something called Step 7. Now for whatever reason Siemens call their software for modifying their PLCs, they call it Step. Back when I started out, I started out on Step 5 and Step 5 was purely DOS based and Step 5 was for, well, they called them the S5 PLCs, hence the name Step 5. So S5 PLCs were big old sort of light beige colored big blonk like chunky things. And when they released the S7 PLCs, that was in the early to mid 90s, they gradually started to wind back their efforts on the S5 and Step 5 faded into the background. And that's when they introduced Step 7. 
So Step 7 was purely Windows based and it's sometimes referred to as "SIMATIC Manager" and it allows you to do a lot of things. You can, through Step 7, you can program... there's a bunch of add-ons that actually allow you to extend this, but basically you can program all of their PLCs. Technically you need MicroWIN to program an S7-200, but suffice it to say you must install Step 7 in order to modify the code on the PLC. So let's say you want to edit a block because it's not performing correctly, well, that's what you need. It is your development environment, for want of a better description. So it is the equivalent of Xcode for Siemens PLCs. It is not SCADA. It can display data in tabular format and it can show you live data showing what the logic is doing up to a point. It has a lot of limitations but never mind that. And it can give you that but it will not give you a beautiful pretty front end like a SCADA will. It will not trend data for you like SCADA will. It will not provide alarming like SCADA will. So it is not SCADA. It is purely a development environment for programming the PLCs. So what does Stuxnet do? Well, the funny thing is that it actually seeks out, once it's gotten to this point, it scans the computer and says, do you have WinCC installed? Tick, yes, great. Do you have Step 7 installed as well? And if you do, tick, you're on. It goes to the next stage. If you don't, it gives up right there. So what it's trying to do straight away is it's not trying to just infect any old damn computer. It finds itself, it gives, ooh, elevated privileges, zero-day exploit, no problem. At that point, it does nothing. If you don't have WinCC and Step 7 installed, it just gives up. It's got nothing else to sell you, end of story. It'll try and infect other computers, but that's it. What it then does, if you have that installed, is it will specifically, it will replace s7otbxdx.dll, which essentially is the intermediary communicating between the PLC and Step 7. 
So it does a lot of the data conversion so that the data is written down to the PLC and read back from it, and it essentially does the conversion and a bunch of other bits and bobs. So by replacing that, it injects a middleman. The modified DLL allows the injection of malicious code, but just as importantly as that, it masks the return path. So if you look into the PLC from that compromised version of Step 7, you will not see that injected malicious code. It'll show up as though it's not there. So not only does it allow the Stuxnet to inject code, it also masks its presence. So that if you open up Step 7, it all looks hunky-dory, it looks fine. You won't even know it's there. So the only way to know if your PLC was infected at that point, before there was a cleaning tool that was released, the only way you could do that was to have an uninfected Step 7, most likely on a standalone laptop, plugged directly on Profibus into the PLC's memory, and then do a code dump from the PLC and have a look for anything malicious. In other words, not straightforward, could be done, but, you know, and we'll talk a little bit about the wisdom of putting Step 7 on a SCADA computer at the end. So that's where Stuxnet is up to at the moment. So now we've hacked out a path into the PLC now, so we can now inject malicious code into the PLC. So what did it put in the PLC? I hear you all ask. Well, specifically it modified the running set points of speeds of variable speed drives in specific PLCs only. So real quick, variable speed drives, if you don't know what a VSD is, a variable speed drive uses a matrix of IGBTs, insulated gate bipolar FETs, turning current on and off, pulse width modulation to give you whatever frequency you want, you filter the output and you get a nice, well I'd say a nice pretty clean sine wave, but it's not really that clean, it's cleanish. 
And the idea is that you can change the frequency from zero up to, you know, however many hundred or thousand Hertz, because the variable speed drive will then of course go, let's say it's going to an induction motor, and then a particular motor will then spin at whatever speed is set by the frequency of the power of that waveform. So variable speed drives are very very handy, very cool, and variable speed drives have been around now for getting close to 40 years. Although they were dear as poison back in the early days, these days they've become cheap as chips, to the point at which VSDs are essentially what makes the Prius run, what makes all of Tesla's cars, the Roadster to the Model S and eventually hopefully the Model X someday if it ever gets made, all of those have variable speed drives driving their motors. If you're on an electric train, they all have variable speed drives. So VSDs are an integral part of turning electrical voltage/current into mechanical motion these days. So that's what variable speed drives are and in this particular case the variable speed drives were connected to the rotors on the centrifuges. So the variable speed drives did the acceleration control and the speed control of the actual rotors as they were spinning. Okay, so how on earth did it know to specifically modify set points and so on? And I guess we've got a little bit more before it makes any sense. So Stuxnet specifically only attacked PLC systems with VSDs from two vendors. A company called Vacon based in Finland. I think it's pronounced Vacon. Maybe it's Vacon. I'm sure. The other one, Fararo Paya, which is based in Iran itself. Now that straight out of the blocks is just plain weird because if you are writing something that was, you know, meant to disturb systems generically, like you are trying to stop something generically in multiple plants of different kinds around the world, why would you restrict yourself to two VSDs? 
Wouldn't be that hard to extend it to more than just two. A little bit of research, a couple of extra subroutines, no problem. Could have done it. Because every variable speed drive stores the set points in different locations. So they have two routines in Stuxnet that actually target each of those different VSDs, but only those two. So that leads to the "it's very specific" and why it's specific we'll get to the conspiracy theories in a minute. So each of the drives as I said has subtly different addressing and the attack timing sequences are also subtly different. There's probably a good reason for why the timing sequences were different. I just don't have the complete control system design so I can't answer exactly why they were different but it might be something to do with the VACON drives, maybe they were connected up through a different kind of gearbox or maybe they had a different number of poles on them, I don't know. All I know is that there were differences and I'm going to assume that there are logical differences because the rest of the detail would suggest that whoever was writing Stuxnet had a complete set of blueprints for the control system because it's just way way too specific. Variable speed drives get a speed set point. They tell you know you tell this thing what speed you want to run it. I want to run it 50 hertz, 100 hertz, 200 hertz, 2000 hertz, whatever the hell the number is doesn't matter. You tell these drives traditionally using an analog signal which is 4 to 20 milliamps which is you know what sometimes referred to as a current loop. Now current loops have problems because you know they are they can be affected by noise although admittedly that hasn't been a problem so much since they went to current loops. Previously they were voltage loops and voltage loops were highly susceptible to noise problems. So since they went away from 0 to 10 and 0 to 5 volts, they went to 4 to 20 milliamps, then you know things got better. 
But it's better still if you can do it digitally, and hence that's why a lot of them are going to control via Profibus. Of course, I say Profibus, which is short for Process Fieldbus. That's the Siemens standard and it's been around for a long time. The oldest one is Modbus, and we actually did talk about this as well on the communications episode of Turn the Damn Light Off, episode 3, so refer to that if you want to know more about it. But in any case, Profibus is fully digital, which means if I send 50 hertz, the drive will get 50 hertz. There'll be no plus or minus 5%, 2%, 1% based on the inaccuracies in a current loop. So that precision makes it attractive. It's not just that; one wire can carry hundreds and hundreds of parameters. So I could dynamically change the acceleration, the ramp rate for ramping up, ramping down, braking coefficient, all sorts of details I could modify over Profibus if I really wanted to. The mapping of the data on the Profibus is going to be different for each drive, and obviously they're tailored for two separate drives, but in any case, that's what they did specifically because it was clearly for a specific target. Now the only variants of PLC that were implemented were the S7 315-2. Now at the time that they wrote Stuxnet there were two models available of the 315-2. There was the 315-2DP, which is 2DP, distributed periphery, aka PROFIBUS, and the other one was a 315-2PNDP, and PN stands for PROFINET. In other words, industrial ethernet, or at least the Siemens version of industrial ethernet, which they call PROFINET. So the idea is a PNDP CPU will have one PROFINET and one PROFIBUS interface. Now it doesn't really matter which of those two models it is, and I've programmed plenty of that exact model PLC. The other variant that they programmed it for, but it was an incomplete implementation, was for an S7, it was a 417 I believe, 417-3 maybe. I didn't actually bother writing that one down because it was incomplete.
So, you know, the one that they completed in depth was the S7-315-2. That was what the exploit ran on, specifically and only. So, in other words, if Stuxnet found that you had a computer with an operating system that it could compromise, it would elevate its privileges and then it would say, "Do you have WinCC and STEP 7?" "Yes, you do." "Great, next step." If at that point it then read the system data block and said, "Oh, you're on S7-315-2, 2DP or PNDP," it'd say, "Not interested," and it would stop right there. Again, very specific. And there's no reason that I can think of why, I mean, because functionally speaking, a 315-2 PNDP is very little different from a 317 or a 318-2 or 3 PNDP, because those models have simply got more memory and more ports. You know, they can handle more I/O. They're essentially the same bloody PLC. Again, very specific. And one more thing that's even more specific is that Stuxnet was using specifically the communications blocks for the CP342-5 module. CP stands for communication processor. I know a lot of this off by heart because I've been dealing with it for so damn long, but the point is a CP342-5 is an independent communication processor that you can add on to your PLC to give you an additional Profibus port. So let's say you use up all the data, or all of the devices, on the one that's built into the CPU? Well, you add another CP card and you get a whole new card. You can have a whole new Profibus network. So why on earth, if you've got... because I mean I can count the number of times I've used the 342-5 on one hand, you know, because honestly, you've got two DP ports on a 2DP, hence the number 2DP, or on the 2PNDP you've got one Profibus and one Profinet. Usually, on most systems, that's plenty. You only need to add another Profibus module if you've got lots and lots of devices hanging off of it and you overload one, or you don't want to overload one, you want to spread the load.
So again, that's kind of very specific. When you think about it, if you remember how I said with the centrifuges that you needed dozens, if not hundreds, of these things, think about how you would design that. So the limit on a Profibus network is 32 devices per segment, and if everything was on a variable speed drive, and generally VSDs will have a reasonable amount of data going back and forth, with the large number of centrifuges that you've got it would make sense. If I was designing it, that's what I would do: I would split them up. I'd say, okay, well, you 30, you're on this card, I'll add another card, you can do the next 30 on this card, and do the next 30, because it wouldn't be very computationally expensive. It would simply be, I've got a lot of devices I need to address. So how exactly does it do its magic? If you can call it magic. How it hacks the PLC is really not that difficult. When you're using a CP card, then the native send/receive functionality that's built into SIMATIC Manager is not available on certain levels of Profibus data transactions, and I don't want to get into the details, but essentially you will tend to use DP receive and DP send. Okay, a real quick lesson on Siemens PLCs. Siemens PLCs have essentially four kinds of blocks. You have organization blocks, OBs, and the organization blocks' job is to execute repeated code, for want of a better way of describing it. FCs, for functions, and functions are essentially, you put a bunch of inputs into the function, it spits a bunch of outputs out of the function. You don't have to have inputs and outputs; you can simply call it and it'll execute a series of instructions and then it'll jump out and that's it, like a subroutine. It's not really that different at all to any old function that you would write in C or Objective-C. Function blocks, however, are subtly different from functions because they can have an attached data block, which is the fourth kind.
A data block is really just a table of data. You're reserving space in the memory and saying, "I want this, this, this, this, this is an integer, this is a boolean, this is a double word, whatever, whatever," and you give it a symbol and a name and you hit save. There you go. Now I've got a data block. Yay. Function blocks are directly associated with that. A data block is directly associated with a function block. So you can't create a function block without a matching data block. But what it means is that you can actually call a function block and have dozens of different data blocks that drive the functionality. And that is one of the methods by which, in a Siemens PLC, you will have one function block that controls a valve and yet you have 100 different valves, and they're all defined by their own individual data block. This is valve 1, this is valve 2, this is valve 3 and so on. Hence giving them a personality. You can have standalone data blocks as well. But anyway, those are the basic types of blocks. So it injects itself into OB1 and OB35. OB1, every time I say that, I just, OB1, Kenobi? Seriously, it's called OB1. Anyhow, OB1 is referred to in Siemens parlance as the cyclic task. So in other words, it kicks itself off at the end of itself, if that makes sense. You start the block, when you hit run on the PLC, it will start executing at that point. It'll run through the instructions in OB1. When it hits the end, it'll circle back to the beginning and start again. So it is the cyclic ongoing process, the cyclic task. OB35 is a time-triggered task of higher priority than OB1. And there's a whole bunch of them. On the S7, on the 305-2, you only get OB35. But if you go to the more expensive PLCs, you'll get more OBs. You go to the S7-400s, you'll get OB35, 36, 37, 38, 39. So you can actually have multiples, and that's important when they do integration to the DCS that they have, which is PCS7. Again, sidetrack, long story.
Point is, you can set that to trigger after, I don't know, one second, 10 seconds, 500 milliseconds. So whatever OB1 is doing, whatever code it's executing, as soon as you hit that one second, let's say it's set to a second, OB35 will say, "Whoop, you shut up, I'm gonna do my thing." Then it executes the code in OB35, dumps out the end of it, and then goes to sleep until the next minute comes around, and then OB1 carries on with what it's doing. So the whole point is that you've got your main cyclic task and you've got a periodic executable task. It injects code into there that calls its special functions. So the next thing that it does is it moves the DP receive function from wherever it is in the code to function FC1869. Now, I don't know why 1869, but I guess they figured it's a long way from all the function blocks. If you start numbering your functions from one, like you normally do, it's pretty unlikely you're gonna have a PLC that's got 1,869 functions in it. I mean, I certainly haven't written PLC code on an S7-300 that had that many in it. 400s, yes, but not a 300, oh no, no. So I think they just shoved it out there 'cause it was in the far right, and they figured, no, it's not likely to be anything there. Technically, if there was something there, it would probably overwrite it and you may have a dysfunctional PLC on your hands. But I think that's just an even bet. You know, am I gonna have something there? Probably not. Anyway, when you install the DP send and receive functions, they normally go into FC1 and FC2. You drag them in from the library, they automatically go to FC1, FC2. Of course, you can rename them to whatever number you'd like, but irrespective of what number it is, it shifts that copy out to FC1869 and it inserts its own copy. And of course its own copy is extra special. What it does then is those function blocks control the Profibus messaging to anything on the Profibus.
So whenever it's called on a CP342-5 card, which is in this case, we believe, talking to a variable speed drive, it can now intercept. So once it can do that, it now owns every link in the chain. So now it can take over from the WinCC, from the SCADA level, all the way down through the STEP 7 level, through the driver down to the PLC and then directly onto the Profibus. At that point Stuxnet's installation is essentially complete and it now has control. So the next thing that it does, which is again super specific, is it monitors the frequency of any of the attached variable speed drives in the system, but it only adjusts those that are spinning at a rate between 807 Hz and 1210 Hz. Now I've been doing this sort of thing for a while, and admittedly I have not actually had anything to do with nuclear plants and nuclear fuel enrichment plants, but those numbers sound so terribly specific to me. So there's a reason that they are so damn specific. I've run percentages on them, I've tried to figure out, based on the number of poles you would expect on the motors, what you would expect the rotational rates to be. The truth is, I couldn't find a pattern. If anyone knows what the pattern is, please share. But I don't know. There's probably some specific reason that I just don't have the design details for, so I couldn't answer it. Anyway, once it's done that, and once it figures out, oh, look, I have some motors in the system. Yes, they're on this card. Yes, I'm in a second, they're Profibus. And now they're spinning between 807 hertz and 1210 hertz. At that point in time, all the criteria are met. Then it will periodically modify the frequency up to 1410 Hz, in other words going over speed, right down to 2 Hz, which is practically stopped, and then a point roughly in the middle somewhere, 1064 Hz. So in other words it messes with the frequency of the motor spinning the rotors, and it does so in a very direct fashion.
It also installs a bunch of data blocks that the WinCC, the PC part of the virus, looks at, and that's data block 890, and that's monitored from the SCADA side, and if you have multiple PLCs it'll scan the bus and it'll say, okay, all you PLCs, I've got a flag set in DB890, I want you all to go off at the same time. So what it does is it actually synchronizes all the PLCs that are connected to do the same thing to all the motors at exactly the same time on the control system that's connected to that SCADA system. So if you had one SCADA system controlling all five PLCs, all of their motors would do exactly the same thing at exactly the same time, so it's synchronized. The timing, though, is actually quite elaborate, because there's a pseudo random time interval, and you look at the way it does it, it counts Profibus frames, and it's just really bizarre. But what it adds up to is between 13 days and three months apart, there will be an attack that runs for between 15 minutes and 50 minutes. So not quite an hour, a quarter of an hour to just over three quarters of an hour. If I was an engineer running those plants, I would have been ripping my hair out, because you'd be sitting there, all hunky-dory, and suddenly your drives would be spinning at all sorts of crazy speeds and you'd be like, what the hell is going on? You open up STEP 7 to try and diagnose it and everything looks fine. Because of course it's masking all the hacked code, you can't see it. I'd be beating my head against the desk. And then by the time you've done beating your head against the desk, you'd look up and everything was back to normal again. You'd think, did I dream that or did that actually happen? Then you'd look back on your trends and you'd say, no, it did actually happen, oh crap. That's what Stuxnet does. And if you wanna know more detail, there's a lot more detail than that. Symantec have put together an amazing dossier on this that goes through every little intricate detail.
There's a lot more to how the virus spreads over the local network and everything, and how it does some of the other intricacies within the PLC code, if you're into that side of it. But I just covered what I consider to be the main points. But truth be told, those are the key points. That's the basic gist of how it works. And I call that a basic gist. Okay, well, you know. Okay, so what is the point of all this? The point of all this is that doing that to the rotors will, based on my understanding, cause damage. Their intention was to either hamper the performance, like severely impact the performance, or to damage the rotors such that the centrifuges were damaged in the process and would no longer operate either at maximum efficiency or at all. And by doing the whole pseudo random attack thing, it allowed it to spread. They weren't in a super hurry if they could have it, worst case, three months apart, and it was definitely designed to be very stealthy. In the end, all of those requirements, when they did their investigation, came up for that enrichment facility in Iran. Of course, it went beyond that. It spread to other places as well. And sometimes when these attacks occurred, they were seeded. So people that were involved in those plants, they had, through espionage, they actually hacked in and inserted the code on these people's flash drives and laptops in attempts to get it into the building and into the system, and in some cases it happened, in other cases it didn't, and once it was inside the system then it spread through the system. So it was not just, it wasn't just, let's write the code and let it go into the wild; no, they had to actually plant it and get in there, and the reason that they had to do that is because these control systems are typically running on standalone networks. So, and this is the false sense of security that I've seen.
Now, my own involvement with SCADA systems is that there is a belief, or there has been a belief, perhaps somewhat now, thanks to Stuxnet, less of a belief, but there certainly was a belief in the previous decade or so that because my system is standalone, I don't have to worry about viruses or malware. And everyone said SCADA is far too specific for anyone to be bothered hacking. I mean, who would hack it, right? WinCC may have 20,000 to 50,000 installs around the world, maybe. That's it, probably. I don't know the numbers, but I'm going to assume it's not huge. How many copies of Microsoft Word are there out there? So if I'm going to spend my time hacking, and I'm going to get bank account details and so on and so forth, financial gain or just pissing people off, I wouldn't target the 50,000 copies, I'd target the million copies. And that was sort of the prevailing thought, but Stuxnet was not interested in that. It wasn't interested in money, it wasn't interested in extortion, it was interested in causing damage. Of course, whether or not it did cause damage, I don't know, and maybe I'll never know, but that was clearly the intent and it was very specific. So they went to whoever built it, and it was suspected that it was the US government plus the Israeli government, although that's never been proven exactly. Strong suspicions, but that doesn't mean proof. So we don't know exactly, specifically, who wrote it. No one stuck their hand up and said, "Hey, it was me," which happens with some viruses. So what can we conclude from this? If standalone didn't save them, the time delay at the operating system level for the patch to come out to patch that zero-day vulnerability that gave them elevated privileges, that was terrible. It was known about long before, but it was just never patched. So honestly, that's another thing that creeps into that mentality.
You know, "Oh, well, we're an isolated network and, you know, because we're isolated, we're not connected to the internet, we don't have to worry about patches and updates and so on and so forth." Or at least we might do them every six months or every 12 months. Whereas if you're running an IT department, all your computers are connected together and there's a portal to the internet, you are going to be, as an IT guy, you're going to be running those updates as often as you can, because you're like, "I'm exposed. I'm potentially exposed. Someone comes in with a virus, it's going to spread through the whole damn building before I can say, 'Oh my, it's already spread through the building.'" So, you know, that sort of vigilance is prevalent in those systems, whereas I've gone to sites where there've been SCADA systems and, "Okay, fine, not a nuclear power plant. Okay, fine, and not a nuclear enrichment facility." But I've been to plenty of sites of all sorts of different backgrounds, from mining to pharmaceutical to hospitals, for God's sake, where they haven't updated their virus definitions, that's even if they have a virus scanner, or they haven't run an update for months, if not a year or more. And they don't do it because it's hard, because everyone gets used to the whole idea of, "Oh, well, I'll just go to Windows Update." Well, you can't do that. You're an isolated system. You don't give it a portal to the internet. That's the whole bloody point of not having a portal to the internet. So what you do is you make sure you download all of the updates from the Microsoft website to a drive, well, a flash drive I suppose these days, that has been heavily virus scanned, and you go and you apply those updates essentially offline, as it were, and that's how you would do it.
But of course that takes more time, it's more effort, and everyone likes to have a big cry about it. It's like, "I don't really have time to update this scanner." Well, you know what, you probably should, because had someone actually at Microsoft actually, oh, hang on, the other thing I didn't mention is, after the 12th of October, the attacks went on for a year and a bit later because people hadn't updated their damn systems. I mean, what's wrong with people, right? But that's what's wrong with people: they think they're safe because it's an isolated system. But here's another really good lesson to take away from this: why the hell was STEP 7 installed on a computer that was running WinCC? Like the SCADA and the programming environment, why was it on the same damn computer? I mean, I already know the answer. It makes it easier for them as a developer to have it all on the one machine, because you tweak a bit of SCADA, you tweak a bit of PLC code, you get to see the result on the one machine. But there's no separation of church and state, right? Right. Yeah. So, it's like developing locally and pushing to the server. Yes. Yeah. Exactly. See, to do it properly, you would have a separate development machine that had no SCADA on it, and then you would have a separate machine that had the SCADA on it. That was your runtime machine. That's what you would do ordinarily. You keep them separate. And that diagnostic machine was only ever used for loading code to and from the PLCs, and it's never connected to a network. And that's what you should do. If you've got an engineering workstation in PCS7, you don't get a choice, you get it all installed. That's a DCS. But generally speaking, if it's not a DCS, it's extra for that programming code. So once you do your development, you pack up your laptop and go home, right? The integrators will pack up and they'll go home. You don't leave... STEP 7, SIMATIC Manager, costs $5,000 a license. It's not cheap.
So, I'm not going to leave STEP 7 on a client's computer when I go, just because it's easier. It's the sort of thing that clients say, "Oh, well, we'd like to modify our own code." And I'd look at them with a raised eyebrow, "You really want to modify your own code? Best of luck." But, you know, not to say that it's hard necessarily, but anyone can do it if they apply themselves. It's more the fact of, are they going to warrant their own work? Because I tell you what, leaving the keys to the car for the equivalent of someone who's at the bottom of the learning curve, never driven a car before, is kind of dangerous. And the number of times I had callouts to a site where they had insisted that we install STEP 7 on their machine so that they could do minor tweaks as necessary; you go in there, you look at the time and date stamps and they say, "Oh, we never touched it," and you point at the time and date stamp, you point at when you last left and your last backup, you do a code comparison, you're like, "Someone changed this line of code here from this to this and that to that. I haven't been here. Has another integrator been here? Uh, no. And you never did it? Um, no." And I'm like, "Yeah, sure." Anyway, so I think it's sloppy to have STEP 7 on the same damn machine as WinCC. I think you should have a separate diagnostic laptop and leave it at that. So I think that's sloppy, because if that hadn't happened, Stuxnet never would have worked. Okay, the last way in, of course, apart from, you know, making sure you apply the regular patches and so on, is a lockdown of USB ports, and there's all sorts of software that can let you do that, like BitLocker-style software, right? Where you insert a flash drive into the machine and it will format it and encrypt it.
And once it's formatted and encrypted, it can then only go to another machine running the software with that same crypto on it, and have virus scan the living crap out of it before you then put it back into the machine. And there's usually a reverse process as well, so when you insert on the protected system you can go and do that, and you have to do that for some patches and updates. But really what you'll find is that the SCADA system might save reports in Excel format or something, a comma separated format, and the operators will just get a flash drive from out of their pocket that they use at home, and they've got photos of the kitties on it, or the puppy or whatever, anyway, they'll put this in from wherever, and it'll have God knows what on it, and they're plugging it into a damn SCADA computer. Why? Oh, they just want the CSV file, it's $4.59, they've got to do some work on it tonight, copy, paste, done, oops, I just got a damn virus on my SCADA machine and the plant is down tomorrow. So, you know, when I was doing this sort of thing as an integrator we always recommended things like that. So isolate your network, apply the updates regularly, like do it, check once a week, once every two weeks, just not once a year, please, God, more than that, more regularly than that. Don't install your PLC programming environment on the same machine as your SCADA, keep them separate. Honestly, if any of those things that I listed had been followed, Stuxnet would have failed. Instead it didn't, and it succeeded. It's crazy, isn't it? That these places that have got so much at stake make such simple mistakes. So, you freaking out yet? Well, I guess I would be if it... Well, yeah, right? But maybe I'm not surprised. Well, I mean, human nature is human nature, and that's the problem. And people just make these assumptions. You don't have to worry about security because, insert stupid reason here, but the truth is that there's more than one way to get a virus on a machine.
And you can have the best firewalls in the world, you can have the best email scanners in the world, and viruses can still get in. I love the approach of many email systems now, rather than the whole search and detect thing, and maybe viruses on their own is a separate topic, but rather than look for any virus in a Word macro, it'll just say, "Word document came in, delete." Won't even let you open it. It's like, "Oh, it worked. We've got one of these filters." PDF, no problem, there's no macros in a PDF. You want to send me a Word document, boom, out of luck. Even if you zip it, it'll unzip it, detect it's a Word document and, boom, gone. So, that's the heavy-handed approach, but you know what, it stops that attack vector, right? - Right. - Anyway, I don't have too much more to say about Stuxnet, so hopefully that's shed some light on it. There's some good links in the show notes if you want to read up on it. And I think a lot of places are taking it, SCADA security, a lot more seriously as a direct result of Stuxnet. So maybe on the whole it was a good thing for the world in general, and maybe it's going to indirectly make the world a more secure place in terms of control systems. Let's hope so, but that's it. - If you want to talk more about this, you can find John on Twitter @JohnChijji. It's the same on You should check out John's site, Like to send an email, you can send it to [email protected]. I'm Ben Alexander, and you can reach me on Twitter at @fiatluxfm. You can follow @PragmaticShow on Twitter or @Pragmatic on to see show announcements and other related materials. I wanna say another thank you to our sponsor, Typeform, for sponsoring this episode. Make sure you guys check 'em out. Thanks for listening, everyone. Thanks, John. - Thanks, Ben. Thanks everybody.
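The episode describes two things a defender could actually look for: drives that normally sit in the 807 to 1210 Hz band being commanded to 1410 Hz, 2 Hz and 1064 Hz in lockstep across PLCs (via the DB890 flag), and block numbers such as FC1869 and DB890 that do not belong in an ordinary S7-300 project. The following is an added example, not code from the show or from Siemens; the historian export format, drive names and block list are constructed for illustration.

```python
"""Added example (not from the episode): flag Stuxnet-style behaviour from two
defender-side artefacts that an integrator already has, a historian trend export
of VSD frequency set points and a list of the blocks present in a STEP 7 project.
Only the numbers come from the episode; the CSV layout and names are constructed."""
from collections import defaultdict

NORMAL_BAND = (807.0, 1210.0)          # operating band the worm looked for (episode)
ATTACK_FREQS = (1410.0, 2.0, 1064.0)   # set points it drove the rotors to (episode)
SUSPECT_BLOCKS = {"FC1869", "DB890"}   # block numbers it used (episode)

# Constructed historian export: timestamp, PLC, drive, commanded frequency in Hz.
# Two PLCs under one SCADA, both drives normally around 1000 Hz, then three
# synchronized excursions fifteen minutes apart, then back to normal.
SAMPLE_TREND = """\
2010-06-01T10:00:00,PLC1,VSD01,1007.0
2010-06-01T10:00:00,PLC2,VSD17,1010.0
2010-06-01T10:00:01,PLC1,VSD01,1008.0
2010-06-01T10:00:01,PLC2,VSD17,1009.0
2010-06-01T10:15:00,PLC1,VSD01,1410.0
2010-06-01T10:15:00,PLC2,VSD17,1410.0
2010-06-01T10:30:00,PLC1,VSD01,2.0
2010-06-01T10:30:00,PLC2,VSD17,2.0
2010-06-01T10:45:00,PLC1,VSD01,1064.0
2010-06-01T10:45:00,PLC2,VSD17,1064.0
2010-06-01T11:00:00,PLC1,VSD01,1006.0
2010-06-01T11:00:00,PLC2,VSD17,1008.0
"""


def parse_trend(text):
    """Parse the constructed CSV into (timestamp, plc, drive, hz) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, plc, drive, hz = line.split(",")
        rows.append((ts, plc, drive, float(hz)))
    return rows


def excursions(rows, tolerance=1.0):
    """Rows where a drive that normally runs inside NORMAL_BAND is commanded to
    one of ATTACK_FREQS.  The baseline is the drive's first sample: if that sits
    in band, the drive is one the worm would have targeted.  Note 1064 Hz is
    itself inside the band, so that step is only caught by the exact value."""
    in_band = {}
    for ts, plc, drive, hz in rows:
        key = (plc, drive)
        if key not in in_band:
            in_band[key] = NORMAL_BAND[0] <= hz <= NORMAL_BAND[1]
    hits = []
    for ts, plc, drive, hz in rows:
        if in_band.get((plc, drive)) and any(
            abs(hz - target) <= tolerance for target in ATTACK_FREQS
        ):
            hits.append((ts, plc, drive, hz))
    return hits


def synchronized_excursions(rows, tolerance=1.0):
    """Timestamps at which excursions hit drives on more than one PLC in the same
    second.  A legitimate operator or a single faulty drive does not do that;
    the DB890 flag described in the episode does."""
    plcs_at = defaultdict(set)
    for ts, plc, _drive, _hz in excursions(rows, tolerance):
        plcs_at[ts].add(plc)
    return {ts: sorted(plcs) for ts, plcs in plcs_at.items() if len(plcs) > 1}


def suspicious_blocks(block_names):
    """Return the block numbers from the episode that appear in a project's
    block list.  An S7-300 project numbered from FC1 upwards has no business
    containing FC1869, and DB890 is the worm's synchronization flag."""
    return sorted(set(block_names) & SUSPECT_BLOCKS)


if __name__ == "__main__":
    rows = parse_trend(SAMPLE_TREND)
    for ts, plcs in sorted(synchronized_excursions(rows).items()):
        print(f"{ts}: synchronized set point excursion on {', '.join(plcs)}")
    # Constructed block inventory for a project with the worm's blocks present.
    print("suspect blocks:", suspicious_blocks(
        ["OB1", "OB35", "FC1", "FC2", "FC1869", "DB890"]))
```

Real trend data will have noise and legitimate ramps, so the value match here is deliberately narrow; the synchronization check across PLCs is the stronger signal.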
Duration 1 hour, 5 minutes and 31 seconds
Episode Sponsor:
Typeform: Typeform makes it easy to build and share beautifully designed online forms, combining human creativity with the power of modern, cross-device web technology to create new ways of asking questions online. Visit and use the Coupon Code fiatlux to upgrade to the PRO plan and get three months free.



Ben Alexander

Ben created and runs and Fiat Lux

John Chidgey

John is an Electrical, Instrumentation and Control Systems Engineer, software developer, podcaster, vocal actor and runs TechDistortion and the Engineered Network. John is a Chartered Professional Engineer in both Electrical Engineering and Information, Telecommunications and Electronics Engineering (ITEE) and a semi-regular conference speaker.

John has produced and appeared on many podcasts including Pragmatic and Causality and is available for hire for Vocal Acting or advertising. He has experience and interest in HMI Design, Alarm Management, Cyber-security and Root Cause Analysis.

Described as the David Attenborough of disasters, and a Dreamy Narrator with Great Pipes by the Podfather Adam Curry.

You can find him on the Fediverse and on Twitter.