Pragmatic 17: Stuxnet

24 March, 2014


John tackles the Stuxnet virus intended to disrupt Uranium Enrichment in 2010 in Iran and in the process explores what SCADA is, how to purify Uranium and of course, the anatomy of the Stuxnet worm.

Transcript
Welcome to Pragmatic. Pragmatic is a weekly discussion show contemplating the practical application of technology, exploring the real-world trade-offs. We look at how great ideas are transformed into products and services that can change our lives. Nothing is as simple as it seems. This episode is sponsored by Typeform; a little bit more about them later on. I'm your host, John, and I'm joined by Ben Alexander. How are you doing, Ben? Very good. Hey Ben. Awesome.

Well, I just wanted to ask, as I usually do, for some more reviews on iTunes, as that's how people recommend the podcast. We also got mentioned on another podcast, which was very nice; there was one from CGP Grey, which was very, very nice and I appreciate that. And as always, thanks for the comments and feedback about the show on Twitter, App.net and so on. So just to reiterate, we do read them all, the ones we can find, and thank you so much for that. But after a two-hour episode last week I wanted to be a little bit more brief this time. However, the interesting thing is that this is also a listener request, just like last episode, which was about pCell. This one is going to be about a virus, and no, not the common cold; it's something that I've had, either regrettably or not, a lot of experience with, which is SCADA. So today we're going to talk about Stuxnet. This hasn't really been, I suppose, a hot topic for a while, but it came back through the feedback form in the survey that a few people had asked me to talk about, so you know what, let's do it.

So, honestly, first we must talk about SCADA. SCADA stands for supervisory control and data acquisition, and essentially it is software that runs on a PC, typically, although you can get Mac and Linux versions of SCADA; they're less common, but they do exist. It started out with control systems, and I suppose I would refer listeners to episode 3, 'Turn the Download Off', for more information about the PLC components of this, the control components. But there was a point where everything was integrated, where SCADA was what was referred to as the entire control system. It sort of splintered off in the 60s with minicomputers and so on, and eventually we got to personal computers and everything became separated, so that the SCADA became the human machine interface, the HMI, and the PLCs and RTUs and so on were their own independent devices that didn't require a SCADA front end to function. SCADA was simply considered to be a window into the brain of the PLC and the RTU, so it was essentially a graphical representation of the data. There is a good history of this, a link in the show notes, 'History of SCADA', from a gentleman from the electricity industry in the US, which I found to be quite fascinating. It was in many respects similar to my experiences; mine don't go back quite that far, but it's worth a read. I didn't want to do a history lesson on SCADA really for this episode; I want to focus more on Stuxnet specifically.

In any case, the point is that these days SCADA is the HMI software that lives on the PC generally, and it's used for data acquisition, as the name suggests, trending and alarming, but it doesn't actually do direct control. Technically it doesn't control; it requires an operator. It is the interface for the operator. Traditionally you would have a pushbutton on a panel, or you would turn a handle to open and close a valve. That was all made to be motorised, so you could push a button on a panel, or you bring that back into the SCADA such that you click on a button and it becomes valve open, valve close, or if it's a position control valve, valve go to 26%, so you type 26%, hit enter in the SCADA system in the right spot, and it would move that valve; the control system, the PLC, would then move that valve into the required position. It would also provide things like logging, so when you click on a button that says, okay, operator blah blah, whatever the name is, when you type in a number, whatever it is, you could log what the previous value was, what the new value is, the time, the date and the person that was logged on. And of course, if you've got multiple SCADA systems around the place, you might have one SCADA computer close to one end of the factory and one at the other end, so you can also log the location that it was changed from. All that stuff, all the good operator stuff, is stored in SCADA.

The other thing I mentioned is trending, so trending values. For example, let's say you've got a process value like flow, or temperature, whatever, level, pH, whatever you think of as the process value that you might be monitoring. The PLC will read that data in, and it's at 17.6°F or Celsius or whatever, or the flow rate is 120 L per second, or cubic feet per minute, or whatever. The point is that they would come into the SCADA, the SCADA will take a sample, and then you could say, okay, I want ten samples every minute, or I want one sample every second, and I will keep history for up to five years. So it would then store all this information, and you could recall that by clicking on the actual number, and the SCADA would bring up a nice pretty trend that will show you a nice little graph of what that value was, based on all the samples that the SCADA system has accumulated. It also provides an interface for alarms, so if something goes wrong on your production line and someone hits an emergency stop, well, it would indicate in the SCADA, and there'd be lights flashing and buzzers going off and hopefully no one is injured. But the point is that that would be indicated in the SCADA and logged as an alarm: at this time and at this date this emergency stop button was pushed. And it'll show the status of the system, so you'll get an alarm from it and also the system status. So broadly speaking, the purpose of SCADA, the way I'd like to think of it, is that it is a window into the mind of the PLC and the RTUs. Okay, they don't actually have minds; it's a simple controller with a bunch of memory bits in it, so it presents the information for the user.

Now SCADA software has been produced by a multitude of different vendors. Some of the most popular SCADA systems in the world you may have heard of, some you may have never heard of, and in fact there'll be plenty of people listening to this that have never heard of SCADA or don't know what SCADA is, so maybe these names will not make sense. But some of the most popular SCADA packages in the world are: one from Rockwell Automation called RSView; another one from Siemens called WinCC; there's one from Schneider called Vijeo; one from a company that I've done a lot of work with in the past, which was acquired by Schneider, and their software is called Citect, which I have mentioned previously on the show, so I've spent a lot of hours on Citect; and there's another one called Wonderware, and iFIX, Cimplicity, Experion. These are all different names for SCADA software, and the software is not compatible; if you design something in Citect there's no export to WinCC format or vice versa. It's all proprietary and different and so on.

So SCADA software is really built in two components, or layers, I guess. You've got the graphical layer, which is your actual functioning, and then there's the driver layer. The driver layer of the software has the drivers that actually communicate with the PLCs, and those drivers will be specific for certain PLCs. So if you have a Siemens PLC and it's an S7-200 or an S7-300 series, or if you have a Schneider Modicon Premium or a Quantum PLC, each of those may have a common driver for the brand, or they may have individual drivers depending upon the series of PLC. So you may need a different driver for a Quantum versus the driver you would need for a Premium PLC from Schneider, or again an RSLogix 500 versus a ControlLogix 5000 series. No matter how you slice it, the drivers themselves are the link between the SCADA and the PLCs, and without drivers that work, the SCADA is essentially useless. One of the things that they decided in industry years ago was to come up with an open process connection standard, and they call it OPC, which actually stands for OLE for Process Control, and OLE is Object Linking and Embedding, I think, from memory. Anyway, the point of OPC is that if I made a PLC or an RTU, I could release with it software that would be an OPC driver, and that would then mean that it would be possible for any application that supported OPC to talk to my PLC without any further drivers. And that sort of worked okay, but there are other issues with OPC. Generally speaking you want to match up the SCADA system with the kind of PLC underneath it, so if I buy a Siemens PLC, I'll probably have WinCC as the preferred SCADA. And in all of this, of course, I'm not talking about DCS; a DCS is another beast altogether, where the hardware is more like it was back in the 60s, prior to the PCs, or individual computers, taking off. So I'm ignoring DCS for a moment, because with regard to Stuxnet it was specifically targeting SCADA and PLCs. That is my crash course on what SCADA is and the pieces that go together. Maybe some day I'll go into that in a bit more depth, but for today that's all I really want to talk about.

So now, in order to understand a bit more about Stuxnet and what it did and why it did what it did, we need to talk a little bit about uranium. Now we did actually cover a little bit of this, about thorium, when we talked about thorium back in one of the episodes, 'The Battery Problem'. So, a crash course in some nuclear physics real quickly, and the reason I cover this is, well, basically because Stuxnet was all about sabotaging a nuclear facility, or a nuclear enrichment facility, hence why I talk about this. Okay, so back to high school physics: all atoms consist of protons and neutrons. The atomic number is the proton count, and for uranium that's 92. The neutrons keep the protons from flying apart, and they'll form semi-stable, or hopefully more stable, structures in the nucleus, and the numbers go up at a non-linear rate: the more protons you add, you have to add proportionally more neutrons in order for it to become stable. So all elements have got multiple more or less stable configurations of protons and neutrons, and each configuration they call an isotope, and that isotope will have a total count of neutrons and protons. So whenever you see an element, you'll see uranium 92, 238, for example. That means it's the isotope 238, so that's 238 protons plus neutrons, and since there's only 92 protons, you know it's uranium, and you know how many neutrons it's got in that configuration, that isotope. The thing is, not all isotopes are created equal, so you'll have isotopes that are in fact unstable and will essentially decay, will go through radioactive decay by emitting a whole bunch of different particles, alpha, beta, blah blah, gamma. But the point is that when you find these elements out in the real world they will have a certain blend to them. So let's say they've got six isotopes for whatever element we're talking about, and because of the decay rates of the different isotopes, you will tend to find on average that there will be a certain proportion of the different isotopes included in your sample. So this leads to the idea of an atomic mass, or atomic mass unit, or they call it AMU, obviously for short, and the atomic mass unit takes those proportions into account. So if you look at a periodic table you'll see uranium, and it'll say uranium 92, and it'll say 238.02891, and that's the AMU, the atomic mass unit, and what that does is it factors in all the different isotopes that you'll find naturally occurring uranium has, and it should be a pretty damn good indicator, 238.02891 too; that is the giveaway that almost all uranium's most stable isotope is uranium 238. With me so far? Yep, okay.

So to make fissile nuclear material we need uranium 235. There are other fissile forms, but this is the most feasible, and its percentage is 0.72%. So if you take any sample of uranium, naturally occurring, you'll only find 0.70% of it is uranium 235. So to separate it out from uranium 238, we have to get to a concentration of somewhere between 3 to 5% of uranium 235 in our sample in order to be used for a nuclear reactor fuel rod. Interestingly, if you want more kick, you need to get between 80 and 95% to reach what they call the so-called weapons grade material. I actually do remember this stuff; I read a gigantic book about the Manhattan Project, and the incredible part, when they talked about where there was a plant, the size of it and what it was actually producing, that was insane. Yes, absolutely it was, and what we're talking about with regard to Stuxnet has everything to do with that.

So the way that they came up with of doing it, and the predominant way of doing it, is to take the uranium that you've got and convert it into a gas, and the specific gas that they convert it into is uranium hexafluoride, which is UF6. In a gaseous state it is easy to separate, because as a metal it's very, very hard to separate, as a solid or as a liquid. Once you get to a gas, though, that's not so much of a problem. So what you do is you use a centrifuge. So you basically put something in a centrifuge and it spins around in a circle real fast, and the idea is that, just like gravity, eventually if you've got particles in solution and you leave them on the table, some of them will precipitate out; they will precipitate to the bottom based on density, because gravity will tend to pull them towards the bottom. Whereas if you put such a mixture in a centrifuge, through centripetal force it will provide multiple times the force of gravity. It's also the way they do training for astronauts, so they can experience the extra g's they'll take on takeoff. So anyway, the idea of using a centrifuge is to essentially spin the heavier elements, the heavier gases, to the outside of these things, and the slightly lighter, ever so slightly lighter, uranium 235 stays somewhere in the centre of the centrifuge. So using this sort of an idea, the rotation... these are like tall cylinders, and there's a good link in the show notes about this as well. The idea is that the inside of the cylinder is a very high speed rotor, so the rotor will spin around and spin the gas up to an incredibly high speed, and when that happens the lighter gases will essentially come towards the centre, and then by using heating and cooling, by specifically heating the centre of it, the lighter gases will rise to the top, where they are siphoned off and go on to the next stage, whereas the slightly depleted stream sort of goes back down to a lower stage, if that makes any sense. It's hard for me to describe it with words, but that's the gist of how it works.

In order for the centrifuges to actually function efficiently they need to spin at incredibly high speeds, up to 60,000 rpm, so these things are very precisely machined, and because uranium hexafluoride is quite corrosive they need to be made out of corrosion resistant materials. So these things are expensive, and they spin at very high rates. Now, if you want to just have a think about what we previously talked about, flywheels, in the following episode to 'The Battery Problem', I'd refer back to that if you've listened to it, and the tour we took there about some of the challenges of spinning flywheels at high speeds. Similar issues here. So what you end up with is high-speed, low friction bearings, and the other problem that you've got is that any one individual centrifuge really will not enrich a large proportion of the uranium, so what you do is you have dozens or even hundreds of these things cascaded together in order to achieve the required amount of enrichment. So it's a very expensive process, it's time-consuming, and these things are not cheap. So in order to make sure that the rotors and the bearings are not damaged, because they are expensive, you want to make sure you accelerate them in a controlled fashion. You don't just flick a switch and go from standstill up to 60,000 rpm in the space of half a second; that kind of crazy stuff would be bad, as that will end up damaging the rotor and/or its bearings, or possibly even the housing, because all that torsional force of acceleration is a problem. So what you want to do is ramp that up, and you want to maintain that speed pretty constantly and pretty accurately, and there are ways to do that.

So before we dive into exactly what Stuxnet did, because we're now at the point where we can start talking about that, maybe you could tell us a little bit about Typeform? Online forms are a key component of asking questions online, but up until now they've been liable to be difficult to design, configure and administer, and the results are often less than flattering. There are form builders out there that take care of some of the problems and make it easier to get something basic up, but they're still hard when you want an easy-to-use, feature-rich form and something that looks great on any device. This is where Typeform comes in. Typeforms are beautifully designed and have cross-platform compatibility built in; they're tailored to look and work differently on desktops, on smartphones and tablets. Design is about how it works, and Typeforms are built to really work regardless of the device. The platform itself is a joy to use, both as a customer creating a Typeform and as a user interacting with one. The UI is sexy, clean and fast, and designing a complex series of questions is made simple through the dashboard. The experience is focused on asking and answering one question at a time, so it doesn't feel overwhelming and nobody gets lost, like a real conversation. Typeform champions good user experience and design; this helps you create a space in which users will be more willing to answer and more likely to give nice answers. From customer feedback surveys to contests, landing pages, an organisation, the classroom, Typeform lets your imagination fly. People are using Typeforms in a variety of ways: to make interactive stories, holiday cards, presentations, avatar creation, the list goes on and on. Typeform is the only online form builder that lets you get unlimited responses for free: as many questions as you want, as many entries as you get. Typeform doesn't limit your interaction, it just lets you ask. For a limited time Typeform is offering a three month free trial of their new and improved service. Check out what you can do by visiting typeform.com/fiatlux. If you like what you see and sign up, be sure to use the coupon code FIATLUX to get your free three months. Thank you Typeform for sponsoring the show, and for making it easier for people to get to know each other better. It's awesome. Thanks.

Okay, so now we'll get into what Stuxnet actually did. So first of all, Stuxnet's original target was believed to be the Natanz, I think I'm pronouncing it correctly, plant, and that's in Iran; again, there's a link in the show notes, and that was a nuclear enrichment facility. Stuxnet technically is a worm, first identified by a security company called VirusBlokAda, and that was in mid June 2010, and a journalist by the name of Brian Krebs, on 15 July 2010, so that's about a month later, had a blog post that was the first widely read report on this particular virus. The original name that was given to it by VirusBlokAda was Rootkit.Tmphider; then Symantec called it W32.Temphid, and then later they gave it its now-famous name, W32.Stuxnet. Now, as viruses go, there are cases where viruses will go out of their way to steal any old keystrokes they can find and report them back in the hope that sometimes maybe they'll get lucky, right? There are the ones that intentionally wait and then wipe your hard drive and start over. There's the, more recently, ransomware: I've got access to your computer, I've locked it with an encryption key, you pay me money and I'll unlock it for you, that kind of BS. Anyway, the point is that they are in essence using computer exploits, but what they're doing is a sledgehammer approach. So by the end of September 2010 there were over 100,000 known infected hosts. That doesn't mean, of course, that there are 100,000 SCADA systems driving nuclear enrichment facilities; it just means that they were infected but dormant. It was first seen in July 2009, so this is just to give you a bit of a timeline, and it'll become relevant later.

So essentially the virus has three components: an injection and replication method at the Windows operating system level; then the second level was a modification to the WinCC Step 7 DLLs, and that opened the gateway to the PLCs; and then finally the third and final layer was a modification to the Profibus communications function layer in the PLC itself. So at the Windows level, the first thing it did was a check to see what the operating system was. Now the operating systems that it actually worked for were Windows 2000, Windows XP, Windows 2003, Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2; so the bottom line for the OSs, that's quite a long list. So the next thing it does is, once it figures out that it's actually on an operating system that the hack will work on, it checks if the currently logged in user has admin rights, and if it doesn't, it runs one or another zero-day escalation of privilege exploit, and which one it runs is based on the operating system that it's installed on. So there's two different privilege escalation exploits, depending upon what's on. So the most common one, Windows XP, Windows 2000, that particular one was MS10-073. Now that particular vulnerability was not patched until 12 October 2010. So I refer you back: it was first noticed in the wild in July 2009, it was reported on in about July of 2010, the following year, and it was not patched until October of that year.

So once it got elevated privileges, it then injects itself into WinCC and Step 7 DLLs. So I realise I haven't really gone into that yet, but bottom line, WinCC is Siemens' SCADA system, and I think it stands for Windows Control Centre, from memory. Now WinCC is a SCADA system just like any other; it has a graphical front end, it's got drivers, it's designed to work with the Siemens PLCs, or it's OPC compliant, so with an OPC driver you can use Bob's PLCs from around the corner. But irrespective of that, it does not program the PLCs. It is not capable of programming PLCs. If it is installed on its own, it can extract data and write data to and from the PLCs, but it cannot modify the PLC code itself; it can only modify memory addresses. Now that's actually very important, because of the second piece of software I mentioned, something called Step 7. Now for whatever reason Siemens call their software for modifying the PLCs 'Step'. Back when I started out, it was Step 5, and Step 5 was purely DOS-based, and Step 5 was for what they call the S5 PLCs, hence the name Step 5. So S5 PLCs were big old things with lights, light beige coloured, big chunky things, and when they released the S7 PLCs, that was in the early to mid 90s, they gradually started to wind back their efforts on the S5, and Step 5 faded into the background, and that's when they introduced Step 7. So Step 7 was purely Windows-based, and it's sometimes referred to as SIMATIC Manager, and it allows you to do a lot of things. Through Step 7, and there's a bunch of add-ons that actually allow you to extend this, basically you can program all their PLCs; technically you need MicroWin to program the S7-200, but suffice it to say you must install Step 7 in order to modify the code on the PLCs. Let's say you want to edit a block that's not performing correctly; well, that's what you need. It is your development environment, for want of a better description, so it is the equivalent of Xcode for Siemens PLCs. It is not SCADA. It can display data in tabular format, and it can show you live data showing what the logic is doing, up to a point; it has limitations. It can give you that, but it will not give you a beautiful pretty front end like a SCADA will, it will not trend data for you like a SCADA will, it will not provide alarming like a SCADA will. So it's not SCADA; it's purely a development environment for programming PLCs.

So what did Stuxnet do? Well, the funny thing is that it actually seeks out... once it gets to this point, it scans the computer and says, do you have WinCC installed? Tick, yes, great. Do you have Step 7 installed as well? And if you do, tick, on it goes to the next stage. If you don't, it gives up right there. So what it's trying to do straight away is, it's not trying to infect any old damn computer it finds itself in. Although it's got elevated privileges with a zero-day exploit, no problem, at that point it does nothing. If you don't have WinCC and Step 7 installed, it just gives up; nothing else to see, end of story. Now, on the trifecta computers that do, what it then does, if you have it installed, is it will specifically replace s7otbxdx.dll, which essentially is the intermediary communicating between the PLC and Step 7. So it does a lot of the data conversion, so the data is written down to the PLC and read back from it, and it essentially does the conversion and a bunch of other bits and bobs. So by replacing that, it injects a middleman. The modified DLL allows the injection of malicious code, but just as importantly, it masks the return path. So if you look into the PLC from that compromised version of Step 7, you will not see the injected malicious code; it will show up as if it was not there. So not only does it allow Stuxnet to inject code, it also masks its presence, so that if you open Step 7 all looks hunky-dory, looks fine, whatever's there. So the only way to know if your PLC was infected at that point, before a cleaning tool was released, the only way to do that was to have an uninfected Step 7, most likely on a standalone laptop, plugged directly via Profibus into the PLC, and then do a code dump from the PLC and have a look for anything malicious. In other words, not straightforward. It could be done, but, you know, it says a little bit about the wisdom of putting Step 7 on a SCADA computer, in the end. So that's where we're at with Stuxnet up to this moment. Now we have hacked our path into the PLC, so we can now inject malicious code into the PLC.

So what did it put in the PLC, I hear you ask? Well, specifically it modified the running setpoints of speeds of variable speed drives, in specific PLCs only. So real quick, variable speed drives: if you're not aware, a VSD is a variable speed drive. It uses a matrix of IGBTs, insulated gate bipolar transistors, turning current on and off with pulse width modulation to give you whatever frequency you want, and you filter the output to a nice pretty clean sine wave; it's not really that clean, it's clean-ish. And the idea is that you can change the frequency from zero up to, I don't know, however many hundred thousand hertz, because the variable speed drive will then, of course, if you say it's going to an induction motor, that particular motor will then spin at whatever speed is set by the frequency of the power. In that way variable speed drives are very, very handy, very cool, and variable speed drives have been around now for getting close to 40 years, although they were very expensive back in the early days. These days they've become cheap as chips, to the point at which VSDs are essentially what makes... well, what makes the Roadster and all of Tesla's cars, the Model S and eventually, hopefully, the Model X, someday. 
All of those have variable speed drives driving their motors, and electric trains too. Variable speed drives are an integral part of turning electrical voltage/current into mechanical motion these days. So in this particular case the variable speed drives were connected to the rotors on the centrifuges, so the variable speed drives did the acceleration control and the speed control of the actual rotors as they were spinning.

Okay, so how on earth did it know what to specifically modify, setpoints and so on? And I guess I have to explain a little bit more before it makes any sense. So Stuxnet specifically only attacked PLC systems with VSDs from two vendors: a company called Vacon, based in Finland, and the other one, Fararo Paya, which is based in Iran itself. Now that's where this gets just plain weird, because if you are writing something that was meant to disturb systems generically, like you are trying to stop something generically in multiple plants of different kinds around the world, why would you restrict yourself to two VSDs? It would be no harder to extend it to more than just two; build a bunch more subroutines, no problem, done, because every variable speed drive stores its setpoints in different locations. So they have two routines in Stuxnet that actually target each of those different VSDs, but only those two. So that leads to... it's very specific, and why it's so specific we'll get to in the conspiracy theories. So each of the drives has subtly different addressing, and the attack timing sequences are also subtly different. There's probably a good reason why the timings were different; I just don't have the complete control system designs, I can't answer exactly why they were different, but it may be something to do with these... the Vacon drives, maybe they were connected up through a different kind of gearbox, or maybe the motors had a different number of poles on them. I don't know. All I know is that there were differences, and I'd assume that there are logical differences, because the level of detail would suggest that whoever was writing Stuxnet had a complete set of blueprints for the control system, because it's just way, way too specific.

Variable speed drives get a speed setpoint; you tell a single drive, run at 50 Hz, 100 Hz, 200 Hz, whatever the number is, it doesn't matter. You tell these drives traditionally using an analog signal, which is 4 to 20 mA, which is what some people refer to as a current loop. Current loops have problems because they can be affected by noise, although admittedly that hasn't been a problem so much, and so we went to current loops; previously they were low-voltage loops, and voltage loops were highly susceptible to noise problems, so once they went away from 0 to 5 V and went to 4 to 20 mA, things got better. But it's better still to control it digitally, and hence that's why a lot of them are going to control via Profibus. Of course, I say Profibus, which is short for process fieldbus; that's a Siemens standard, and it's been around for a long time. The oldest one is Modbus, and we actually did talk about this as well on another episode, on communications, referred to in 'Turn the Download Off', episode 3, so refer to that if you want to know more about it. But in any case Profibus is fully digital, which means if I say 50 Hz the drive will get 50 Hz, not 50 Hz plus or minus 5%, 2%, 1% based on the inaccuracies in a current loop. So that precision makes it attractive, and it's not just that: one wire can carry hundreds and hundreds of parameters, so I can dynamically change the acceleration, the ramp rates for ramping up, revving down, braking coefficients, all sorts of details I could modify over the Profibus if I really wanted to. The mapping of the data on the Profibus is going to be different for each drive, and obviously it was for two separate drives. But in any case, that's what they did specifically, and it was clearly for a specific target.

Now the only variants of PLC that they implemented were the S7-315-2. Now at the time that they wrote Stuxnet there were two models available of the 315-2: there was the 315-2 DP, which is for distributed periphery, a.k.a. Profibus, and the other was the 315-2 PN/DP, and PN stands for Profinet, in other words industrial Ethernet, or Siemens' version of industrial Ethernet, which they call Profinet. So the idea is a PN/DP CPU will have one Profinet and one Profibus interface. Now it doesn't really matter which of those two models it is; I've programmed plenty of that exact model of PLC. The other variant that they'd programmed for, but it was an incomplete implementation, was the 417, I believe, 417-3 maybe. I don't actually know exactly, but the index is incomplete, so the one that they completed the index for was the S7-315-2. That was the one the exploit ran on, specifically and only that one. Otherwise, if Stuxnet found that you had a computer operating system that it could compromise, it would elevate its privileges, and it would say, do you have WinCC and Step 7? Yes you do, great, next step. At that point it would then read the system data block and say, are you an S7-315-2 DP or 2 PN/DP? No? Not interested, and it would stop right there. Again, very specific, and there is no reason that I can think of why, because functionally speaking a 315-2 PN/DP is very little different from a 317 or 318-2 or -3 PN/DP, because those models have simply got more memory and more ports; they can handle more I/O, but they're essentially the same body of PLC. Again, very specific. And one more thing that's even more specific is that the stuff that was being used was specifically the communications blocks for the CP 342-5 module, and CP stands for communication processor. I know, a lot of acronyms to be dealing with
the sodium long but the point is that a superiority is five is an independent communication processor that you can add on to your plc to give you an additional property bus port site so you use up all the data or all of the devices on the one that is built into the CPU while you add an ICP card you get a whole new card you can you have a whole new proper bus network so why on earth if you've got because of me I can count the number of times I use a 342 – five on one hand you know because honestly between you you got to DP ports on a two DP hence the number two DP are all the 2 PM DP you got one property bus and one property net usually on most size systems that's plenty you only need to add another proper bus are module if you've got lots and lots of devices hanging off of it and you overload one or you don't want level I want to spread the load so again and Scott are very specific when you think about it if you're how I said with the centrifuges that you needed dozens if not hundreds of these things to think about how you would design that so the limit on the property bus network is 32 devices per segment and if everything wasn't a variable speed drive and essentially general investors will have a reasonable amount of data going back and forth with a large number centrifuges at you've got it would make sense if I was designing it that's what I would do as I would split them up I say okay worldview 31 this card or another card you can do the next 30 in this country the next 30 because it would be very computationally expensive it would simply be of a lot of devices I need to address so how exactly does it do its magic court magic how it impacts the plc is really not that difficult when using a CP card than the native send receive functionalities built in the somatic manager is not available I on certain levels of proper bus data transactions and not only get the details but essentially you will tend to use DP receive an DP send okay little real quick lesson on 
Siemens plc Siemens PLCs have essentially for four kinds of blocks you have organisation blocks obese and the organisation blocks their job is to execute repeated code are the want of a better way of describing our FC's functions and our functions are essentially you put a bunch of inputs into the function experts about much about without a function don't have to have inputs and outputs you can simply call it and it will execute a series of instructions and then it'll it'll jump out and then that's it now like a subroutine it's not really that different alter any of function you would write in a MC or Objective-C function blocks however are subtly different from functions because they can have an attached data block which is the fourth kind of dialogue is really just a table of data you preserving space in the memory and saying I want this as this is this is an integer disability and this is a double word whatever whatever and you give a symbol name and he had saved the guy now got data block J function blocks Directly associated with that fund the data block is directly associated with a function block so you can't create a function block without a matching data block border means is that you can actually call a function block and have dozens of different data blocks that drive the functionality and that is one of the methods by which in a Siemens plc you will have our one function block that controls a valve and yet you have 100 different valves in the rule defined by their own individual data block this as valve wonders above to those of our friends on hence giving a personality against Allendale blocks as well being is the basic types of blocks so inject itself into Obi-Wan and OB 35 Obi-Wan every time I say that is Obi-Wan Kenobi seriously it's called only one anyhow only one is referred to in Siemens parlance as the site click task so in other words it kicks itself off at the end of itself ever make sense you start the block when used when you hit run on the 
plc it will start executing at that point it will run through the instructions and Obi-Wan were heads out the end it will circle back to the beginning and start again so it is the site click ongoing process cycle task OB 35 is a time triggered task of higher priority than Obi-Wan and is a whole bunch of them on their seven arm 305 – two you only get OB 35 but if you go the more expensive PLCs you will get more OBs get SM for hundreds you'll get OB 3536 as of the 89 so you can actually have multiples and that's important when they do immigration to the DCS that they have just busier seven again sidetracked long story point is you can set that trigger after one over one second 10 seconds 500 ms so whatever Obi-Wan is doing whatever code is executing Susie hit that one second let's as it was taken over 35 will save you shut up on the demo thing then execute the code maybe 35 dumps at the end of it and then waits for goes asleep until the next minute comes around and Obi-Wan carries on its doing so the whole point is that you've got your main psychic task either periodic executable task injects code into their but because it's special functions to the next thing that does is it moves there DP receiving our function from wherever it is in the code to function F FC 18699Y1869 but I guess they figured it's a long way from all the function was restart numbering functions from one like you normally do EEE it's pretty unlikely you have a phone OR plc that's got 1869 functions and on the ice and have written plc: SM 300 and had that many unit for hundreds yes night but not not not a 300 nano so I think it is shoved out there because in the far right my figured now is not likely to be anything there technically if there was something there it would probably overwrite it and you may have a dysfunctional plc on your hands but I think that is an even bet you and I can hassling their probably not anyway when you install the DP receive functions and receive functions are normally 
going to FC one FC to you Dragon into the library they automatically go to see one of the two course you can rename them to whatever number you like our but irrespective of what number it is it shifts that copy out FC 1869 and it inserts its own copy and cause its own copy is extra special what it does then is those function blocks control the proper bus messaging to anything on the property bus so whatever it's called on a CP 342 – five card which is in this case we we believe talking to a variable speed drive it can now intercept someone to can do that it now owns every link in the chain so now it can take over from the wind CC from the scarred level all the way down through the step seven level through the driver down to the plc and then directly on the property bus at that point stuck that installation is essentially complete and it now has control so the next thing and it does which is again super specific is it monitors the frequency of any the attached variable speed drives in the system but it only adjusts those that are spinning at a rate between 807 Hz and 1210 Hz now I'm into listening for a while and admittedly I have not actually had anything to do with our nuclear plants and nuclear fuel enrichment plants but those numbers sounds so terribly specific to me so there's a reason that they asked so damn specific overrun percentages on am I trying to figure out based on the other number of polls you would expect on the motor is what you would expect their spin that the rotational rates to be truth is I couldn't find a pattern if anyone knows of the partners please share but I'd I don't know this property some specific reason that I just don't have the design details a conveyancer anyway once it's done that once it figures outlook I have some motors in the system yes there on this card yes I menacing the property bus and LMI them there spinning between hundred and 7000 1210 hertz at that point in time all the criteria are met and then it will periodically 
modify the frequency up to 1410 Hz in other words going overspeed right down to 2 Hz which is practically stopped and then appoint roughly in the middle somewhere 1064 Hz so as it messes with the frequency of that the motor is spinning the rotors and it does so in a are a more direct fashion it also instills a bunch of data blocks that the wind CC the PC part of the virus looks at Annex data block 890 amounts monitored from the scar side and if you have multiple PLCs it will scan the bus and it'll say okay or you PLCs of the flag set in dB 890 I wash or go off at the same time so what does it actually synchronises all the PLCs are connected to do the same thing all the motors at exactly the same time on the on the control system that this case is that that scar system so if you had you know like one scar system controlling five PLCs all five PLCs and although most would do exactly the same thing at exactly the same time so synchronised the timing now is exactly quite elaborate because there is a pseudorandom time interval and you look at the way does it counts property bus frames and assist really bizarre but what adds up to is between 13 days and three months apart there will be an attack that runs for between 15 minutes and 50 minutes are not quite an hour or an hour to just over three because now if I was an engineer running those plants I would be ripping my hair out because you'd be sitting there and all be hunky-dory and suddenly you drive to be spinning and also to crazy speeding on what the hell is going on the above steps ever try and diagnose it and everything looks fine because of course masking all Hank Cody cassette to be made against the desk and then by the time you've done beat you head against the desk you look up and editing was back to normal again you'd think did I dream that order that actually happen when you look back on your transmits I now did actually happen oh crap that's what stuck that does and if you want a more detail is a lot more 
detail and that semantic put together an amazing dossier on this the go through every little intricate detail is a lot more to how the virus spreads over the local network and everything in Howard Howard does some of the other in intricacies within the plc catering to that side of it or you but I discovered what I consider to be the main points but truth be told those of the key points that's that's the basic gist of how it works out I call that a basic gist okay well okay so is the point of all this the point of all this is you will doing that to the rotors will II I base my understanding will cause damage their intention was to either hamper the perform white like severely impact the performance or to damage it side damage the rotors such that the centrifuges were are damaged in the process and would no longer operate either at maximum efficiency oral and by doing the whole pseudorandom attack thing it allowed it to spread the word on a super hurry if I can have a worst-case three months apart and it was definitely designed to be very stealthy in the ends all those requirements when they did their investigation came up for that that star enrichment facility in around of course it went beyond that it spread to other places well and sometimes when these when these attacks occurred they were seeded so people that were involved in those plans are they had from through espionage they actually DO hacked in and inserted the the code on these peoples like flash drives and laptops and in in attempts to get into the building and into the system and in some cases it happened in other cases it didn't answer was inside the system then it spread through the system so it was not just that it was they had to actually it was just let's write the code letter going to the wild know they had actually planned on getting that the reason they had to do that is because these control systems are typically running on standalone networks so this is that this is the false arm is a false 
sense of security lysine now my own involvement with scar systems is that there is a belief it has been a belief perhaps somewhat now since they stuck that are is less of our belief that if this really was a belief in the previous decade or so that because my system is standalone that I don't have to worry about viruses or malware and everyone said Skyler is far too specific for anyone to be bothered hacking into Hackett right is the wind CC may have 20 50,000 installs around the world maybe that's it probably one of the numbers belong assume it's not huge family copies of Microsoft Word around their so fine I spend my time hacking my and only get bank account details and so on and so forth financial gain or just oppressing people off I wouldn't target the 50,000 copies I target the million copies and that was sort of the prevailing thought but stuff that was not interested in at the wasn't interested in money it wasn't interested in extortion it was interested in causing damage because when I did cause damage or not I don't know and maybe you'll never know but that was clearly the intent and was very specific so they went to whoever built it and it was suspected that it was the US government plus the Israeli government although that's never been proven exactly our strong suspicions but that doesn't mean proof so we don't know exactly specifically right nonstock Bannerman said Hayley was me arm which happens some viruses so what can we conclude from this is if standalone didn't save them the time delay at the operating system level for the patch to come out to patch that zero day vulnerability to give them our elevated privileges that was terrible yet it was known about long before it was never patched so you honestly that's another thing that creeps into that mentality in all well aware and isolated network can go because were isolated were knocking to the Internet we are to worry about patches and updates and so and so forth release for my dinner and every six 
months or 12 months whereas if you're running an IT department we computer is connected together and is appalled to the Internet you are going to be as an IT guy Yuri running those updates as often as you can because you're like I'm exposing potentially expose someone comes in with a virus it can spread to hold them building before I can say all my it's a respect to the billing so that's that's that's sort of vigilance is prevalent in those systems whereas I found I've got a science whether been discussed is not okay fine non-nuclear power plant okay fine and not a nuclear enrichment facility but I've been to plenty of sites of also different backgrounds from from mining to pharmaceutical to go to hospitals for God sake where they haven't updated their virus definitions a thing if I have a virus scanner will haven't run an update because it's our focus for months if not a year or more and they don't do it because it's hard because it gets used to the whole idea of off well I do is go to Windows update we can't do that you and isolated system you don't give up all the nice whole-body point of not having a portal to the Internet so what you do is you make sure you download all the updates from the Microsoft website are to a drive the well you flash drive I suppose these days that has been heavily virus scanned and you go and you apply those updates essentially off-line is aware and that's how you would do it because that takes more time it's more effort never a nice Arabic cry about as a lot of really have thought of those God for you what we should because had someone actually open Microsoft actually hang on the housing dimension is after 12 October there was that that the attacks were went on for a year and a bit later because people had updated the dam systems me what's wrong with people right that that's what's wrong with people is that they think SA because of my slide system but he's another really good listener to take away from this why the hell was step 
seven installed on a computer that was running when CC like the skull and the and the and the op the environment the programming environment why was it on the same damn computer me I know the answer it makes it easier for them as a developer to have it all on the one machine because you tweak a better scanner to exhibit a plc code get to see the result of one machine but is there is no chest separation of church and state real rate yes of the developing locally and pushing server that is exactly what to do it properly you have a separate development machine that had no Skyler on it and then you have a separate machine had discovered it was run really a runtime machine that it should do to ordinarily keep them separate and that diagnostic machine was only ever used for loading code to and on to and from the PLCs and is never connected to a network and that's what you should do if you can engineering workstation PCS seven younger choice she had all installed as a DCS but generally speaking if it's not DCS is extra fat programming code so what you do you development you pack up your laptop and go home rate the integrators pack up and go home unit leave the best-of-seven somatic manager costs $5000 in a licence is not cheap so I'm gonna leave step seven, on a client's computer when I do is go just because it's easier this sort of thing that our clients say we like to modify our own: look in the raised eyebrow you really want to modify your own code best of luck but you know it is not not to say that it's hard necessarily better and anyone can do it if they apply themselves it's more the fact that I do warrant their own work as a tea what leaving the keys to the car for Romeo the equivalent of someone is at the bottom of the learning curve we are never to recover for is, dangerous and see either the number of times I'd call as the site where we where they had insisted that we install our step seven on the machine so that they could do my tweaks is necessary you go and 
they look at the time and date stamps in a cell would have touched it and you like point time and date stamp point when you last step in your lot is last left in your last backup your code comparison like someone change this line of code here from this to this and that that I haven't been here have as another integrated been here are no and you never did it arm know Mike sure anyway so finding it's sloppy to have a step seven on the same damn machines when CC on exam separate diagnostic laptop and leave it at that so I think that sloppy because if that hadn't happened stagnant stocks that never would have worked okay arm the last weigh in of course apart from you make sure you buy the regular patches and so on is a lockdown of USB ports and there is also the software that can let you do that like bit locker style software right where you insert a flash drive into the machine and it will format an encrypted and once it's formatted encrypted it can then only go to another machine run the software with that same predominant and is a virus scanner living crap out of it before you then put it back in the machine and is usually a reverse process as well so when you insert on the protective system you you can go and do that you only have to do that for some patches and updates but really what you'll find is that the skull system might might just save reports in Excel format or something, separate format rate the operators does get a flash drive from out of their pocket they use at home and I scoff over the keys on the puppy whatever anyway they'll put this in from wherever and ill have gone as wonderment and then plug it into a dance gala computer white others for the CSV files for 59 I gotta do some work onto my copy pasted on orbs" of them virus on my Skyler machine and the plan is down tomorrow so you know when I was doing this sort of thing are as low as an integrator you we always recommend things like that so isolate your network you apply the updates regularly like 
to check once a week once every two weeks just not once a year please, more than that more regularly than that don't install is that your your plc programming environment on the same machine as your Skarda keep them separate honestly if any of those things I listed had been followed stocks that were filed instead it didn't succeeded crazies and that these places that have got so much at stake makes no such simple mistakes so if we can out yet well I guess I would be if it while you rate but maybe not surprised well I mean human nature is human nature and that's the problem and people people just make these assumptions we data about security because insert you stupid reason here but the truth is that there is more than one way to get a virus on the machine and yet you can have the best are firewalls in the world they can have the best email scanners in the world viruses can still get in you that I love the approach of over many email systems now rather than the whole search and attack thing and maybe viruses on their own as it is a separate topic that you rather than any virus in a word macro will disable Word document came in delete one even the GOP's IRA at work here we've got one of these filters PDF no problems no macros in PDF your semi-Word document but from our luck even if you sip it it'll unzip it Detective Zedillo Word document bumped on so you know that's the heavy-handed approach would you not stop the attack vector right rate anyway I don't see much more to say about stuff that so hopefully that some ships one of the six good listener shyness of you will read up on and do arm I think a lot of places are taking it Skyler security a lot more seriously as a direct result stocks net so maybe on the whole it was a good thing for the world in general and maybe it's can indirectly make the world more secure place in terms of control systems but I've so that's it wanted more about this you can find John on Twitter at John Geagea is the seaman Utica gunsight 
tractor storage and outcome flex and email you consent to giant duck distorted outcome under Alexander and can reach me on Twitter at feel like Southampton you can file out pragmatic show on Twitter to seashell announcements and other related materials I see another thank you to responsive platform for sponsoring this up so she goes back up exhorting everyone thank you they spent a terribly are areοΏ½
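As an added example, not from the episode and not Stuxnet's own code, the targeting and synchronisation rules John walks through above are modelled in Python over a constructed plant: the CPU and CP 342-5 check, the two-vendor filter, the 807 to 1210 Hz window, a boolean stand-in for the DB890 synchronisation flag, the 1410 / 2 / 1064 Hz setpoint sequence, and, for the "look back on your trends" point, a historian-trend check that flags the excursions after the live values have gone back to normal. The CPU and vendor strings, the PLANT list, the TREND samples and the DB890 stand-in are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Targeting constants as described in the episode (which cites the Symantec dossier).
TARGET_CPUS = {"315-2 DP", "315-2 PN/DP"}      # the two S7-315-2 variants the PLC payload completes
TARGET_VENDORS = {"Vacon", "Fararo Paya"}      # the two VSD vendors with their own attack routines
FREQ_MIN_HZ, FREQ_MAX_HZ = 807, 1210           # only drives running inside this window are touched
ATTACK_SEQUENCE_HZ = (1410, 2, 1064)           # overspeed, near-stop, then a middle value


@dataclass
class Drive:
    name: str
    vendor: str
    freq_hz: float


@dataclass
class Plc:
    name: str
    cpu: str                        # CPU model as read from the system data block (assumed string form)
    has_cp342_5: bool               # Profibus hung off a CP 342-5 communication processor
    drives: list[Drive] = field(default_factory=list)
    db890_flag: bool = False        # hypothetical boolean stand-in for the DB890 synchronisation flag


def plc_is_target(plc: Plc) -> bool:
    """Model of the 'read the system data block and walk away unless it is a 315-2 on a CP 342-5' step."""
    return plc.cpu in TARGET_CPUS and plc.has_cp342_5


def targeted_drives(plc: Plc) -> list[Drive]:
    """Drives that satisfy every condition: right CPU, right card, right vendor, right speed window."""
    if not plc_is_target(plc):
        return []
    return [d for d in plc.drives
            if d.vendor in TARGET_VENDORS and FREQ_MIN_HZ <= d.freq_hz <= FREQ_MAX_HZ]


def arm_plcs(plcs: list[Plc]) -> list[str]:
    """Set the DB890-style flag on every PLC that has at least one targeted drive; return their names.
    The SCADA-side component in the episode waits until all of them are flagged so the setpoint
    changes land on every PLC at once."""
    armed = []
    for plc in plcs:
        plc.db890_flag = bool(targeted_drives(plc))
        if plc.db890_flag:
            armed.append(plc.name)
    return armed


def attack_setpoints(plcs: list[Plc]) -> dict[str, list[tuple[str, float]]]:
    """Per-drive setpoint sequence that would be written to the armed PLCs: 1410 Hz, 2 Hz, 1064 Hz."""
    plan: dict[str, list[tuple[str, float]]] = {}
    for plc in plcs:
        if not plc.db890_flag:
            continue
        plan[plc.name] = [(d.name, hz) for d in targeted_drives(plc) for hz in ATTACK_SEQUENCE_HZ]
    return plan


def trend_excursions(samples: list[float], lo: float = FREQ_MIN_HZ, hi: float = FREQ_MAX_HZ) -> list[tuple[int, float]]:
    """The defender's check: the PLC masks live values during the episode, but a historian trend
    still records them. Return (sample index, Hz) for every sample outside the normal band."""
    return [(i, hz) for i, hz in enumerate(samples) if not lo <= hz <= hi]


# Constructed sample plant: two matching PLCs (each with one drive that fails a condition), one on the
# wrong CPU, and one on the right CPU but without a CP 342-5.
PLANT = [
    Plc("plc-a", "315-2 DP", True, [Drive("vsd-1", "Vacon", 1064), Drive("vsd-2", "OtherVendor", 1064)]),
    Plc("plc-b", "315-2 PN/DP", True, [Drive("vsd-3", "Fararo Paya", 1000), Drive("vsd-4", "Fararo Paya", 50)]),
    Plc("plc-c", "317-2 PN/DP", True, [Drive("vsd-5", "Vacon", 1064)]),
    Plc("plc-d", "315-2 DP", False, [Drive("vsd-6", "Vacon", 1064)]),
]

# Constructed historian trend (Hz per sample): steady running, one attack episode, back to normal.
TREND = [1064.0] * 5 + [1410.0, 1410.0, 2.0, 2.0, 1064.0] + [1064.0] * 5

if __name__ == "__main__":
    print("armed PLCs:", arm_plcs(PLANT))
    print("setpoint plan:", attack_setpoints(PLANT))
    print("trend excursions:", trend_excursions(TREND))
```

The model makes the episode's selectivity concrete: plc-c and plc-d never arm, and vsd-2 and vsd-4 are skipped even on armed PLCs, so a generic plant would see nothing at all. The trend check is the part a practitioner should keep; the same band test run over a historian export is the quickest way to confirm an excursion that the live display no longer shows.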
Duration 1 hour, 5 minutes and 31 seconds
Episode Sponsor:
Typeform: Typeform makes it easy to build and share beautifully designed online forms, combining human creativity with the power of modern, cross-device web technology to create new ways of asking questions online. Visit and use the Coupon Code fiatlux to upgrade to the PRO plan and get three months free.



Ben Alexander

Ben created and runs and Fiat Lux

John Chidgey

John is an Electrical, Instrumentation and Control Systems Engineer, software developer, podcaster, vocal actor and runs TechDistortion and the Engineered Network. John is a Chartered Professional Engineer in both Electrical Engineering and Information, Telecommunications and Electronics Engineering (ITEE) and a semi-regular conference speaker.

John has produced and appeared on many podcasts including Pragmatic and Causality and is available for hire for Vocal Acting or advertising. He has experience and interest in HMI Design, Alarm Management, Cyber-security and Root Cause Analysis.

You can find him on the Fediverse and on Twitter.