Process control / automation control systems /SCADA Security rootkit (Stuxnet) #in

Posted on August 10, 2010

Having done a fair amount of work in the area of process control systems, and the design/implementation of control frameworks and minimum standards for these environments in the last few years, I am always interested in reading up on issues and threats being identified in this area.

My experiences have always been that the clients we have dealt with are relatively immature in their dealing with these environments (from an information security point of view) and have been reluctant to acknowledge the threats and take the necessary steps to protect themselves.  They are reluctant to even carry out the basics such as patch management and installation of anti-virus, often pressured by the solution vendors not to.

I noticed a short while back that there was some noise of a new “virus” that targeted WinCC, at the time I read about it briefly and was interested to see that it targeted one specific environment and appeared from the comments to have been designed to attack one specific environment.

Details that are emerging now seem to indicate something altogether different. This virus not only targets on specific environment, but is also a security rootkit. It targets Siemens Step7 and WinCC. Step7 is used to program the Programmable Logic Controllers (PLCs) of the Simatic S7 family.

In an updated blog post found here, Symantec explain in a bit more detail the seriousness of what Stuxnet is and what it does :

“Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

In particular, Stuxnet hooks the programming software, which means that when someone uses the software to view code blocks on the PLC, the injected blocks are nowhere to be found. This is done by hooking enumeration, read, and write functions so that you can’t accidentally overwrite the hidden blocks as well.

Stuxnet contains 70 encrypted code blocks that appear to replace some “foundation routines” that take care of simple yet very common tasks, such as comparing file times and others that are custom code and data blocks. Before some of these blocks are uploaded to the PLC, they are customized depending on the PLC.”

Two infographics have been shown in various places (Source : app Symantec), that show the distribution of the worm globally. This is not a localised phenomena that affects just one place in the world.

stuxnet global distribution

stuxnet global distribution

Iran, Indonesia and India are the areas most widely hit.

Stuxnet distribution graph

Stuxnet distribution graph

This virus is not just some theoretical proof of concept. In reading through some of the forums I came across this post, which could just as easily have originated from a South African organisation as a foreign one :

“Hi, currently I am in Iran, xxxx commisioning of our project for steel making plant.
We have this virus everywhere here, on WinCC server, clients and so on.
This virus was probably transfered from some USB stick from customer.
In this time I downloading Simatic patch and antivirus software from links above.
I am sure, that I have had this virus minimal one month ago in my project backups too.
So tomorow I try remove this virus and i will inform you. ”

From this it is clear that the environment they are in at least follows the basics of keeping the process control network separate from the organisations administration network and the Internet. This virus is smart, smart enough to know the target environment and run across multiple attack vectors. At very least, this virus is infecting USB memory sticks to get itself across to the process control environment. It is then infecting windows computers through open shares (and other vectors) and then attaching itself to the .DLLs on the WinCC machines and injecting itself into the S7 PLC’s, then modifying code on the PLCs to prevent it’s detection. This is serious stuff and introduces a few degrees more complexity than has been seen before in a worm targeting these sensitive devices.

If that wasn’t bad enough, once this virus has acquired targets, it is then reporting information back to it’s Command and Control centre, and also appears to have the ability to receive remote commands and execute them, as well as download further software from the command centre.

If you run a process control environment / SCADA / PLC’s then you should be concerned. IT security threat to the environment is no longer a theoretical or remote one. It is real, and you could be attacked, if you have not already been. It is important that you have the right governance and processes in place to provide you with both technical and procedural protection against attacks.

Has anyone heard of any infections here in South Africa?


Further reading:

Stuxnet introduces the first known rootkit for industrial control systems

Findings from the field : Stuxnet and Siemens

The Stuxnet worm and options for remediation : Download PDF from Industrial Defender here or get it from

%d bloggers like this: