Sunday, September 19, 2010

Siemens: Stuxnet Can Manipulate PLCs on Specific Types of Systems

Via H-Online -

Siemens is reporting that industrial plants in Germany have also been hit by the Stuxnet worm. According to Wieland Simon, press spokesperson at Siemens, approximately one third of the 15 infections discovered at industrial plants worldwide have been found at sites in the German process industry sector. Siemens' own plants are said not to be affected.

Analyses by Siemens have reportedly confirmed that Stuxnet can, in theory, manipulate Programmable Logic Controllers (PLCs). However, this behaviour has so far not been observed in the wild. According to Simon, Stuxnet checks the configurations of infected WinCC or PCS 7 systems for existing data blocks. If it finds suitable blocks, it becomes active and modifies the controller code. If it doesn't find any, it remains inactive. The worm seems to look for specific types of systems to manipulate. Siemens couldn't provide any details about which systems precisely are or could be affected. Simon added that no system with an active worm has so far been observed.

On their web site, automation system security specialists Langner Communications have released a more detailed analysis of how Stuxnet manipulates PLCs. According to this analysis, the worm injects arbitrary code when transmitting blocks of code to the PLC. To compromise data transmissions, it diverts the data via a wrapper DLL before submitting it to the SIMATIC Device Operating System's original s7otbxdx.dll library for processing.


The analysis by Langner is awesome stuff. They basically come to the same conclusion as many in the community: the attackers - 1) have heavy inside knowledge 2) are highly skilled 3) are going after a target they deem high-value 4) don't care about getting caught and going to jail.

So what types of physical systems was Stuxnet targeting?

Someone knows and that knowledge might offer a clue into why Stuxnet was built and who might be behind it.

Sadly, the public may never know that answer.
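The wrapper-DLL interposition described in the Langner analysis leaves a recognisable footprint for a defender: the file named s7otbxdx.dll no longer matches its known-good hash, while the known-good bytes still exist in the same directory under another name so the wrapper can forward calls to them. The check below is an added example, not code from Siemens, Langner or this blog; it assumes the original library is kept on disk under a different name, and the function names and sample file names are hypothetical.

```python
import hashlib
from pathlib import Path

WATCHED = "s7otbxdx.dll"  # library named in the analysis quoted above


def snapshot(directory):
    """Map each DLL name (lower-cased) in `directory` to its SHA-256 hex digest."""
    return {
        p.name.lower(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in Path(directory).iterdir()
        if p.is_file() and p.suffix.lower() == ".dll"
    }


def check_interposition(baseline, current, watched=WATCHED):
    """Compare a known-good snapshot with the current one.

    replaced          - the watched file exists in both but its hash changed
    relocated_as      - other names that now hold the watched file's good bytes
    new_dlls          - DLLs that were not present in the baseline
    wrapper_suspected - replaced AND the good bytes survive under another name
    """
    good = baseline.get(watched)
    now = current.get(watched)
    replaced = good is not None and now is not None and now != good
    relocated = sorted(
        name for name, digest in current.items()
        if good is not None and digest == good and name != watched
    )
    new_dlls = sorted(set(current) - set(baseline))
    return {
        "replaced": replaced,
        "relocated_as": relocated,
        "new_dlls": new_dlls,
        "wrapper_suspected": replaced and bool(relocated),
    }


if __name__ == "__main__":
    # Constructed snapshots (placeholder digests, not real hashes).
    baseline = {"s7otbxdx.dll": "aaaa", "other.dll": "bbbb"}
    current = {"s7otbxdx.dll": "cccc", "renamed_original.dll": "aaaa",
               "other.dll": "bbbb"}
    print(check_interposition(baseline, current))
```

A changed hash alone also occurs after a legitimate vendor update; it is the combination with the relocated original that points to a wrapper.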
