How Bad Guys Worm Their Way Into Factories
At a September conference in Vancouver, Liam O Murchu, a researcher with the computer security firm Symantec (SYMC), used a simple air pump connected to an industrial computer to pop a balloon. The computer's program called for the pump to stop before the balloon burst. But O Murchu had loaded the Stuxnet worm onto the machine, which let him order the pump to keep going. That, he says, shows what can happen when bad guys gain control of industrial systems: "Imagination is the limit."
The spread of the Stuxnet computer worm has heightened fears about the security of industrial control computer systems that run factories and power plants. The rogue program, which affects machines sold by Siemens (SI), has been found in computers around the world, Symantec says. Most are in Iran, leading analysts to believe that its nuclear program is the target.
O Murchu hypothesizes that the worm may have been unleashed via a USB drive that was plugged into a computer. In some instances, rogue programs have come from USB drives dropped in parking lots that were plugged in by a curious person. Once loaded, the worm can spread because passwords for many industrial control programs—required to give the machine instructions—are either hard to change or can't be changed at all, says Frank Heidt, chief executive officer of Leviathan Security Group, a consultancy in Seattle. "Whoever made Stuxnet gave it a set of master keys to get inside this kind of system," he says.
The weakness goes beyond Siemens, Heidt says, showing passwords in owner's manuals for industrial control software from Honeywell (HON), ABB (ABB), and Invensys. Siemens says the company issued a fix for Stuxnet within a week after it learned of the worm in July and that few customers have had problems. Honeywell and ABB say they are addressing the password issue. Invensys says its security is sufficient.
The risks to such computers were illustrated three years ago when researchers at the Idaho National Laboratory tried to seize control of an electrical generator over the Internet. While the findings of Project Aurora, as it is called, are classified, a leaked video shows a generator emitting black smoke as it follows the team's rogue instructions.
Many industrial control systems were designed before anyone dreamed of connecting them to the Internet. They run machines that have been in place for decades and remain in use longer than most computers. Over time, these systems were linked to the Internet to allow companies to monitor output, material consumption, and inventories. "It was a very natural progression," says Michael Assante, the former security chief of a U.S. utility industry group. "Someone would say 'We need to get the data that we can capture from the plant and get it into the financial system.'"
Security experts take some solace in Stuxnet's complexity, which means that few organizations could create such a worm. Symantec's O Murchu estimates that Stuxnet was written by a team of a dozen programmers working for at least six months, at a cost of more than $3 million. "With an attack like this," he says, "you have to know a great deal about the target in order to get the desired result."
The bottom line: Stuxnet highlights the vulnerability of computers that control factories, many of which were developed before the Internet era.