Control network security lessons from Stuxnet

A UK expert describes how Stuxnet and other threats to industrial infrastructure cyber security are prompting national and international action. Technology Update, February 2011, monthly Control Engineering, North American edition.


Industrial control systems have long life cycles. Older systems were designed with little or no regard for cyber security and are interconnected in ways never envisaged. The mistaken belief in "security through obscurity"—the use of specialized systems, protocols, and proprietary interfaces as the basis of secure systems—is obsolete in the wake of recent incidents. Add to this the increasing complexity, proliferation of access points, wireless communications and wider use of common operating systems, and wider use of the Internet, and it is understandable why governments are keen to promote cyber security.

Information on industrial protocols is widely available, and some systems have already been specifically targeted. These include the Modbus protocol and more recently the Stuxnet trojan/virus, which affected Siemens WinCC SCADA, Step 7 Programming Software and Simatic PLCs. While fixes were quickly developed, Stuxnet was a game-changer in terms of its complexity and reach, and as it and other breaches of security continue to be analyzed, governments are responding with general and sector-specific guidance to protect critical national infrastructures.

Critical national infrastructure

The critical national infrastructure comprises facilities, systems, sites, and networks necessary for the delivery of the essential services upon which daily life depends. This covers nine sectors: communications, emergency services, energy, finance, food, government, health, transport, and water. Like the U.S. Department of Homeland Security, the UK’s Centre for the Protection of National Infrastructure (CPNI) works with the operators of essential services and with lead government departments to identify critical national infrastructure and to help protect it.

An often cited example to illustrate the risk is the "drive-by wireless hacking" by an Australian ex-employee of a Queensland sewage treatment plant. He used his knowledge of the control system to hack the system 46 times and release millions of liters of waste into public waterways.

The CIA has confirmed a cyber attack caused power outages in multiple cities (including New Orleans in 2008). The CIA also provided information on intrusions into utilities that were followed by extortion demands. The U.S. government has been taking the potential reconnaissance of the power grid by Russia and China seriously, considering the potential for terrorist attack, and this year formed the United States Cyber Command. This group is responsible for directing the defense of U.S. Defense Department networks and conducting military cyberspace operations.

In the UK, the Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides protective security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of process control and SCADA security good practice guidelines. Much is a result of the work of the U.S. National Institute of Standards and Technology (NIST) and is sponsored by U.S. Homeland Security.

Stuxnet—an unusually complex threat

The Stuxnet trojan/virus is the first publicly known "worm" to target industrial control systems. The threat posed by Stuxnet has been portrayed as beyond anything seen before. Its goal was to sabotage a real-world industrial plant, not disrupt abstract IT systems. It was aimed at industrial control systems with the intention to reprogram PLCs in a manner that would sabotage the plant, hiding the changes from programmers or users.

Stuxnet has highlighted the potential to directly attack industrial control systems used in critical national infrastructure, including energy, water, and transport sectors. Research by Symantec (September 2010) showed that nearly 60% of the approximately 100,000 hosts infected by Stuxnet were located in Iran, with relatively high infection rates also seen in India and Indonesia. This has led to speculation that Stuxnet’s goal was disruption of Iran's delayed Bushehr nuclear power plant, or the uranium enrichment plant at Natanz.

Stuxnet has been described by Symantec as one of the most complex threats the company has analyzed. Features include:

  • Four zero-day exploits, which are exploits that are unknown, undisclosed to the software vendor, or for which no security fix is available. This is a rarity for any virus, and would be considered wasteful by most hackers.
  • MS Windows rootkit, which is software that enables privileged access to a computer while hiding its presence.
  • First-ever “PLC rootkit,” which infected PLC programs while remaining undetectable.
  • Antivirus evasion.
  • Two stolen Taiwanese digital signatures to authenticate Windows software.
  • Complex process injection and hooking code to prevent programmers from seeing the infected code.
  • Network infection routines.
  • Privilege escalation.
  • Peer-to-peer updates.
  • Remote command and control.

Identified vulnerabilities

How does this virus spread? Since PCs used for control system programming are not normally connected to the Internet, Stuxnet replicates via removable USB drives—exploiting a vulnerability that enables auto-execution. It then spreads across the local area network via a Microsoft Windows Print Spooler vulnerability, and via a Windows Server Remote Procedure Calls vulnerability.

Stuxnet copies and executes on remote computers through network shares and Siemens WinCC database servers (SCADA software). It also copies itself into Siemens Step 7 PLC program projects and executes when a project is loaded, and updates versions via peer-to-peer communication across a LAN. Stuxnet communicates with two command and control servers originally located in Denmark and Malaysia to enable code download and execution for the updating of versions. Stuxnet may have the ability to change command and control servers, although this has not been observed as yet.

Inside the PLC

Stuxnet fingerprints specific PLC configurations that use the Profibus industrial network for distributed I/O. The particular configurations were gleaned using earlier versions of Stuxnet. If the fingerprint does not match the target configuration, Stuxnet remains benign. If the fingerprint matches, the code on the PLCs is modified with the infected programming software and the changes are hidden.

The modified code prevents the original code from running as intended, causing the plant equipment to operate incorrectly and potentially sabotaging the system under control. This is achieved by interrupting the processing of code blocks, injecting traffic onto the Profibus network, and modifying the output bits of the PLC I/O. How this affects an individual plant depends on how the control system is connected to the PLC and its distributed I/O via Profibus.

The future threat Stuxnet poses is as a blueprint for attacks on real-world infrastructure, providing generic methods to reprogram industrial control systems. However, the level of sophistication and complexity of Stuxnet, which requires significant resources, makes it unlikely that similar threats will develop overnight.

To address the vulnerabilities revealed by Stuxnet, the series of process control and SCADA security good practice guidelines from CPNI and NIST include a series of sector "road maps" for securing the water, electricity, and chemical sectors. There is an emphasis on cost-effective security for legacy systems and new architecture designs and secure communications.

Standards in this area are blossoming as well, including work being done by the International Society of Automation (ISA), which published ISA99 Parts 1 and 2 that deal with industrial automation and control systems security. Part 1 serves as the foundation for all subsequent standards in the ISA99 series. Meanwhile IEC is also working on ICS standards and is considering work already done in ISA.

In the first public speech given by Britain’s secret intelligence agency GCHQ, Chief Ian Lobban highlighted the "real and credible" threat facing the UK’s Critical Infrastructure from terrorists, organized criminals, and hostile foreign governments. He demanded a swifter response to match the speed with which "cyber events" occurred, and stated that the UK's future economic prosperity rested on ensuring a defense against such assaults. The challenge is to implement appropriate measures while continuing the process of assessment, adjustment, and review in light of emerging vulnerabilities, threats, and consequences.

Dr. Richard Piggin [rpiggin(at)] is a UK-based network and security consultant. He works with the IEC Network and System Security and Cyber Security working groups, and is involved in developing IEC 62443 Security for Process Measurement and Control – Network and System Security.

What is a threat?

According to the National Institute of Standards and Technology (NIST) Guide to Industrial Control Systems (ICS) Security, potential cybersecurity incidents may include the following:

  • Blocked or delayed flow of information through control system networks, which could disrupt control system operation.
  • Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
  • Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.
  • Control system software or configuration settings modified, or software infected with malware, which could have various negative effects.
  • Interference with the operation of safety systems, which could endanger human life.

Best practices for industrial control network protection

In the UK, the Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides protective security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of process control and SCADA security good practice guidelines.

The foundation of the best practice is three guiding principles:

  • Protect, Detect, and Respond - It is important to be able to detect possible attacks and respond in an appropriate manner to minimize the impacts.
  • Defense in Depth - No single security measure itself is foolproof as vulnerabilities and weaknesses could be identified at any point in time. To reduce these risks, implementing multiple protection measures in series avoids single points of failure.
  • Technical, Procedural, and Managerial protection measures - Technology is insufficient on its own to provide robust protection.

Recommendations from the National Institute of Standards and Technology (NIST) include:

  • Restricting physical access to the ICS network and devices.
  • Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing; disabling all unused ports and services; restricting ICS user privileges to only those that are required; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where feasible to prevent, deter, detect, and mitigate malware.
  • Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
  • Restoring the system after an incident. Incidents are inevitable and an incident response plan is essential.
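An added example (not from the article or NIST) of the file integrity checking recommended above, applied to the engineering workstation project files that Stuxnet modified: it baselines a directory by SHA-256, stores the baseline, and later reports added, removed and modified files. The folder and file names in the demonstration are constructed.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path):
    """SHA-256 digest of one file (project files are small enough to read whole)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline

def verify(root, baseline):
    """Compare the directory with a stored baseline and report what changed."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
    }

def _write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a fake project folder, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        proj = os.path.join(root, "Plant1")
        os.makedirs(os.path.join(proj, "blocks"))
        _write(proj, "Plant1.s7p", b"constructed project header")
        _write(proj, "blocks/OB35.awl", b"constructed block source")
        _write(proj, "blocks/FC1.awl", b"constructed function source")
        # Baseline taken while the project is known-good; keep it off the host.
        store = os.path.join(root, "baseline.json")
        with open(store, "w") as f: json.dump(build_baseline(proj), f)
        # Simulated tampering: a block rewritten, a file dropped, a file removed.
        _write(proj, "blocks/OB35.awl", b"constructed block source + injected")
        _write(proj, "blocks/FC9.awl", b"constructed dropped file")
        os.remove(os.path.join(proj, "blocks/FC1.awl"))
        with open(store) as f: return verify(proj, json.load(f))
```

Run periodically from a trusted host against the project directories; any non-empty result is a trigger for the incident response plan described above.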

For further reading:

Stuxnet as a Precision Weapon

Cybersecurity standard aims at critical infrastructure in process industries

Securing Legacy Control Systems
