Cyber threats:  the new norm for today’s control engineers

In early 2015 newspapers and media channels published of gleaming pictures of 5+1 leaders posing in celebratory style at striking a deal with Iran that will essentially prevent Iran from developing a nuclear weapon. US president, Barack Obama has said that he will veto any move that prevents this deal from taking place.

So, while the world has become a safer place with this deal, nothing stops Iran from making weapons of mass destruction, of an altogether different type – Cyber weapons.  Iran is said to have the 2^nd largest army in the world set at the task and is currently at cyber-war with United States.  To understand why Iran is bent upon developing these new WMDs, we have to step back – all the way back to 2010.

In November 2010, almost 100 centrifuges shut down at the Natanz fuel enrichment plant in Iran.  Iran gives no explanation for the unplanned suspension of work.  In later years, we found out that the shutdown caused a delay of 2 years in the Iranian Nuclear program – perhaps long enough for making Iran agree on the recent deal.

We now know that the damage to the centrifuges at Natanz was inflicted by a computer virus – Stuxnet.  Stuxnet is the first reported virus to have affected a control system.  While no one has officially claimed the trophy, it is almost known to the point of certainty that the virus was developed by United States – a take 2 of the Manhattan Project.  Manhattan, because it must have taken an enormous amount of effort, ingenuity, hard work and some Germans as well to come up with a working virus!

Stuxnet virus is made up of two components:

1. Dropper

2. Payload

The dropper runs on windows computer systems. This is the component that replicates the virus from one PC to the next, like a worm.  The payload (actual destructive routines) does not run on Windows. This virus is unique in the sense that the payload runs on innocent PLCs.

This presented problems for anti-virus companies as they were not able to understand what malfunction was caused by the virus– They were unable to detect anything wrong with the computers infected by the virus – No data was manipulated; no data was lost.

It was further revealed that the payload is dropped on one and only one specific target in the world: centrifuges installed at Iranian nuclear fuel plants! At that time, the virus was a completely new concept – something no one has ever seen.

It must be hard for you to believe, but interestingly, the standard laptops we all use at our offices have better securities than the PLCs used in the most critical plants in the world.  Implanting a virus in the PLCs mean that a country’s key economic growth areas can be damaged by adversaries – without dropping a single bomb. In hindsight, it makes us wonder why did we not think of this earlier and build strong defenses against it? But as the adage goes – better late than never.

As a controls engineer, I was curious to find out how Stuxnet damaged the centrifuges. So I did some research and found intriguing details of the inner workings of Stuxnet. Here they are:

• Infiltration of the virus was done through engineering software (Step 7) connected to the controller.
• Major attack vector has the purpose of injecting rogue code on to the PLC.
• Attack has been administered by compromising or hijacking the driver DLL that both the SCADA (PCS7) product and the engineering software configuration tool (Simatic S7) used and shared. They both talk to the controller using this DLL.
• Attackers hijacked this DLL first by renaming the legitimate DLL to a new name and then putting the rouge DLL with the original name. So the maintenance engineer when he downloads a new program, the DLL injects the malicious code alongside the original code.  The malicious code runs in parallel to the original code.
• The malicious code is activated at specific points in time – not always. That’s why it is highly stealthy.
• It’s not an attack to manipulate data… or erase data… or ex-filtrate data.  The goal of the attack has nothing to do with the data or information.
• The goal is at the control level. In a control system, you are not as much concerned about the security of the data – you are more concerned with the erratic control of the physical world interfaced with the controller.
• Structured in two different attack modules that go on to two different controller types.
• Interestingly the two control types defined in the Virus were the same ones used in Iranian centrifuge systems.
• Seasoned control system engineers – not IT hackers – developed the virus!
• Interception: This is the real James Bond stuff!
• During normal operation, the virus records the actual (and normal) behavior of the system.
• Once the attack is launched, the virus blocks the updates of the Input process image.
• Instead it feeds false input values to the program.
• These false values make the program believe that all is well.
• Therefore, the program produces outputs and responses that correspond to “all is well” process state.
• However, these responses are again intercepted and not passed on to the field. Instead, the virus-defined values are passed on to the field.
• The “make believe” state is meant not just for the operators but also meant to fool any security counter-measures from initiating that are built as a standard feature of any program.

The centrifuges used for enrichment of Uranium rotate at extremely fast speeds. The Uranium isotopes have very small difference in mass.  In order to separate the two isotopes, such high speeds are required.  The rotors for such centrifuges therefore have very special designs and bearings and rotate at around 1500 rps. This corresponds to a linear speed greater than Mach 2!  At such high speeds, the rotors and bearings have to be specially designed.

The control system makes sure that the rotor is not damaged during startup, operation and shutdown. This is exactly what the Stuxnet virus prevented from happening.

The virus monitored communication over field bus to the VFDs.

It sent false set-points to the drives – making them run at very high and very low speeds in rapid successions, thus damaging the rotors or in extreme cases, causing an explosion due to the Uranium Hexafluoride filled in the rotors.

The virus was designed not just with a hit and run philosophy.  It was not meant to destroy all the centrifuges in one go as it will make the attack very obvious. Rather it was designed to run for years and damage only a few centrifuges at a time.

Stuxnet beautifully did the job it was meant for.  Mission accomplished. It leaves us pondering about what the future holds for us – so let’s have a small discussion on that.

Cyber warfare is the next genre of warcraft.  It poses new challenges and therefore new strategies need to be developed against it.

First reality bite is that proliferation of cyber warfare cannot be controlled contrary to the case of nuclear weapons.  The virus can be written by rogue elements at non-military manufacturing locations.  There is no easy way to identify where the ‘production’ is taking place.  Once developed, the virus can be bought easily and cheaply.  The rogue developers can prepare specific viruses for anything, for example: disrupting the oil production of a country, halting automotive factory production, introducing malfunction in pharmaceutical plants thus releasing dangerous pathogens. All this can be put up on a website for sale and bought over the internet.

A huge gray market can develop where bits of software are purchased by interested states to cause harm to their adversaries.  Anyone can download the Stuxnet virus today from freeware resources, in fact.

The development cost is extremely low in military terms and the results are same as that of conventional warfare – but with minimum collateral damage. States don’t have to risk the lives of their soldiers anymore either.  What took mobilization of huge armored columns, can now be achieved at the click of a button.

It is also not easy to pin-point the attacker.  So immediate counter strike will not always be possible.

There can be no deterrence against cyber-attack – just like there is no deterrence against non-state terrorist organizations.  You might have the best weaponry in the world – but you will not know where to hit!

So what can be a defense strategy against such cyber warfare? Well, the defense industry is still in its infancy right now.  As such we are sitting ducks – there is zero defense against such attacks right now. PLCs have no antivirus software – because they cannot have antivirus software.

Since security at the PLC / controller level is non-existent right now, there are a lot of basic things that can be done to bring it above zero.  These measures may not be foolproof – but certainly better than nothing at all.

One thing which has been recommended is to use digitally signed codes for downloading the programs in PLCs.  One can argue that the digital signatures can be counterfeited as well – but as I said, something is better than nothing.

What other means can be adopted? Well, the great minds in the world are still thinking about it.  But at the same time, great minds in the world must also be thinking about how to release Stuxnet 2.0!

So, gone are the days when computer viruses would only play havoc with your data. No point losing sleep over it, for now there are much bigger threats keeping you awake. Welcome to the 21^st century world of cyber warfare: where cyber security skills has become a pre-requisite for engineers and PLC programmers.