elsewhere; and
• restoring systems after an incident – such incidents are inevitable and response plans are essential.
There has been a mistaken belief in “security through obscurity” – the reliance on specialised systems, protocols and proprietary interfaces to keep attackers out. However, information on industrial protocols is now widely available and some systems have already been specifically targeted. Examples include the Modbus protocol, whose specification is public and which carries no authentication, and, most recently, Siemens’ WinCC Scada software and Step 7 PLC programming environment, which have been targeted by the Stuxnet worm (see the Stuxnet box at the end of this article).
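To make the “obscurity” point concrete, here is an added example (Python written for this edit; it is not code from the article or from any vendor) that builds a Modbus/TCP Write Single Register request exactly as any client on the network could, parses it back, and applies the kind of source-address allow-list check a monitor at the control-network boundary might use to flag unauthorised writes. The frames, the host addresses and the allow-list are constructed for the example.

```python
"""Modbus/TCP write request: build, parse, and allow-list check.

Modbus carries no authentication or integrity protection: any host that can
reach TCP port 502 on a PLC can write its registers, and the frame format is
public. Added example; frames, addresses and allow-list are constructed.
"""
import struct

FUNC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCS = {5, 6, 15, 16}

# Constructed allow-list: the only hosts permitted to write to the PLC.
ENGINEERING_STATIONS = {"10.0.1.10"}


def _mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    # MBAP header: transaction id, protocol id (always 0),
    # length of (unit id + PDU), unit id; then the PDU itself.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_read_holding_registers(tid, unit, address, count):
    return _mbap(tid, unit, struct.pack(">BHH", 3, address, count))


def build_write_single_register(tid, unit, address, value):
    # FC 06: this is all it takes to change a setpoint; no credential is involved.
    return _mbap(tid, unit, struct.pack(">BHH", 6, address, value))


def build_write_multiple_registers(tid, unit, address, values):
    pdu = struct.pack(">BHHB", 16, address, len(values), 2 * len(values))
    pdu += b"".join(struct.pack(">H", v) for v in values)
    return _mbap(tid, unit, pdu)


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request frame into a dict of fields."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"not Modbus (protocol id {pid})")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated frame")
    func = pdu[0]
    info = {"tid": tid, "unit": unit, "function": func,
            "name": FUNC_NAMES.get(func, "unknown"), "is_write": func in WRITE_FUNCS}
    if func in (1, 2, 3, 4):
        info["address"], info["count"] = struct.unpack(">HH", pdu[1:5])
    elif func in (5, 6):
        info["address"], info["value"] = struct.unpack(">HH", pdu[1:5])
    elif func == 16:
        address, count, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * count or len(pdu) != 6 + nbytes:
            raise ValueError("byte count does not match register count")
        info["address"], info["count"] = address, count
        info["values"] = list(struct.unpack(f">{count}H", pdu[6:6 + nbytes]))
    return info


def check_write(src_ip: str, frame: bytes):
    """Return an alert string for a write from a non-engineering host, else None."""
    info = parse_modbus_tcp(frame)
    if info["is_write"] and src_ip not in ENGINEERING_STATIONS:
        return (f"ALERT: {info['name']} (FC {info['function']}) to unit {info['unit']} "
                f"address {info['address']} from unauthorised host {src_ip}")
    return None


if __name__ == "__main__":
    # Constructed traffic: a legitimate write, a read from anywhere, and a rogue write.
    setpoint = build_write_single_register(1, 1, 0x0010, 1500)
    print(check_write("10.0.1.10", setpoint))                                 # None
    print(check_write("10.0.5.77", build_read_holding_registers(2, 1, 0, 10)))  # None
    print(check_write("10.0.5.77", setpoint))                                 # ALERT ...
    print(parse_modbus_tcp(build_write_multiple_registers(3, 1, 0x0020, [1, 2, 3])))
```

Nothing in the write frame identifies or authenticates the sender: the only thing that distinguishes the legitimate write from the rogue one is the source address the monitor observes, which is trivially spoofable on a flat network. That is why such detection has to be paired with network segregation and other layers rather than relied on alone.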
Industrial control systems have long operating lives – 10–20 year lifecycles are not uncommon. Older systems were designed with little or no regard for cyber-security, and are now interconnected and used in ways that were never envisaged originally. Add to this increasing system complexity, the proliferation of access points, and the growing use of wireless technologies and the Internet, and it is understandable why governments are promoting cyber-security and producing general and sector-specific guidance.
> Securing industrial controls
In the UK, the CPNI is offering Scada-specific advice in a series of process control and Scada security good practice guidelines. These are founded on three guiding principles:
• Protect, detect and respond. It is important not only to protect systems but also to be able to detect possible attacks and respond in an appropriate manner to minimise their impact.
[Figure: A still from a YouTube video showing a simulated attack on a generator Scada system, staged by the Idaho National Laboratory in the US]
• Defence in depth. No single security measure is foolproof, because new vulnerabilities and weaknesses can be identified at any time. To reduce these risks, implementing multiple, independent protection measures in series avoids single points of failure: an attacker who defeats one layer still has to defeat the next.
• Technical, procedural and managerial protection measures. Technology is insufficient on its own to provide robust protection; it must be backed by procedures and by management commitment.
The CPNI also refers to further forms of guidance – many of them resulting from work sponsored by the US Department of Homeland Security. These include roadmaps to secure the water, electricity and chemical sectors, each following a similar ten-year programme to assess risks, and to develop and implement measures to mitigate them. There is an emphasis on cost-effective security for legacy systems, and on new architecture designs and secure communications.
Cyber-security standards are proliferating. The US-based International Society of Automation (ISA) has published ISA99 Parts 1 and 2, which deal with the security of industrial automation and control systems; Part 1 establishes the terminology, concepts and models that are the foundation for all subsequent standards in the ISA99 series. At the same time, the IEC is also working on ICS standards (the IEC 62443 series) and is taking the ISA work into account.
The challenge is to develop a sustainable approach: a continuing process of assessment, adjustment and review in the light of emerging vulnerabilities, threats and consequences, with appropriate measures implemented as the picture changes.
D&C<br />
* Dr Piggin is a network and security consultant with an engineering doctorate in industrial control systems networking. He is a UK expert to the IEC Network & System Security and Cyber Security Working Groups involved in producing IEC 62443 Security for Process Measurement and Control – Network and System Security.
More information
UK Centre for the Protection of National Infrastructure: www.cpni.gov.uk
Practical Scada Security blog (Byres Security): http://goo.gl/GH0e
NIST Guide to Industrial Control Systems (ICS) Security: http://goo.gl/T50V
Siemens information page on Stuxnet virus: http://goo.gl/vwvY
ISA99, Industrial Automation and Control System Security: http://goo.gl/Qi2l4
YouTube video of simulated attack on generator Scada system: http://goo.gl/UkGP
Stuxnet – the first worm known to target industrial controls
The threat posed by Stuxnet has been portrayed as a once-in-a-decade event which goes beyond anything seen before. The worm is designed to sabotage plants by reprogramming PLCs, and to hide the changes from the programmers and operators who would otherwise notice them.
Research released by Symantec in mid-September 2010 showed that almost 60% of the approximately 100,000 hosts infected by Stuxnet were in Iran, with high infection rates also seen in India and Indonesia. This has led to speculation that Stuxnet’s goal was to disrupt Iran's nuclear activities.
Symantec says that Stuxnet is one of the most complex threats it has ever analysed. Its elements include:
• four “zero-day” exploits (exploits for vulnerabilities that were unknown to the software vendor and for which no fix was available at the time – using four at once is a rarity, since most attackers would consider it wasteful to burn so many in a single piece of malware);
• a Windows rootkit – software that gives privileged access to a computer while hiding its presence;
• the first-ever “PLC rootkit”, which infects PLC programs and hides the changes from anyone reading the program back from the PLC;
• anti-virus evasion measures;
• two stolen code-signing certificates, used to sign its driver files so that Windows loads them as if they came from a legitimate vendor;
• complex process injection and hooking code (to prevent programmers from seeing the infected code);
• network infection routines;
• privilege escalation measures;
• peer-to-peer updates; and
• remote command and control.
Because the PCs used to program control systems are not normally connected to the Internet, Stuxnet replicates via removable USB drives, exploiting a vulnerability in the way Windows handles shortcut (.LNK) files (MS10-046) that causes its code to run as soon as the drive’s contents are displayed, with no user interaction and regardless of AutoRun settings. It then spreads across a LAN via vulnerabilities in the Windows print spooler (MS10-061) and in the Windows Server service’s remote procedure call handling (MS08-067), and copies and executes itself on remote computers via network shares and via Siemens WinCC database servers, using a hard-coded database account.
Stuxnet also copies itself into Siemens Step 7 PLC program projects and executes when an infected project is opened. It updates itself via peer-to-peer communications across a LAN, so that machines with no Internet access can still receive new versions from an infected peer. It communicates with two command and control servers, originally located in Denmark and Malaysia, to enable code to be downloaded and executed, including updated versions, and it can change command and control servers – although this has not been observed yet.
Stuxnet fingerprints specific PLC configurations: it checks the PLC model and looks for a particular type of Profibus communication module and for a particular set of devices on the distributed I/O attached via Profibus. These configurations are believed to have been gleaned using earlier versions of Stuxnet. If the fingerprint does not match the target configuration, Stuxnet remains benign on that PLC. If the fingerprint matches, the code on the Siemens PLC is modified through the infected Step 7 programming software, and the changes are hidden: the hooked Step 7 software shows the original, unmodified blocks when the program is read back, so a check that relies only on the engineering station’s own view of the PLC will not reveal the infection. The modified code prevents the original code from running as intended and causes the plant equipment to operate incorrectly, potentially sabotaging the system under control. This is achieved by interrupting the processing of code blocks, injecting network traffic onto the Profibus network, and modifying output bits of the PLC I/O. How this affects each plant will depend on how the control system is connected to the PLC and to the distributed network I/O via Profibus.
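The hiding step is the reason a read-back check cannot be trusted when it runs on the same workstation that may be infected. As an added example (Python written for this edit; not code from the article, from Siemens or from Symantec), the following compares fingerprints of a PLC’s code blocks against a baseline taken at commissioning, from two vantage points: the engineering station’s own view, which a Stuxnet-style hook keeps identical to the original, and an independent read path. The block names, block contents and HMAC key are all constructed, and the PLC reads are simulated with dictionaries rather than a real S7 connection.

```python
"""Out-of-band integrity check of PLC code blocks against a signed baseline.

A PLC rootkit that hooks the engineering software returns the clean program
when the program is read back, so a comparison run only from that station
passes. This added example fingerprints each block, protects the baseline
with an HMAC whose key is held off the engineering station, and runs the
comparison from two vantage points. All block names, contents and the key
are constructed; nothing here talks to a real PLC.
"""
import hashlib
import hmac
import json


def fingerprint(blocks: dict) -> dict:
    """Map each block name to the SHA-256 of its compiled contents."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def sign_baseline(fp: dict, key: bytes) -> str:
    # Canonical JSON so that the tag does not depend on dict ordering.
    canonical = json.dumps(fp, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(fp: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_baseline(fp, key), tag)


def compare(fp_baseline: dict, fp_current: dict) -> dict:
    """Report blocks whose hash changed, blocks that appeared, and blocks that vanished."""
    return {
        "modified": sorted(n for n in fp_baseline
                           if n in fp_current and fp_current[n] != fp_baseline[n]),
        "added": sorted(n for n in fp_current if n not in fp_baseline),
        "missing": sorted(n for n in fp_baseline if n not in fp_current),
    }


def is_clean(diff: dict) -> bool:
    return not (diff["modified"] or diff["added"] or diff["missing"])


# --- constructed data ---------------------------------------------------
BASELINE_KEY = b"constructed-key-kept-off-the-engineering-station"

# Clean program as commissioned. Block names follow the Step 7 naming style
# (OB = organisation block, FC = function, DB = data block); contents are made up.
GOLDEN = {
    "OB1": b"\x70\x0b\x01\x00call FC1; call FC2;",
    "OB35": b"\x70\x0b\x23\x00read inputs; scale;",
    "FC1": b"\x70\x0c\x01\x00compute setpoint;",
    "FC2": b"\x70\x0c\x02\x00write outputs;",
}

# Stored at commissioning: the fingerprint and its tag, kept with the key off-station.
BASELINE = fingerprint(GOLDEN)
BASELINE_TAG = sign_baseline(BASELINE, BASELINE_KEY)

# What an independent read returns after a Stuxnet-style infection: the cyclic
# block OB1 now calls an injected function first, and new blocks have appeared.
INFECTED = dict(GOLDEN)
INFECTED["OB1"] = b"\x70\x0b\x01\x00call FC900; call FC1; call FC2;"
INFECTED["FC900"] = b"\x70\x0c\x84\x03intercept DP frames; force outputs;"
INFECTED["DB900"] = b"\x70\x0a\x84\x03state + fingerprint;"

# The compromised engineering station, by design of the rootkit, still shows GOLDEN.
STATION_VIEW = dict(GOLDEN)


def audit(plc_read: dict, key: bytes = BASELINE_KEY) -> dict:
    """Verify the stored baseline, then diff one view of the PLC against it."""
    if not verify_baseline(BASELINE, BASELINE_TAG, key):
        raise RuntimeError("baseline tampered with or wrong key")
    return compare(BASELINE, fingerprint(plc_read))


if __name__ == "__main__":
    for vantage, view in (("station", STATION_VIEW), ("independent", INFECTED)):
        diff = audit(view)
        print(f"{vantage:12s} clean={is_clean(diff)} {diff}")
```

Run from the engineering station the audit reports a clean PLC; run over the independent path it reports OB1 modified and two blocks added. The HMAC matters because a baseline file stored unprotected on the same station is just one more thing the malware can rewrite to match.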
Stuxnet is a blueprint for future attacks on real-world infrastructure, providing generic methods to reprogram industrial control systems. However, Stuxnet’s sophistication and complexity make it unlikely that similar threats will develop overnight.
SAFETY / SECURITY
www.drives.co.uk November/December 2010, page 21