Krypt3ia

Yes, this diagram does come from a .gov site for an actual system... *sadpanda*

THE STUXPOCALYPSE:

“When he opened the seventh seal, there was silence in heaven as the malware began changing PLC code”

From the book of Langer & Wright:  Revelation Chapter 1 Verse 1

The news cycle still is full of hand wringing over SCADA and Stuxnet while more government officials worry about “Stuxnet” being modified to attack other PLC systems that are vulnerable and riddled with 0day. I have written in the past that I had thought that all of this chicken little reporting and fear mongering was a little over the top and have been taken to task by the likes of certain people who shall remain un-named (though, you don’t have to look much further than the book of Stuxnet revelation above to know who I am talking about)

So, I decided to take some time and do a little research online to see just how bad things really are… With Google and Shodan.

What I Found:

Ok, well, once I began to dig into Shodan and Google I decided that I needed to define the scope a bit. So, I did searches for the popular systems like Siemens. What I discovered was that there were systems indeed online and with web gateways available. Some of these were systems for water treatment, some were for telco, and some were in fact for electrical networks. The numbers showed though, that at least through Shodan, there were not a preponderance of American systems just laying about. Europe though and other countries had a bit higher number of systems.

Once I got past the popular names though, I began to look for other vectors of attack. I thought perhaps I should look for the product names of the gateway products and sure enough, I located a bunch of them out there. The most popular one though (by numbers online) turned out to be a south American product/system and there were plenty of those out there. In fact, once I saw where they were located I had a fleeting thought about power outages in South America and how everyone was debating that they were hacked..

Mmm Could be…  However, without real proof of that, I am unwilling to go on the record and be like the other pontificator’s out there.

Here’s a list of the product names sampled within the Shodan results.

Now, having done all this poking about the question then becomes just what systems are they using for PLC control and just how many companies are there out there? This becomes important as all of the talk is about “Stuxnet” and the apocalypse of the code being re-engineered to attack other facilities than Natanz and the Siemens System 7. I then went to the “Googles” and asked the following question of the great and wise oracle.

“How many PLC controller makers are there in the world?”

Out of the results I got here was the most relevant answer:

PLC controller manufacturers-getting one available through the internet
While finding PLC controller manufacturers to get a PLC, it is important to learn on how to control programmable logic controllers. A PLC programmer is known as person who has the ability to create a system by using PLC programming. Learning about PLC programming is the key for those who want to take part in the automation industry. When it comes to PLC controller manufacturers, some options are available such as Panasonic, Hitachi, Foxboro, Keyence and many more.

Well then, “many” is not a good enough answer for me and I am sure someone (who shall remain un-named) shall beg the question of had I been thorough enough. So, I went back to the great and wise “Google” and put it another way;

“Commonly used PLC systems”

What I got back was a site  that was a kind of a ranking site for people to nominate the makers and systems. Culling the data from this page I get the following names:

• Allen-Bradley
• Siemens
• Mitsubishi
• AB
• OMRON
• Modicon
• GE 9030 and SLC100
• Rockwell
• Telemecanique
• Schneider Electric

And the list goes on a bit more… But you get the point. Not only are there many of them, but, this was also in 2000 when this list was started. So, there is likely to be a great change in the vendors that have popped up on the small scale. However, you can see that the biggies, or should I say “biggie” of Siemens is still pretty popular.

Alrighty then, So, there are many out there but there may be a monoculture of sorts going on due to the nature of choice per countries. As the site listed it, the US uses a lot of Siemens and Rockwell. In fact, the list suggested that Rockwell was over Siemens in the stats for the US. This could be the case, but either way, there is a case to be made that there may indeed be a monoculture issue here. Given that Siemens was pretty 0day riddled per the DEFCON presentation this year, we may indeed have a larger problem that one might think.

This depends though on the target of your attacks and the redundancy of the systems being attacked as well. However, it really does depend on the facts and figures of just how much of a monoculture in PLC/PID/SCADA systems and networks there are out there of varying types and configurations. It’s a complex ecosystem, and thus, to pull off a “Stux” attack en mass is going to be rather difficult. This is why the Stuxnet attack on Iran was so directed. They knew the specific models and systems within the Natanz facility and they programmed accordingly to damage them. In the case of a “Stuxpocalypse” the coders would have to program in every conceivable system type (and yes the PLC flaws do carry over so it may be a one size fits all in that case) but what about all the others? Are all these systems based on all the same code?

Regardless of the zero sum game theories on SCADA system security flaws being universal, then, one would have to create malware that would be in effect, polymorphic (Hell, should just say zenomorphic huh? Go all Alien) This would, as I have said in the past, make the payload pretty much bloatware in my book. So where is the efficacy or for that matter, the probability that the Stux is going to be modified to this level of pandemic generating scale? Never mind the task of getting it onto all of the systems needed to have the “apocalypse” that every chicken little seems to be worried about. I know, I have said this before, but I thought I would just re-iterate it all again. I just don’t see this being a large scale attack vector even from a nation state level. Pockets of attack yes, but not anything that is going to put us down for the count.

And that is what I am trying to say here. There is way too much FUD with all of the yammering I have seen and not enough rational thought. It’s, to quote “Team America”

Spottswoode: From what I.N.T.E.L.L.I.G.N.C.E has gathered, it would be 9/11 times 100.
Gary Johnston: 9/11 times a hundred? Jesus, that’s…
Spottswoode: Yes, 91,100.
Chris: Basically, all the worst parts of the bible.

Targets & Vectors:

Gas Pipelines

Yep, this would be bad for areas of the country. If gas pipelines exploded it would cause fires and destruction, likely loss of life etc etc. So, if someone were to make a concerted effort to locate all of the gas pipeline/producers networks and find out what PCS’s they are using they could do it. This would be nation state really and it is possible. However, this type of kinetic attack would have to be in tandem with other manoeuvres to attack the infrastructure. It’s a fire sale scenario really.. The fallout though of hitting one facility and  causing damage/fear/deaths would the psyops side of it.. That is unless the aggressor is looking once again, to a larger attack on the country concurrently.

Nailing all of the pipelines though or a great number of them simultaneously… I really don’t see as all to feasible.

This is not the Stuxpocalypse you are looking for…

Electrical Facilities and Grids

Ok, so here we have an interesting conundrum. With the advent of the “smart” grid, this might in fact make it easier to have a larger percentage of failure within the system itself. Everything being tied together this way and monitored will only serve to make the system more susceptible to a single point of failure I think. Of course there are many people working on this issue and trying to make the smart grid more secure. We will see how that plays out down the road though. At present though, one would have to look at taking down the grid with malware.

Could it happen? Maybe, large sections could go out. Or, if you hit the central nervous system of the network you could potentially have large areas of the country down for a while. Now, can you use Stuxnet and PLC malware to make the grid eat itself en toto is the real question isn’t it? All at once? A cascade failure of epic proportions?

Not likely. Though the systems are connected, once again, the effort would have to be nation state, it would have to consider that the energy companies are using monocolture technologies, and code accordingly. So, I don’t see this as happening on the level of the FUD reporting out there would make it out.

Nuclear Facilities

To start off, I would like to cite an article on SCADA and Nuclear facilities to enlighten you all…

In retrospect, Lunsford says–and the Nuclear Regulatory Commission agrees–that government-mandated safeguards would have prevented him from triggering a nuclear meltdown. But he’s fairly certain that by accessing controls through the company’s network, he could have sabotaged the power supply to a large portion of the state. “It would have been as simple as closing a valve,” he says.

From America’s Hackable Backbone on Forbes back in 2007

I have said this before and now I will say it again. There will be no Chernobyl events here, and for those of you who know reactors, will know the reasons it will not be a Chernobyl event (design wise) However, the fact is that people worry about this because they think a meltdown is as easy as the China Syndrome.  So, will Stuxnet or some other PLC hacking cause this to happen? Apparently no according to this IBM guy and the NRC.

*breathe people*

Could the system scram and be down for a while? Sure. That could happen and it would cause people to be without power for a while as they find out what happened. Having just gone through a tropical storm and power loss here, I can see how it would be irritating but it would not be the preamble to war… Or the apocalypse.

Supply Chain Attacks

Supply chain attacks are quite possible but, they are likely only to happen in pockets as the companies are all varied. So, you might not get your new car on time, or whatever else you wanted to buy or sell that you manufacture. This could be bad from a bottom line perspective monetarily, but, once again, this would not be an apocalypse. It is also key to note that with each company would be different PLC systems so that stux code would have to be very specific or hugely varied and bloated to work on a large scale.

Chemical Facilities

Here we have something that I for one kind of do worry about. It would not take a mass attack on all chemical facilities to cause mass panic and perhaps deaths. At the very least, a chemical production facility being affected by a PLC/Stuxnet like attack would cause evacuations in the area that the plant sits. If someone were to mod the Stux or create something new to attack the controllers at specific facilities, they could cause an explosion or release of toxins.

Ok, I can go with this one a bit… Still though, not an apocalypse. For that matter, one could just get some C-4 and get a job at the facility long enough to plant a bomb… and that is more AQ’s style than trying to create a super weapon out of Stuxnet for this purpose.

Water Treatment Facilities 

Personally, the poop factory is only on here because there are so many of these facilities with an online SCADA presence according to Shodan. If someone were going to attack the infrastructure this way, they could flood the systems with waste and certain areas would have to live on bottled water a while. Surely not the Stuxpocalypse you are looking for here. Frankly, if a terrorist wanted to go after us this way, they would instead do what they have already tried to do in the past, poison the water with a toxin that they pour into it.

Not so worried here…

Telecommunications

Shodan showed many telco’s with SCADA online to access. Now, if I were looking to take over a country I’d use the old aphorism of going after the radio and TV first.. Sure, this could be done in pockets but once again, there is no silver bullet here, no digital Ebola, that is going to take out the networks of all of these carriers. So, this would be a nuisance, people would have issues, some may die due to 999 or 911 not working, but, yet again, not the Stuxpocalypse.

SCADA On The Internets and There ARE NO AIR GAPS!

*facepalm*

Once again, yes Virginia, SCADA systems are networked. Yes they are even connected to the Internet insecurely in some cases. Just like any other technology, the connections are made for the ease of use of the company/user. In fact, as I have said before and as you can see from the diagram at the top of this article, they in fact also use Microwave, WIFI, and other RF means to get far flung data from point A to B.

Yes.. It’s true.

However, so far in my looking around, the systems that I primarily see as having these types of connections (RF) are water, gas, and electric systems. So yeah, you could mess with them by RF and cause issues. However, I have also seen systems that were located in well areas with only puny locks to protect the doors to the facility and no one.. not a soul around for miles to stop you from picking them.

I’d say that is insecure… BUT, I have yet to see one of these sites that if I popped it and brought it down, would cause a cascade failure and the apocalypse… And therein lies the key to the rationality. All systems have pain points but the infrastructure is so large and it has been built with some redundancy to prevent a system wide failure from one node going down.

Meanwhile, back to the air gap thing. I actually saw ONE. One facility had a separate network and it was not V-LAN’d off to “logically separate it” I cannot name the facility,  but lets just say it was involved with power generation. So, yes, they are in some cases air gapped (and you know who I am looking at when I say this.. Captain Generality) Other places, not so much. They have logical air gaps only and yes, those can be breached with the right hacking attacks. I must say that in other places people just didn’t even put any thought into it at all and its all just hanging out for anyone to access like a college girl in a tube top.

It all matters on who has done the planning and who’s watching the hen house. One hopes that post Stuxnet the government and the companies are working on cleaning up their flaws so as to prevent an attack.

Time will tell though… All these companies and infrastructures are snowflakes….

EMP’s Man Made & Solar… Now There’s Your Apocalypse:

So, you want a real apocalypse? Well then, just think on this. If there is a mass coronal ejection big enough, great swaths of the world could be hit  by a nature made EMP. As the sun cycle seems to be ramping up a bit, we may just someday see this happen. If that happens, then you will see some real apocalypse events. I have written about this in the past and frankly think this is a greater threat than the supposed Stuxpocalypse everyone is all chicken little over. There are also small scale EMP weapons the Military have been working with along with the usual talk of a nuclear high altitude det to kick everything off and send us back to the stone age.

Each of these scenarios could happen but, probability wise, they are all pretty low I think.. Including the Stuxnet scenario.

One Last Parting Thought:

So once again, I have stepped into the breach between FUD and SANITY. I am hoping that sanity wins out, but, I know that in a world where Gregory Evans is alleged to be speaking to Congress about cyber security, I have little hope of being listened to by the masses. I will just go back to sharpening my blades, cleaning my guns, and preparing my bugout bags…

Oh, not for the apocalypse you think will be happening.. No.. For the apocalypse of stupid that will be happening thanks to the likes of CNN and the book of Langer and Wright.

K.