Posts Tagged ‘Stuxnet’

The Middle East Joins the SCADA / ICS Standards Foray

April 15, 2012 1 comment

The oil rich countries in the Middle East depend on Industrial Control Systems (ICS) to run the Energy sector which is responsible in average for generating around 70-90 % of the national GDP. and ultimately providing around 40% of the world’s total energy consumption.

Since STUXNET news surfaced 18 month ago, the region has witnessed not less than 20 different information and cyber security conferences that addressed the topic and highlighted the ICS security issue as a monumental risk to the GCC region in particular.

The Kaspersky chart below show STUXNET infection rates in the GCC countries,(UAE,Saudi,Kuwait,Bahrain,Qatar and Oman).

STUXNET in Middle East

and recently the state of Qatar through the national CERT issued the region’s first national level ICS security Guidelines in Arabic as well as an English translated version. currently the document “planned to be updated annually” is not mandatory but the document’s roadmap is likely to see a change in the next few years.

You can download a copy of the English translation here (Download)

Press Coverage – Here

Siemens SDLess – What CERTs talked about

August 15, 2011 Leave a comment

Recently I attended the FIRST (Forum of Incident Response Security Teams) conference in Vienna which is the annual gathering for CERTs (Computer Emergency Response Teams) from around the world and everyone noticed that for the first time in the history of the 23 year old annual conference that the main buzzword was not some new IT security breakthrough, the most talked about vendor in the lobby and in the hallways was not Microsoft with all it’s glory, the hottest sessions were not F-SECURE’s Mikko H. Hypponen or Kaspersky’s Founder Eugene Kaspersky and the most talked about threat was not buffer overflow.

The answer for all of the above was one word…”SIEMENS”.

It was clear that things have changed and that there is a shift in the priorities of the attendees.and this is very alarming to see that in the FIRST conference specially.

The significance of the FIRST conference is that its in my opinion…the ultimate good guys gathering.

CERT teams are the real firefighters on the ground and usually those guys deal with all the dirt on a 24x7x365 basis and many of them do it country/regional level…also by design CERT staff are some of the most connected people in the information security business and most importantly they thrive on hard earned IT community trust. so if you hear them saying this is a game changer and most of us are not ready…this is your cyber strategy needs to be revised heads-up right here.

Also for the first time SIEMENS represented by SIEMENS-CERT was going to talk about Stuxnet from their perspective. although it was one of 3 parallel sessions i guess everyone in the conference was in this room to hear what SIEMENS have to say in its own defense regarding Stuxnet.

They kickstarted the session by asking everyone not to copy anything from the slides and to stop using social media completely, the slides were all marked as CONFIDENTIAL…turned out that there is nothing they can add to what everybody knew.

SIEMENS said that they completely understand why they are being scrutinized and that they did a mistake handling the Stuxnet issue…yes they said “We did a mistake” and I have to credit them for that. the mistake in their presentation was Siemens CERT not sharing any of the information at hand “early on” with other CERTs or at least proactively explaining the issue to the Media properly, this is true but its not the root cause of the problem.

Stuxnet over the week end
SIEMENS CERT first heard about Stuxnet over the weekend and at first glance they thought it can wait till monday, they started to slowly unwrap the malware only to be beaten to it by Ralf Langner initial findings posted on his blog which started a media frenzy…in their own words it was a top decision not to enter the fray until they finish the entire analysis (took them 6 month)…but who can wait with such a gem at hand. and the rest is history.

SIEMENS View on how to improve security in the future
They said that as a vendor SIEMENS value security and couldn’t be less annoyed standing here having to clear/justify this mess, and that they promise to be more open and to issue alerts, customer specific notifications and patches much sooner if anything of such nature surfaced again.

What they didn’t say and should be saying
SIEMENS never came close to acknowledge that their entire design process which has always been flawed but survived due security by obscurity came to a sad end..and to make things worse…everybody (researchers, opportunists and criminals) is now trying to play with it maybe he/she stumbles upon something that can cause more embarrassment. they need to come clean and know that the only proper way to fix this kind of fundamentally poor design issues (Hard coded passwords, leaving unnecessary ports and services open…etc)…is a totally new SDL “Security Development Lifecycle” that would eventually allow them to spot things much early on and to avoid silly mistakes as in hard coding passwords in the year 2011.

Stuxnet Code: can be downloaded from Here (Important: After downloading – Change the extension name to .RAR)
Watch Ralf Langner talk in NATOs conference on cyber conflict
ICS-CERT alert on the hard coded credentials in SIEMENS products

Stuxnet: Introduction, Installation and Infection Video

February 23, 2011 Leave a comment


This demonstration video takes a detailed look at the Stuxnet worm on a Siemens PCS7 FieldPG host. The demo provides a brief overview of the worm, and then takes a look at how it exploits Windows vulnerabilities to install itself on the target host, infect various Windows and Siemens components, and then replicate itself for installation on other hosts.

Additional information available at This demonstration video takes a detailed look at the Stuxnet worm on a Siemens PCS7 FieldPG host. The demo provides a brief overview of the worm, and then takes a look at how it exploits Windows vulnerabilities to install itself on the target host, infect various Windows and Siemens components, and then replicate itself for installation on other hosts.

Stuxnet: and The Truth Shall Set You Free

November 13, 2010 Leave a comment

A recent post on Symantec’s security Blog revealed a very crucial piece of information about Stuxnet, The information should definitely stop who ever is denying the fact that Stuxnet is a state sponsored “sabotage-ware” targeting a very special someone.

Symantec with the help of a Dutch Profibus expert can now prove that Stuxnet is looking for two specific Frequency converter drives one made by (Fararo Paya) of Iran and the other is (Vacon) of Finland.



Quote from Symantec’s blog: “Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.”

“However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.”

and then they add: “Stuxnet monitors the current operating frequency of these motors, which must be between 807 Hz and 1210 Hz, before Stuxnet modifies their behavior. Relative to the typical uses of frequency converter drives, these frequencies are considered very high-speed and now limit the potential speculated targets of Stuxnet. We are not experts in industrial control systems and do not know all the possible applications at these speeds, but for example, a conveyor belt in a retail packaging facility is unlikely to be the target. Also, efficient low-harmonic frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment. We would be interested in hearing what other applications use frequency converter drives at these frequencies.”

So FACTs so far are the following:

– We are now able to describe the purpose of all of Stuxnet’s code.

– Stuxnet requires particular frequency converter drives from specific vendors, some of which may not be procurable in certain countries. ( In other words countries under international sanctions ).

– Stuxnet requires the frequency converter drives to be operating at very high speeds, between 807 Hz and 1210 Hz. (According to the US nuclear Commission – more than 600 Hz can be used in Uranium enrichment)

-While frequency converter drives are used in many industrial control applications, these speeds are used only in a limited number of applications. (Nuclear Applications is one of them).

-Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process. (Sabotage is the purpose)

– Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities. (The Special Someone Speaks Iranian)

The original Symantec Blog post HERE

Siemens Official Communication Slides on Stuxnet – Pulled Offline

November 7, 2010 1 comment

CERT Finland took offline the original set of slides , But here is a copy

The_Stuxnet_Malware – Siemens Slides

© Siemens AG 2010. All Rights Reserved.

Siemens Official Slides on Stuxnet

November 4, 2010 1 comment

A couple of days ago Siemens Internal CERT released some slides about Stuxnet as a form of “Official Communication” within their constituents.

Siemens Stuxnet Slides

Siemens Stuxnet Slides

In the official slides (Here) , Siemens confirmed that its a targeted attack by using terms like “targeting a very specific configuration, certain PLC blocks and specific processes or (project)“. These bold statements simply means that Stuxnet makers had (one target) in mind, and this should eliminate any theory out there denying that its a state sponsored malware.

The slides confirmed that the malware is capable of transferring data outside of the infected system back to the command and control servers, yet nothing has been proven specially that the two C&C servers ( • www[.]mypremierfutbol[.]com • www[.]todaysfutbol[.]com ) were brought down by Symantec.

Then the slides claim that all known infections are now clean and zero plant damages reported. yet they didn’t specify their definition of “damage”, is it seeing the plant up in flames or few bytes of data going out ?

The slides go on listing the great deeds of siemens since the discovery of the malware : “white papers, cleaning tools, contacting customers, working with top AV vendors, even magazine interviews”. isn’t this what they are paid to do ?

What really got on my nerves was their genius conclusion that future infections are “Unlikely” , and that is because the malware pattern is now detected by up to date Anti Virus programs. Eureka !!

Yes, future “Stuxnet” infections might be unlikely, but this is certainly not the end of this type of attacks as long as top vendors like Siemens still use “Hard coded & publicly available” passwords on critical systems in the year 2010 and dont even admit that this is the REAL problem.

Another statement that also reflects severe undermining of the terms “due diligence, and responsibility ” is a question they highlighted in yellow : “Has the customer done all he can ? “.

Imagine a car manufacturing company that sold you a very expensive car, supposedly equipped with a seatbelt, then you run into an invisible wall that someone deliberately put in front of you and built it in a very special way, using specific materials that takes advantage of known and published weaknesses in your seatbelt buckle lock design. Imagine yourself sitting in the hospital wondering how on earth you gonna fix this messed-up face of yours, then the car makers dudes comes up and tell you that its partially your fault for not trying to do all you can, perhaps you could have tried holding the buckle with your teeth !

Interesting Post about Stuxnet

November 1, 2010 1 comment

An Interesting post, found on a Stuxnet discussion thread – Tweeted by mikkohypponen

Stuxnet Post

Stuxnet Post