October 18 October 24, 2010

Bloomberg Businessweek

Industrial Systems

How Bad Guys Worm

Their Way into Factories
Default passwords cant be

changed on many computers

The Stuxnet worm has master keys

to get inside this kind of system

At a conference in Vancouver last

month, Liam O Murchu, a researcher
with the computer security firm Symantec, made a simple air pump connected
to an industrial computer pop a balloon.
The computers program called for the
pump to stop before the balloon burst.
But O Murchu had loaded the Stuxnet
worm onto the machine, which let him
order the pump to keep going. That, he
says, shows what can happen when bad
guys gain control of industrial systems:
Imagination is the limit.
The spread of the Stuxnet computer
worm has heightened fears about the
security of industrial control computer
systems that run factories and power
plants. The rogue program, which affects machines sold by Siemens, has
been found in computers around the
world, Symantec says. Most are in Iran,
leading analysts to believe that that its
nuclear program is the target.
O Murchu hypothesizes that the
worm may have been unleashed via
a USB drive that was plugged into a
computer. In some instances, rogue
programs have come from USB drives
dropped in parking lots that were
plugged in by a curious person. Once
loaded, the worm can spread because

Quoted
The Internet is the crime scene
of the 21st century.
Cyrus Vance Jr., Manhattan District
Attorney, who is prosecuting an alleged
cybercrime ring that
stole millions from
bank accounts around
the world.

passwords for many industrial control programsrequired to give

the machine instructionsare
either hard to change or cant
be changed at all, says Frank
Heidt, chief executive officer
of Leviathan Security Group,
a consultancy in Seattle.
Whoever made Stuxnet gave
it a set of master keys to get
inside this kind of system, he says.
The weakness goes beyond Siemens,
Heidt says, showing passwords in owners manuals for industrial control software from Honeywell, ABB, and Invensys. Siemens says the company issued
a fix for Stuxnet within a week after it
learned of the worm in July and that few
customers have had problems. Honeywell and ABB say they are addressing
the password issue. Invensys says its security is sufficient.
The risks to such computers were illustrated three years ago when researchers at the Idaho National Laboratory
tried to seize control of an electrical generator over the Internet. While the findings of Project Aurora, as it is called, are
classified, a leaked video shows a generator emitting black smoke as it follows the
teams rogue instructions.
Many industrial control systems were
designed before anyone dreamed of
connecting them to the Internet. They
run machines that have been in place
for decades and remain in use longer
than most computers. Over time, these
systems were linked to the Internet to
allow companies to monitor output, material consumption, and inventories. It
was a very natural progression, says Michael Assante, the former security chief
of a U.S. utility industry group. Someone would say We need to get the data
that we can capture from the plant and
get it into the financial system.
Security experts take some solace in
Stuxnets complexity, which means that
few organizations could create such a
worm. Symantecs O Murchu estimates
that Stuxnet was written by a team of
a dozen programmers working for at
least six months, at a cost of more than
$3million. With an attack like this,
he says, you have to know a great deal
about the target in order to get the desired result.Arik Hesseldahl
The bottom line Stuxnet highlights the vulnerabiity
of computers that control factories, many of which
were developed before the Internet era.

Speed Dial
Richard Clarke
The chief counterterrorism
adviser to the George W. Bush
Administration says the U.S.
isnt ready to defend itself
against a significant attack on
its digital infrastructure.
In your book Cyber War, you spell
out what the U.S. needs to do to
protect itself digitally. What are the
top three things?
Job One would be to have the
government work with Internet service providersthe half dozen companies that operate the big pipes
through which all the data traffic
comes into the countryand require
them to be looking for specific attacks. I dont want the government to
do the actual scanning because that
raises privacy issues.
Whats the second job?
Securing the power grid. Making sure
that the networks and systems used
to control it arent connected to the
Internet, where they can be attacked.
Then you make sure theres a diversity
in the operating systems being used,
and, where possible, use proprietary
operating systems.
Arent power utilities already required to lock their systems down?
They are. The only problem is that the
Federal Energy Regulatory Commission doesnt have the audit capability
to find out if theyre complying with
the regulations.
And the third thing youd do?
Start thinking about fundamentally rearchitecting the Internet. Were still
using the basic architecture that Vint
Cerf came up with 30 or 40 years ago.
Id start putting some R&D money into
efforts to see if there are other ways of
running the Internet than the system
we developed back when we thought
everyone using it would be honest.
Arik Hesseldahl

65