A senior Iranian commander has accused the German engineering firm Siemens of helping the US and Israeli to build the Stuxnet computer worm that infiltrated his country's nuclear facilities. The claim by Brigadier General Gholam Reza Jalali came on Saturday in the Islamic Republic News Service, Iran's state news agency, which …
Not very likely because everyone using Siemens SCADA kit knew that the software on the PCs had its passwords hard coded - as far as I can tell everyone buying it is told not to change the default passwords.
siemens is garbage anyway
They used to be the best in many fields. But after seeing how their spinoff Infineon was managed I can understand how this could happen. As others have said perhaps Iran if it was not such a pariah they could shop around and buy decent kit but no they would rather deny the holocaust.
Not just SCADA...
Their medical imaging scanners (we have MRI and CT scanners from them) come included with passwords... located at C:\password.txt
Even worse, that's usually the top entry in the Start>Run box!
I think they provided the piss-poor system in the first place. The attackers had it easy with hard-coded passwords that *could not* be changed.
Add the usual sprinkling of MS holes and it was not mind-blowingly hard, even though it is quite a first in targeted attacks that actually did something obvious.
Dual-use technologies forbidden to Iran
Siemens were not supposed to be supplying dual-use technologies to Iran under the terms of an EU embargo but had apparently been caught doing so on more than one occasion via some of their foreign subsidiaries and via go-between customers in Russia and Dubai. Perhaps their willing cooperation with the creators of Stuxnet was part of a deal to avoid fines, Siemens executives going to prison and lots of unpleasant publicity. Or maybe their original embargo breaches were all part of a cunning scheme to lure the Iranians into an even more cunning trap (and to make a few Euros in the process).
I think you are trying to say that running flash is a severe security hole and that someone likes it that way. If you speak clearly, more people can agree with you.
Anyone look at the type of communications between devices?
Just because I have some experience integrating MODBUS communications, has anyone looked at the type of device communications that were being used? Did they really hack the SCADA software on the master workstation or did they hack into secondtier communications such as RS-485 MODBUS RTU which is a common native language for speed drive programming and parameter setting? It would have been easy to monkey with the MODBUS register data because each speed drive parameter could have easily been modified and few people password protect the speed drives themselves.
If you sent a parameter that represented 110% of the speed the centrifuge speed drive was running at, they could have oversped the motor and the centrifuge would not have been able to "swing" the U-235 atoms into the "collection slot in the centrifuge. Same thing could happen if they were able to change the data in each modbus string somehow.
Hacking the SCADA
Yep, and of course MODBUS doesn't provide much security. You just need to be able to get at the RS485 bus directly, or the TCP/IP network if they're using gateways.
The protocol is very simple, and doesn't offer any security whatsoever.
The question has to be asked though, how did the attackers apparently get at the MODBUS network. Either their physical security is woeful, or someone didn't lock down the TCP/IP part of the network properly.
@Stuart Longland & AC above
Have a read of the Stuxnet Dossier by Symantec. It is a quite superb piece of analytical work.
of course ...
Of course, Siemens *is* responsible.
After all, was it not Siemens that chose *Windows* as the OS for their system??
And the Iranians are just as culpable. Did they not choose to buy a SCADA system whose OS was *Windows*.
Do not blame malfeasance for that which can be explained by stupidity.
If it was down to Siemens they would have charged Iran for deploying it after charging the US and Israel for developing it.
Regardless of the system, software, process, etc no one had a right to hack into their systems and cause harm that may well have caused deaths. From the comments it appears they believe the problem is primarily due to old system, hardware or software. However, I completely disagree based on the sophistication of the worm and the intended purpose. The experts all agree; the sophisticated skills necessary to produce the software, very few countries have the resources, the developer had specific targets, the US and Israeli were involved.
If either of these two country were attacked in this manor the repercussions, well lets just say, war planes. Unless all countries deactivate their nuclear weapons then who are they to dictate to others. After all the US is the only country to have ever use this technology not once but twice. Now the major powers have invented tactical nukes. Any country without nuclear weapons to deter these power hungry countries will soon than later loose to them. Who gives a rats ass if they call it democracy or a dictatorship.
Idiots in charge are at fault.
SCADA should never. ever, be attached to publicly accessible networks.
If you don't understand my comment, kindly be quiet. The adults are talking.
I sort of agree..
That's right. SCADA should not be connected to public networks. I suspect, bearing in mind the sorts of things it controls, Siemens assumed it would not be. After all, who would want their utility infrastructure to be publically accessible? Oh wait...
I suspect the beancounters are at fault here. It costs money to operate private networks. It's a lot cheaper to bung the lot on one internet connection, and hope it doesn't go titsup.
In fact, a relative of mine used to work for the MOD. His office had two computer networks. One had full access to the internet and was for email and web access. The other, which was for the stuff covered by the Official Secrets act was private..
That's not to excuse Siemens. Closed network or not, they should not be using hardcoded passwords. That's as good as having none at all.
Agreed, but furthermore
The Iranian systems weren't (apparently) on the Internet - Stuxnet was introduced via USB sticks (allegedly). So not only should SCADA systems not be on publicly accessible networks, they need to have any CD/DVD, USB and other non-essential ports disabled* - epoxy glue is quite effective for this purpose, if your software isn't up to the job.
* As Bradley Manning recently demonstrated.
The target machines in this case were not and that didn't save them. And why never, ever? I've seen siemens kit bodged into service by bored techs to run christmas lights, the world is not likely to end if that got pwned.
Have you idiots never heard of "sneaker net"?
If I can plug ANY removable media into your so-called "secure" system, so can anyone else. By definition, that makes you vulnerable to publicly accessible systems.
Note to Brigadier General Gholam Reza Jalali: "Araldite's in t' second drawer, Luv ...".
...the dust won't settle soon on this issue.
This is the usual crap from Iran. Why on earth does somebody have to have leaked information maliciously in order for Stuxnet to be created.
By Iranian logic all the attacks launched against MS, Adobe or any other software could only have been caused by some insider leaking source code. Or is the Brigadeer General's understanding of technology at the same level as our good friend Stephen Fry?
Everyone is to blame
Microsoft are to blame for writing an OS that, to use a door analogy, has all the locks screwed on from the outside.
Siemens are to blame for hard-coding passwords into devices.
Anyone who didn't immediately send back the devices with hard-coded passwords as "unfit for purpose" is to blame, for letting Siemens get away with it.
And anyone who put SCADA devices in a critical facility on the public Internet is to blame, for being stupid enough to put a SCADA device in a critical facility on the public Internet.
It's their own fault...
Iran could have been a tad bit smarter than have the russians install their systems...
After all, they did get a bootleg version of SCADA and other systems, which could not be updated against the vulnerability that the STUXNET virus were using...
but, if this were to go through, i suppose we can all sue HP, Dell and other computer manufacturers for installing an OS on computers that can be attacked by virus and malware...
If Siemens really did help hack the Iranian nuke systems.....
.... Then thanks, Siemens.
Never mind Symantec
The real analysis here, in particular the SCADA-specific Siemens-specific stuff (since when did Symantec have a clue about SCADA and PLCs?), was done by Ralf Langner and team, at www.langner.com
"anyone who put SCADA devices in a critical facility on the public Internet is to blame, "
Any idiot who repeats this daftness in a Stuxnet context is to blame.
Fact: the SCADA devices were not on the public Internet in the Stuxnet picture. Other malware propagation mechanisms are available, and not just to Stuxnet.
USB sticks are an obvious one, but in the context of an industrial automation setup, physically moving a PC (or its connection) between the infected site LAN and the "secure" automation LAN is another strong possibility.
Apparently, you're yet another person who never heard of "sneaker net", and the ramifications thereof, when it comes to today's inter connected world ... Here's a hint: If your employee can plug a USB stick into one of your so-called "secure" systems, your so-called "secure" system is open at least one-way to the Internet. And it's probably both ways.
How the hell do you think Stuxnet spread, anyway? By magic?
::wanders off, muttering about kids these days::
Secure Products and Penalties
We need secure products and penalties for companies that sell blatantly insecure code. If the code cannot be fixed without backward integration issues, the produt vendor should provide a free new release.
Some of these companies have a monopoly which makes it difficult for consumers not to buy. Governments should step in with a penalty or fine
Time to make the world secure else our problems will magnify in the years to come
We'll see you in court
"He went on to say that Iran's Foreign Ministry should lodge complaints in international courts to hold the US and Israel legally responsible."
Legally responsible for allegedly interfering with their illegal weapons program?
- Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
- 14 antivirus apps found to have security problems
- Feature Scotland's BIG question: Will independence cost me my broadband?
- Apple winks at parents: C'mon, get your kid a tweaked Macbook Pro
- FTC to mobile carriers: If you could stop text scammers being jerks that'd be just great