Note: Reid Wightman recently joined Digital Bond. Previously Reid was with SEL, and his background is in embedded systems assessments.
With last week’s Langner post on just how easy the PLC is to reprogram with a logic time-bomb, I wonder: how long will it be until we see Stuxnet clones in the wild?
The answer is, ‘Maybe two years,’ in my opinion. At 27c3, FX showed how to analyze the Stuxnet PLC code (caution: swear words and disparaging remarks made towards open source), allowing for duplication of not only a timed attack, but also the input manipulation code needed to confuse operators further (as though randomly changing output data would not cause trouble enough). The ‘good stuff’ begins at about 47 minutes in.
Since all of the necessary utility functions are implemented and available for download, it seems only a matter of time before the youth start playing with packaged payloads and infection vectors, especially for Siemens equipment.
Clones need not be limited to Siemens hardware, of course. Other vendors are lucky that Siemens got hit first — and they should not waste time waiting to be hit next. No doubt the control system hacker community’s new hobby will become implementing Stuxnet-like features in ladder logic for various PLCs/RTUs/automation controllers and pressing the ‘compile’ button. I worry that incidents will need to start happening in order for vendors to wake up. Remember that, while the outcome of such an attack might just be damage (and thus difficult to capitalize upon for an attacker), early hacking was rarely done for profit…
Image by Marc Lagneau