The Stuxnet attack clearly showed that industrial facilities and infrastructure can be targeted by hackers. Siemens is developing strategies to address new threats from the Internet. Among other things, the company plans to make security updates available to customers more quickly.
Johann Fichtner (top, second from left) and his team exclude the possibility of security flaws when they program their software.
On July 15, 2010, Siemens received information about a new computer virus — a trojan that seemed to target only Windows computers. The trojan is activated only when it discovers Siemens Simatic automation software. Just one week later, Siemens released a program that removes the trojan, and at the beginning of August Microsoft repaired the security flaws in its Windows operating system that had allowed the malware to gain access. By the end of 2010, 24 Siemens customers from industries around the world had reported the presence of the trojan. In each case, the malware was removed without affecting the automation solutions involved.
Still, IT experts were alarmed. “Stuxnet marked the first time that malware was used to directly attack production processes,” says Johann Fichtner, head of Siemens CERT (Cyber Emergency Readiness Team), a group of experts who support the company’s business units in warding off hacker attacks. Stuxnet seems to have been developed over several months by professionals who put a huge amount of effort into their undertaking. Speculation has suggested that the trojan may have been programmed for the sole purpose of destroying centrifuges at the Natanz uranium enrichment facility in Iran. However, very few people know what really happened. Nonetheless, the incident raises the possibility of all kinds of different threats. After all, trojans that smuggle malware could cripple entire infrastructures by interrupting processes in power plants, production facilities, and traffic guidance systems.
Fichtner wasn’t really surprised by the Stuxnet attack, as the possibility of such an incident had long been proven in labs. Still, many specialists had hoped that the firewalls between public and internal networks would block any attack from the Internet. It should be pointed out, however, that the Stuxnet malware didn’t just come from the Internet; it was also spread through the insertion of an infected USB stick. “An attack like that could theoretically endanger millions of facilities,” Fichtner warns. There are differences, though. The attackers’ motives can vary from industrial espionage to sabotage. But whether the issue is dealing with attempted data manipulation, a virus, or a trojan, industry must be ready to face every threat known to the IT world.
Access to Production Data. In general, several trends in industrial automation are now playing into the hands of hackers. First of all, the strict separation between the office world and the industrial realm in which machines and facilities are controlled by special software is increasingly being watered down — both in a physical and a software sense. That’s because plant operators want to be able to remotely monitor and control their facilities, and business units are demanding access to production data so that they can, for example, make seamless cost calculations. As a result, more and more facilities are being linked to the Internet and also being indirectly controlled by common office operating systems. Experts therefore now face a dilemma. “Customers want us to base our applications on open standards, and of course we need to meet this demand,” says Georg Trummer, who is responsible for IT Security at Siemens Automation. “However, this exposes us to the types of security problems every PC user is familiar with.”
Another development also suggests that we can expect to see more attacks in the future: cyber-invasions are becoming more specifically targeted. In the past, virus attacks were like buckshot from a shotgun. Hackers targeted the largest number of computers possible on the Internet and hoped they would hit a security gap somewhere. Today cyber-criminals are more sophisticated. They send their malware to only a few computers with critical security functions, usually for the purpose of industrial espionage. This means viruses and trojans remain undetected for a long time and can do a lot of damage before they’re caught by anti-virus programs.
Office and industrial IT systems are merging rapidly in a trend that is irreversible. Unfortunately, in many cases awareness of potential threats and the implementation of appropriate measures to counteract them are not increasing at the same pace. In the aftermath of the Stuxnet attack, Siemens experts analyzed the facilities that had been infected, including one in East Asia. “We found not only Stuxnet but also many other viruses and trojans,” Trummer reports. This indicates that security measures at these sites were inadequate. Specialists also found a telephone line that allowed dial-in access to a security-critical facility they examined. Amazingly, some companies choose not to use passwords to control IT access to their facilities. “You simply can’t do that,” says Trummer.
Constant State of Alert. Siemens also has to keep its own people constantly alert to IT security. CERT has taught hundreds of Siemens software developers the principles of secure programming in order to prevent programming practices that could open a gateway to hackers. CERT experts put a high priority on the strict separation of program code and data. Hackers can easily remove password prompts from naively programmed software, for example — exactly the kind of mistake that CERT training seeks to eliminate.
In another measure, software providers are now regularly providing updates for critical services such as plant controls. However, operators of industrial facilities are generally reluctant to use updates because they fear that operations could be disturbed. So although there are a large number of Windows updates out there, only a few actually end up in the PCs used at industrial plants, and if they are in fact downloaded, it’s usually months — or even years — after they became available.
“We need to find a solution to ensure that security updates are introduced more quickly in the future,” says Fichtner. In any case, CERT experts are increasingly being brought in as consultants during the software development phase, rather than being contacted only when a problem arises. The challenges faced by security experts will increase further as complex networked systems like smart grids become the norm. Collective intelligence will be required to make the decentralized power grids of the future as effective as they need to be. However, such systems presuppose a certain amount of trust on the part of the people involved. Completely new types of risks are conceivable in this area. Consider the following example: A homeowner who has a photovoltaic unit on the roof could manipulate his smart meter to show that he has fed more power into the grid than is actually the case. Preventing such fraud would necessitate an intelligent detection system. The smart grid is like an organism that needs to be given an immune system, says Fichtner. “After all, the human body doesn’t trust everything that’s swimming around in its blood either,” he says.