One of the most sophisticated viruses seen to date has been developed to attack industrial control systems. While the identity of those responsible is still a matter of speculation, the virus was created by people who had detailed knowledge of the particular control systems used at the reactor, knew the best method of getting the virus onto them, and knew the best way to severely disrupt the reactors without being detected beforehand. This also appears to be an attack against a specific target – the Bushehr reactor in Iran. Security experts at Symantec and Kaspersky Lab agree that this was a state-sponsored effort involving a lot of research and development on a particular model of PLC and the software used to program it.
Stuxnet has four main components: the first spreads the virus through a print network, the second distributes it by copying itself onto USB drives, and the other two are rootkits, one giving it administrator-level access to the system and the other altering the code being written to PLCs.
A Programmable Logic Controller is a bank of processor-controlled virtual relays that link control systems to industrial machinery. The PLC has a processor-based central unit that runs an event-driven program to control the switching. This program can be entered manually on the PLC’s keypad, but in the case of Iran’s facility it is created using the editor software on a laptop and copied to a USB drive that is later plugged into the PLC’s central unit.
Stuxnet installs itself on the Microsoft Windows OS, searches for the Siemens S7 series PLC program editor, and modifies it so that the code it writes to the PLCs is altered. It also changes the read and write permissions of its code to hide these changes from the programmer.
By renaming the s7otbxdx.dll file and replacing it with another (which also contains the rootkit), it can intercept requests being sent through the link and change them. Meanwhile, the original file is still present under a different name. Stuxnet also uses stolen Realtek cryptographic keys to authenticate itself and bypass security.
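As an added example (not code from the article, Siemens or any security vendor), one way a defender can detect the library swap described above: record a hash baseline of the directory holding s7otbxdx.dll on a known-clean engineering station, then flag a modified s7otbxdx.dll and any newly appeared file whose content matches the original, which is what a renamed-and-replaced library looks like on disk. The directory layout, the stand-in file contents and the name of the renamed copy are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Name of the Step 7 PLC communication library the article describes (from the page).
STEP7_DLL = "s7otbxdx.dll"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large libraries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory):
    """Map file name -> SHA-256 for every file in the directory (run on a clean station)."""
    return {name: sha256_of(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))
            if os.path.isfile(os.path.join(directory, name))}


def check_integrity(directory, baseline):
    """Return findings: the Step 7 DLL missing or modified, and any new files."""
    findings = []
    current = build_baseline(directory)
    if STEP7_DLL not in current:
        findings.append(f"missing: {STEP7_DLL}")
    elif current[STEP7_DLL] != baseline.get(STEP7_DLL):
        findings.append(f"modified: {STEP7_DLL}")
    for name, digest in current.items():
        if name not in baseline:
            # A new file whose content equals the baseline DLL is the genuine
            # library, renamed so a replacement can take its place and forward calls.
            if digest == baseline.get(STEP7_DLL):
                findings.append(f"renamed original: {name}")
            else:
                findings.append(f"unexpected file: {name}")
    return findings


def demo():
    """Constructed scenario: clean baseline, then a swap like the one the article describes."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, STEP7_DLL), "wb") as f:
            f.write(b"constructed stand-in for the genuine library")  # not a real DLL
        baseline = build_baseline(d)
        clean = check_integrity(d, baseline)
        # Simulate the swap: original renamed (assumed name), replacement takes its name.
        os.rename(os.path.join(d, STEP7_DLL), os.path.join(d, "renamed-original.dll"))
        with open(os.path.join(d, STEP7_DLL), "wb") as f:
            f.write(b"constructed stand-in for a replacement library")
        return clean, check_integrity(d, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real station the baseline would be stored off-host and compared on a schedule, since a rootkit with administrator access can tamper with a baseline kept on the same machine.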
The code that’s written to the PLC targets the data blocks that handle high-speed and high-pressure systems. These data blocks are supposed to run every 100 ms in order to react almost immediately to any changes. Other data blocks are added by Stuxnet, very likely to disable safety and alarm systems.
One of the programmers at Byres Security believes the people behind Stuxnet were trying to achieve something bigger by extensively reworking the PLC’s code.
Incidentally, there were rumours of a serious incident at the Natanz reactor last year, which were unconfirmed but reported by Wikileaks shortly before the resignation of the head of Iran’s atomic programme. 800 of the country’s centrifuges were taken offline around then.