Stuxnet — the eerily sophisticated 2010 computer worm of murky origin that struck Iranian nuclear facilities last year — is causing a new stir: Fresh white papers have been issued by the nonprofit Institute for Science and International Security; by chief technology and security officers of Tofino Security, Abterra Technologies, and ScadaHacker.com; and by security-software giant Symantec Corp. All indicate that Stuxnet has ushered in a new era of industrial cybercrime — and that no manufacturing plant is immune.
In case you need a refresher, the Stuxnet worm infected Iranian uranium-enrichment plant networks via USB flash drives, and then targeted certain VFDs slaved to Siemens PLCs by Profibus, whipping them through wild frequency changes, and taking the attached centrifuge motors along for the ride until failure by vibration. The flash drives used to infect the Iranian networks — much like the CDs reportedly used by Private Bradley Manning to pass diplomatic cables and videos from the U.S. Secret Internet Protocol Router Network to WikiLeaks — aren't exotic or sophisticated. Now, in response to Manning's actions, for the second time in three years U.S. Strategic Command has banned use of portable memory devices on military networks. In the manufacturing sector, a ban on portable memory is impractical.
Still, just as Ethernet has gained acceptance in industrial applications, so too is USB connectivity booming — in commercial and industrial environments. What steps are being taken to protect the motion designs that incorporate these convenient, standardized ports? Certainly manufacturing centers that are fully networked — in which operations and corporate systems are connected to controls for the sake of productivity — are at heightened risk. More importantly, where else do vulnerabilities lie?
In one effort to find out, the International Society of Automation ISA99 committee for Industrial Automation and Control Systems Security is now analyzing potential weaknesses of ANSI/ISA99 standards — which outline basic cyber-security protocols for industrial automation and controls. The group's goal is to determine if companies following ISA99 standards are protected from cyber attacks resembling Stuxnet, and recommend edits to the standard if needed. In fact, ANSI/ISA99 also forms the basis for IEC 62443 industrial-automation security standards — which will likely become the core international standard in coming years for protecting critical industrial infrastructure that affects human safety and the environment. (Eventually, IEC 62443 could also extend beyond supervisory control and data acquisition or SCADA operations.) The ISA Systems Security investigatory group will publish its findings later this year.
We'll return to this topic again next month, but invite you to share your thoughts on the matter now.