The Stuxnet virus could be lurking on your computer

June 2nd, 2016, Published in Articles: EE Publishers, Articles: EngineerIT, Uncategorised articles

 

In 2009 a virus called Stuxnet caused critical failure in some of Iran’s uranium enrichment facilities in Natanz, leading to a shutdown of that facility in order to prevent meltdown. The virus is acknowledged by many as the first to be created as a targetted weapon. This means that the virus, rather than simply affecting all systems in the same way, would specifically look for the system at Natanz and target that.

The virus worked by first recording supervisory control and data acquisition (SCADA) data about the uranium centrifuges for a week or so, at which stage it started to intercept the data being sent to the control room and instead transmitted its own stream of information. It then started to change the rotational speed of the centrifuges, raiding them up to dangerous levels such that they started shutting down.

Doron Kowensky (right) made a presentation on Cyber Security at the May Tshwane Branch of SAIMC. On the left is the chairman of the branch Jurie Weidemann.

Doron Kowensky (right) who made a presentation on cyber security at the May 2016 Tshwane Branch of the SAIMC. is seen with branch chairman Jurie Weidemann.

After the Stuxnet virus was uncovered it was found that probably most computer systems in the world were infected with the virus; however it was looking for a very specific setup and so was benign with the other systems. However at the time of writing, Stuxnet can be relatively easily obtained off the internet, and there are a plethora of videos available on Youtube that dissect the virus and explain how it can be manipulated. Also we have no idea how many other similar viruses are being developed currently as well, whether for targetted attacks or untargetted dissemination. Either way Stuxnet was a huge eye-opener to the fact that network attacks are evolving at a scary rate.

As Ethernet networks have become the standard for running industrial control and automation around the world, and most of these connections have options for remote access and control via the Internet (or a privately owned wide area network (WAN); protecting against viruses such as Stuxnet, as well as direct hacking attempts and other attacks, is critical. Various methods are available for helping to protect against attacks, however if these are not properly implemented and maintained they are next to useless.

One of the first methods to protect a network is physical access control. This includes keeping sensitive networking hardware locked in protected cabinets/rooms (such as switches and routers), as well as controlling who has access to these devices. This also extends to monitoring users of networking hardware, whether they are third party contractors or direct employees. It is important to remember that a user with good intentions but incomplete knowledge of the network and devices can be just as destructive as a user with malicious intent. Whether the damage to the network was intentional or accidental is of little consequence when production is grinding to a halt.

The next important component to look at is a proper anti-virus system for the network. This should include anti-virus software on all critical PCs on the network, which must be regularly updated (most anti-viruses these days will check for updates two to three times per day to make sure they are always up to date). An anti-virus system can also include company policies, such as banning the use of external storage devices, e.g. flash drives. If data off an external flash drive is required, this drive should be checked on a PC that is not connected to the network in any way (known as an air-gap PC) that also checks for viruses. Some modern firewalls can also check incoming files, and if a potentially dangerous file is discovered it will be send via the internet to a testing location where it can be run to see if there is any malicious code contained in the data.

Firewalls are another major component in network security, and will often contain an anti-virus plugin as well. Firewalls allow us to have proper granular control over all traffic entering or exiting the network, and are important to install and commission, not only where the network connects to the internet, but wherever it connects to a slightly less secure network, such as an uplink to a corporate head office. Managers in HQ will often want to be able to monitor certain details from the network, such as production rates, losses etc. All of this traffic should be monitored and only served out where required. Any other data transfer between the secure and non-secure networks should be monitored and controlled, and unless completely necessary should be blocked where possible.

Ethernet networks and the internet have without a doubt changed almost everything about this world, from personal interactions and business to monitoring of countrywide production systems (or even global systems). While the benefits of using Ethernet for monitoring and control of industrial sites and systems are definitely evident, if not properly secured one could be a single data transfer away from critical failure of the system. The Ethernet network is the nervous system of any industrial mission critical site these days, however without a strong and secure immune system (network security) an infection and catastrophic failure could be waiting just around the corner. For this reason network security must be properly planned and implemented on any mission critical network, and should definitely not be underestimated.

Contact Doron Kowensky, H3iSquared, Tel 011 454-6025, doron@h3isquared.com

Related Articles

  • South African coal faces bleak outlook
  • South African coal exports outlook: Approaching long-term decline
  • Partnership to create immersive digital experiences
  • SABS to host 42nd ISO General Assembly and ISO Week
  • Digitalisation brings auto manufacturer up to speed