It reads like Sci-Fi. More about Stuxnet.


Londo_Jowo (Lifer, Jan 31, 2010, londojowo.hypermart.net)
The HMI is software that gathers information from the PLC and can also be used to adjust operating setpoints (i.e. speed, temperature, pressure, ...) in the PLC. The HMI has to be configured to access the specific addresses within the PLC to perform these functions.

There are many processes that rely strictly on the PLC and don't have an HMI display. Some are accessed remotely by a DCS to gather the data for display.


PLC = Programmable Logic Controller
HMI = Human Machine Interface
DCS = Distributed Control System
 

CADsortaGUY (Lifer, Oct 19, 2001, www.ShawCAD.com)
I don't know what the hell you guys are talking about, so would you mind answering a dumb question for me?

Wouldn't they have to think something is wrong with that specific piece of machinery to shut down the HMI (WTF is that btw?)? Sounds like the worm was designed to make them think everything was just fine until it wasn't.

An "HMI" is a Human Machine Interface - usually a computer or some proprietary touch screen with graphics.

Yes, that's what makes this odd. You likely wouldn't disconnect the HMI when troubleshooting a speed issue or something that presents as a mechanical problem like this one did. Likely they used the HMI to do some trending in an attempt to capture the problem.
Yes, the worm sounds like it was hidden in such a fashion that the normal programming software didn't see the additions and/or it didn't actually do much to the PLC other than use it as a place to manipulate commanded frequencies.
 

CADsortaGUY (Lifer, Oct 19, 2001, www.ShawCAD.com)
@CADsortaGUY
Everything I'm reading states that Stuxnet changed the logic in the PLC via the HMI software.

That's how I'm reading it as well. However, it doesn't mean it changed it using the traditional HMI software. It's rather vague on HOW or WHAT it changed. For most people it doesn't matter as they don't really know what "magic" happens behind the scenes but as a person who knows - it makes some of the reporting look bad as they just don't know what to ask or what details might be important.
I'm sure in due course we'll find out how, but my hunch is scripting that did allow the HMI computer access to the program (or the reporting is just off and it targeted the drives themselves and changed the code there).
 

Londo_Jowo (Lifer, Jan 31, 2010, londojowo.hypermart.net)
Or possibly the Iranians actually screwed up and allowed the HMI to be accessed from the outside. If this is the case the person/s that wrote Stuxnet could remotely access the HMI/PLC and perform online editing of the logic.
 

Pulsar (Diamond Member, Mar 3, 2003)
Normally the HMI (Human Machine Interface) is secure programming that wouldn't be affected by malware. Unless someone that works for Siemens provided the HMI specifics and access to the code/programming.

Huh? The HMI interface has nothing to do with the PLC code. The HMI can be anything it wants - we have hundreds of proprietary HMIs, and thousands of touchscreen Windows (primarily XP) HMIs. PLCs run no virus protection, and the only thing you have to do to get PLC specifics or HMI specifics would be to BUY one for $5-$20k to experiment with it. I have a Siemens PLC sitting on my desk at work right now as a troubleshooting tool, plugged into an XP HMI. Uploading a modified PLC program is usually as simple as clicking "deploy" and it would be ridiculously simple to write a program that would do the same.

The Stuxnet worm, on the other hand, has security experts shocked at how complex it is. You can read direct quotes from them regarding how it works and how they believe that no hacker group wrote it because of the difficulties involved.

Nearly every HMI on the market is built with a USB port or three so you can plug in your keyboard, mouse, and flash drive. Older ones have to be plugged in serially. In this case, there was no external connection of the HMI to the outside world. At least that is what the article claims.

Pretty simple: USB worm -> HMI -> modifies PLC code from HMI.
 

Londo_Jowo (Lifer, Jan 31, 2010, londojowo.hypermart.net)
Huh? The HMI interface has nothing to do with the PLC code. The HMI can be anything it wants - we have hundreds of proprietary HMIs, and thousands of touchscreen Windows (primarily XP) HMIs. PLCs run no virus protection, and the only thing you have to do to get PLC specifics or HMI specifics would be to BUY one for $5-$20k to experiment with it. I have a Siemens PLC sitting on my desk at work right now as a troubleshooting tool, plugged into an XP HMI. Uploading a modified PLC program is usually as simple as clicking "deploy" and it would be ridiculously simple to write a program that would do the same.

The Stuxnet worm, on the other hand, has security experts shocked at how complex it is. You can read direct quotes from them regarding how it works and how they believe that no hacker group wrote it because of the difficulties involved.

Nearly every HMI on the market is built with a USB port or three so you can plug in your keyboard, mouse, and flash drive. Older ones have to be plugged in serially. In this case, there was no external connection of the HMI to the outside world. At least that is what the article claims.

Pretty simple: USB worm -> HMI -> modifies PLC code from HMI.

I can tell you that can't be done with an Allen-Bradley or GE Fanuc PLC. The HMI can't modify the logic, the specific programming software must be used.
 

Modelworks (Lifer, Feb 22, 2007)
Someone is an idiot, either all the security analysts who checked it and claimed what they did, or you.

Which security analysts? The one in the article is well respected for one thing: giving interviews. He is well known for being a person that likes to be in the press.

The real analysts, the ones that don't care about getting their name in print, looked over this months ago and really saw nothing special about it. It was created with insider information and targeted a specific site.
 

Modelworks (Lifer, Feb 22, 2007)
On all the HMI systems I've worked around, the setpoints are password protected. I seriously doubt the worm could get around a password-protected input.


It didn't.
If you want a copy of the code I have it. I'm not totally familiar with the control systems it targeted, but from what I was able to pull apart it looks like it never left the Windows machines and was able to alter the RPM speeds without doing so.

What I said earlier is what I suspect occurred. I don't see a single thing in the code for altering firmware or hardware. One thing of note for anyone putting the Stuxnet code on their PC: you need to make sure your PC is not vulnerable to the shortcut .lnk icon flaw, because that is how it runs off the USB drive without someone running it. I recommend a *nix-based setup if you want to play with it.

It started by giving itself access privileges, then creating a DLL file, then overriding, and finally there are about 20 integers it changed. One of the things that did strike me as odd is it targeted Windows 7 64-bit, which hasn't been out that long, so someone had to know exactly what was being run inside the plant.
SeTrustedCredManAccessPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege
SeAssignPrimaryTokenPrivilege

SOFTWARE\SIEMENS\WinCC\Setup\STEP7_\Version
SOFTWARE\SIEMENS\STEP7
SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOSEmulationNT

s7apromx.dll

BEGIN
    -- expose the advanced server options so the next call is accepted
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE WITH OVERRIDE;
    -- turn on the OLE Automation stored procedures (sp_OACreate and friends),
    -- which let T-SQL instantiate COM objects and run code outside the database
    EXEC sp_configure 'Ole Automation Procedures', 1;
    RECONFIGURE WITH OVERRIDE;
END
 
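The sp_configure sequence quoted in the post above is something a database-side monitor can catch: on a SQL Server that backs an HMI, a normal login has no business enabling 'Ole Automation Procedures'. The following is an added example, not code from this thread or from any Siemens product, that scans a constructed query log for such statements. It also flags 'xp_cmdshell', which is not mentioned in the thread but is the other well-known sp_configure switch that turns a database login into code execution. The login names and the log format are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a SQL Server query log (not real telemetry): (login, statement).
# The second entry mirrors the sp_configure sequence quoted in the post above; the
# others are benign noise plus one xp_cmdshell enable for the generalised rule.
SAMPLE_QUERY_LOG: List[Tuple[str, str]] = [
    ("WinCCConnect", "SELECT TagName, Value FROM Archive WHERE TagName = 'Drive01_Freq'"),
    ("WinCCConnect", "BEGIN EXEC sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE; "
                     "EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE END"),
    ("dbadmin", "EXEC sp_configure 'max server memory', 4096; RECONFIGURE"),
    ("WinCCConnect", "exec SP_CONFIGURE 'xp_cmdshell' , 1"),
]

# sp_configure options that, once switched on, let a SQL login run code outside the database.
CODE_EXEC_OPTIONS = {
    "ole automation procedures",
    "xp_cmdshell",
}

# EXEC[UTE] sp_configure '<option>', <value>  (case-insensitive, tolerant of extra whitespace)
_SP_CONFIGURE = re.compile(
    r"exec(?:ute)?\s+sp_configure\s+'(?P<option>[^']+)'\s*,\s*(?P<value>\d+)",
    re.IGNORECASE,
)


def find_code_exec_enables(statement: str) -> List[str]:
    """Return the code-execution options this statement switches on (value other than 0)."""
    hits = []
    for m in _SP_CONFIGURE.finditer(statement):
        option = m.group("option").strip().lower()
        if option in CODE_EXEC_OPTIONS and int(m.group("value")) != 0:
            hits.append(option)
    return hits


def scan_query_log(entries: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag every log entry that enables a code-execution option, naming the login that did it."""
    findings = []
    for login, statement in entries:
        for option in find_code_exec_enables(statement):
            findings.append({"login": login, "option": option})
    return findings


if __name__ == "__main__":
    for finding in scan_query_log(SAMPLE_QUERY_LOG):
        print(f"ALERT: login {finding['login']} enabled {finding['option']!r}")
```

Run against the constructed log it reports two alerts, both from the HMI's own database login. Enabling 'show advanced options' on its own is not flagged, because administrators do that legitimately; the signal is the second step that turns on an execution primitive.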

Londo_Jowo (Lifer, Jan 31, 2010, londojowo.hypermart.net)
As of yesterday the company where I work has taken Siemens off our preferred PLC vendors list. I can't believe their HMI software is that vulnerable and allows modification of the PLC logic without programmer interaction.
 

SamurAchzar (Platinum Member, Feb 15, 2006)
As of yesterday the company where I work has taken Siemens off our preferred PLC vendors list. I can't believe their HMI software is that vulnerable and allows modification of the PLC logic without programmer interaction.

That's pretty ridiculous. I can assure you that whoever knew exactly what hardware is there, had 4 genuine zero-day Windows exploits and went to this level of sophistication would compromise Fanuc's PLCs or anyone else's pretty easily. It's just that Siemens was installed at that target, it's not like the target was hit because it had Siemens.
 

daishi5 (Golden Member, Feb 17, 2005)
As of yesterday the company where I work has taken Siemens off our preferred PLC vendors list. I can't believe their HMI software is that vulnerable and allows modification of the PLC logic without programmer interaction.

I don't know much about PLCs, but I do know that in our small IT dept, we were disgusted that Siemens uses a hardcoded admin password that cannot be changed. I have no doubt that if they left a security hole that obvious and easy to exploit in their systems, they would also fail to secure the much more obscure parts of their systems.
 

Londo_Jowo (Lifer, Jan 31, 2010, londojowo.hypermart.net)
That's pretty ridiculous. I can assure you that whoever knew exactly what hardware is there, had 4 genuine zero-day Windows exploits and went to this level of sophistication would compromise Fanuc's PLCs or anyone else's pretty easily. It's just that Siemens was installed at that target, it's not like the target was hit because it had Siemens.

You can perform pass-through programming with GE and A-B PLCs via the HMI, but it must be done by the programming software. The PLC will be taken offline during the logic download, which would shut down the equipment, so it would be obvious that the program change was taking place.

Apparently the changes can be made without shutting down the equipment with Siemens software.
 

CADsortaGUY (Lifer, Oct 19, 2001, www.ShawCAD.com)
You can perform pass-through programming with GE and A-B PLCs via the HMI, but it must be done by the programming software. The PLC will be taken offline during the logic download, which would shut down the equipment, so it would be obvious that the program change was taking place.

Apparently the changes can be made without shutting down the equipment with Siemens software.

Uhh.. online editing can be done on other PLCs too. Just normally the HMI software doesn't contain the ability to edit code - just pass information. This is not to say that someone couldn't figure out a way to do it - it just can't be done from stock.
 

Londo_Jowo (Lifer, Jan 31, 2010, londojowo.hypermart.net)
Uhh.. online editing can be done on other PLCs too. Just normally the HMI software doesn't contain the ability to edit code - just pass information. This is not to say that someone couldn't figure out a way to do it - it just can't be done from stock.

I know online editing can be done to ladder logic, though it does take several steps to perform. Change the PLC to Remote/Run, begin rung edit, make changes, test edit, and compile edits.

If structured text or function block is used, the changes must be made offline and then downloaded to the PLC. The PLC will transition from Remote/Run to Remote/Program prior to the download. Once the download is completed the software will ask if you want to go back to the Remote/Run state.
 

AnitaPeterson (Diamond Member, Apr 24, 2001)
So, here's a question.

Some people say Wikileaks' Assange should be treated as a terrorist for his recent coup.

Why isn't anyone criticizing the company who discovered the Stuxnet worm, and made its discovery public?

These may seem unrelated at first, but look at it this way:

1) Assange is condemned for aiding and abetting (or whatever the expression is) the "enemies of democracy" by making the U.S. diplomatic documents public.
2) Belarus-based company VirusBlokAda discovers Stuxnet and makes its existence public, thereby thwarting the virus and preventing it from executing its mission: to render inoperable the potentially dangerous military installations of a nation that is part of the current "axis of evil"

Seems to me that divulging the existence of Stuxnet is just as dangerous (if not more so) than the revelations that the U.S. government is keeping tabs on both its allies and enemies.

Thoughts?
 

AnitaPeterson (Diamond Member, Apr 24, 2001)
Pleading ignorance doesn't really work in courts... how is this any different? Should noble intentions be exempt from responsibility?

Wasn't the antivirus company just doing its job? Sure, but then, that's what the TSA also says.

It's all a matter of interpretation. Or, as Obi-Wan Kenobi would put it, "a certain point of view"... and it's a slippery slope.
 

CADsortaGUY (Lifer, Oct 19, 2001, www.ShawCAD.com)
I know online editing can be done to ladder logic, though it does take several steps to perform. Change the PLC to Remote/Run, begin rung edit, make changes, test edit, and compile edits.

If structured text or function block is used, the changes must be made offline and then downloaded to the PLC. The PLC will transition from Remote/Run to Remote/Program prior to the download. Once the download is completed the software will ask if you want to go back to the Remote/Run state.

The steps don't mean as much as it seems you are thinking. Yes, downloading would cause problems but online editing would take nothing more than a script to do especially if someone took the time to write something that allowed direct program access without needing the prog software loaded on the HMI it took over.

Meh, I still think it's pretty damn interesting but probably not all that elaborate code wise - the elaborate part was the intel to direct the code writing so it knew what was supposed to be in place.
 

CADsortaGUY (Lifer, Oct 19, 2001, www.ShawCAD.com)
I don't think it's as simple as you think. I've seen engineers with the help of A-B and GE attempt to write batch files to simplify the process with no success.

Didn't say it was simple, but definitely possible.

lol, there is little reason for batch files to simplify an A-B process. GE - don't know - don't care - it's not something I deal with. Both by choice and by customer choice. lol. The process of writing code and HMI apps in A-B is rather easy due to the tools A-B designs for each. A decade ago- maybe, but now it'd be a waste of time to try to shave dev time with batch files. FT is so finicky it'd probably F something else up. :p
 

Mark R (Diamond Member, Oct 9, 1999)
New report out from a scientific group that has carefully dissected the Stuxnet worm. The conclusion is tantalising - the worm seemed precisely engineered to destroy or damage very high-speed uranium enrichment centrifuges.

Short version: The stuxnet worm triggers when it detects a certain industrial configuration - specifically, large banks of variable-voltage, variable frequency inverter drives, designed for speed control of ultra-fast motors.

The payload is to reprogram the motor speed controllers to ramp up to approximately 90,000 rpm as hard as possible. After a short period of overspeed - the motor controllers would then have their original program restored, presumably in an attempt to make diagnosis of the malfunction as difficult as possible.

By curious coincidence, based on analysis of the Iranian centrifuge design, 90,000 rpm is significantly above their normal speed and would almost certainly cause irreparable damage to the centrifuges, if not completely destroying them.

NY Times article
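The "overspeed, then restore the original program" pattern described in the post above is exactly what a live HMI screen hides: once the drives are back at their normal setpoint, a snapshot of current values looks healthy, and only retained trend data shows the excursion. The following is an added example, not code from the report, the thread or any vendor, that runs a plausibility check over a constructed HMI trend export. The drive names, the 63,000 rpm "normal" speed, the 70,000 rpm ceiling and the ramp-rate limit are all assumptions made for the example; the page only states that 90,000 rpm is well above the centrifuges' normal speed.

```python
from typing import Dict, List, Set, Tuple

# Constructed HMI trend export (not real data): "seconds,drive,commanded_rpm".
# D02 is commanded up towards 90,000 rpm and then set back to its previous value,
# the overspeed-then-restore pattern described above; D01 stays at its normal speed.
SAMPLE_TREND = """\
0,D01,63000
0,D02,63000
10,D01,63000
10,D02,63000
20,D01,63050
20,D02,71000
30,D01,63000
30,D02,89900
40,D01,63020
40,D02,90000
50,D01,63000
50,D02,63000
"""

# Assumed process limits for this example; a real check would take them from the
# mechanical design of the equipment, not from a guess.
MAX_PLAUSIBLE_RPM = 70_000     # no legitimate setpoint should exceed this
MAX_RAMP_RPM_PER_S = 200       # no legitimate setpoint change should be steeper than this


def parse_trend(text: str) -> List[Tuple[int, str, int]]:
    """Parse the CSV export into (seconds, drive, commanded_rpm) rows."""
    rows = []
    for line in text.strip().splitlines():
        t, drive, rpm = line.split(",")
        rows.append((int(t), drive, int(rpm)))
    return rows


def latest_values(rows: List[Tuple[int, str, int]]) -> Dict[str, int]:
    """What an operator sees on the HMI right now: only the most recent sample per drive."""
    latest: Dict[str, int] = {}
    for _, drive, rpm in rows:
        latest[drive] = rpm
    return latest


def check_trend(rows: List[Tuple[int, str, int]],
                max_rpm: int = MAX_PLAUSIBLE_RPM,
                max_ramp: float = MAX_RAMP_RPM_PER_S) -> List[Dict]:
    """Walk the retained trend and report over-ceiling samples, implausible ramps,
    and the moment a drive that was over the ceiling is quietly set back to normal."""
    findings: List[Dict] = []
    last: Dict[str, Tuple[int, int]] = {}      # drive -> (seconds, rpm) of previous sample
    in_excursion: Set[str] = set()             # drives currently above the ceiling
    for t, drive, rpm in rows:
        if rpm > max_rpm:
            findings.append({"t": t, "drive": drive, "kind": "over_ceiling", "rpm": rpm})
            in_excursion.add(drive)
        if drive in last:
            t0, rpm0 = last[drive]
            if t > t0:
                rate = abs(rpm - rpm0) / (t - t0)
                if rate > max_ramp:
                    findings.append({"t": t, "drive": drive, "kind": "ramp", "rate": rate})
            if drive in in_excursion and rpm <= max_rpm:
                # the excursion is over: a current-values screen now shows nothing wrong
                findings.append({"t": t, "drive": drive, "kind": "restored", "rpm": rpm})
                in_excursion.discard(drive)
        last[drive] = (t, rpm)
    return findings


def drives_with_excursion(findings: List[Dict]) -> List[str]:
    """Drives that exceeded the ceiling at any point in the retained trend."""
    return sorted({f["drive"] for f in findings if f["kind"] == "over_ceiling"})


if __name__ == "__main__":
    rows = parse_trend(SAMPLE_TREND)
    print("current HMI values:", latest_values(rows))   # both drives look normal
    for f in check_trend(rows):
        print(f)
```

At the end of the constructed trend both drives read 63,000 rpm, so latest_values() reports nothing unusual, while check_trend() still records D02's three over-ceiling samples, the hard ramps up and down, and the point at which it was restored. That is the practical lesson of the restore step: keep the historian data, and alarm on the trend rather than on the current screen.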