Fortunately, for many years, the water and wastewater industry did not experience too many breaches on the digital front. But a few years back, the Stuxnet virus showed up and our digital innocence was shattered. When this happened, I was somewhat surprised because of the lack of previous attacks, but I never really heard how it all went down until last year when I sat in on a session at WATERCON 2013. When the topic came up the other day, I realized I'd never really shared exactly what I learned that day other than some rough notes I took on Cover-it-live and a general summary on the blog, so I figured I'd finally get around to posting that information today.
The speaker, Michael Minkebige, a control systems engineer with Donohue and Associates, started out by telling us we never really had problems in the past because hackers did not know very much about PLCs. But, he said, "Stuxnet was a game changer." It was the first direct attack on PLC and HMI systems and also the first attack on governmental infrastructure from a physical angle because it was the first to destroy physical equipment. Minkebige said, "we've had other threats like denial of service but firewalls and antivirus software handled this." The other reason we were somewhat protected was that our systems and networks were old and isolated or were proprietary. He also said hackers were concentrating more on PCs – they were typically kids trying to cause trouble or break into banking systems. So basically he said we had "security through obscurity."
Then we heard about the Stuxnet attack in June of 2010. He said it was most likely deployed against Iran in 2009 by another governmental entity. Some person had picked up the virus on a USB stick and uploaded it to the Internet. There were 22,000 infections found in Iran and 6,700 in Indonesia. They suspect it took a team of 5 to 35 programmers 5 years to write the code for the virus. It is 500K bytes while most typical malware is only 10 to 15K bytes.
The virus was spread through memory sticks and targeted Siemens PLCs and HMI software. From what Minkebige understood, the virus would "phone home" to a computer located most likely in Germany or Russia, report what system it was on, and then ask what it should do. The virus was programmed to self-destruct in June 2012. But if your antivirus found it, the virus would morph into something else. It also had two security certificates from Taiwan, so it might also have appeared to be legitimate to an antivirus software program. When the virus did launch its attack, it typically would change data or set points in the program. Then it would misreport information about the operational data, indicating it was operating at the correct levels or set points when it was not. A typical attack might change the speed of centrifuges by cycling them through great speed changes. There was a loss of 500 to 600 centrifuges because bearings were ripped out from this operational attack.
Unfortunately the code is now public knowledge. But there are some steps we have taken to protect our industry. Homeland Security (DHS) is on the lookout for attacks since water and wastewater plants in our country are vulnerable. And if Homeland Security recognizes an IP address from a suspect area accessing your system, the agency will notify your facility. The PLC industry has also added security to their systems. Operators are advised to keep up with patches for PLC systems. Industry organizations and societies are also publishing guidance. And DHS has released a document on how to secure your systems. We are advised to keep our systems off the Internet if possible. Otherwise, a firewall needs to be used for protection. Also, all systems should prohibit unauthorized memory devices from being used on PCs connected to your system, and you should lock out all USB connections to ensure they are not used. IT departments need to be made aware of this threat so they can monitor the systems for any suspicious activity. It's thought that future attacks might not necessarily be the Stuxnet virus, but an alteration of it.
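To make the advice about unauthorized memory devices and IT monitoring concrete, here is an added example (not from the session or the speaker) that lists USB storage devices installed on a Windows workstation and flags any that are not on an approved list. It assumes the install records follow the layout of Windows' setupapi.dev.log; the sample log lines, device names, serial numbers and the allowlist are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the layout of Windows' setupapi.dev.log
# (C:\Windows\INF\setupapi.dev.log); devices and serials are made up.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00\0019E06B9C85F9A0&0]
>>>  Section start 2013/03/04 09:12:44.101
<<<  Section end 2013/03/04 09:12:46.530
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a1f0c1&0&2]
>>>  Section start 2013/03/05 07:30:02.007
<<<  Section end 2013/03/05 07:30:03.112
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\A1B2C3D4&0]
>>>  Section start 2013/03/09 22:41:17.250
<<<  Section end 2013/03/09 22:41:19.004
"""

# Hypothetical allowlist: serial numbers of memory sticks issued by the utility.
AUTHORIZED_SERIALS = {"0019E06B9C85F9A0"}

# Only USBSTOR entries are mass-storage devices; mice, keyboards etc. are skipped.
HEADER = re.compile(
    r"^>>>\s+\[Device Install \(.*?\) - USBSTOR\\(?P<dev>[^\\\]]+)\\(?P<serial>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")


def usb_storage_installs(log_text):
    """Yield (timestamp, device, serial) for each USB mass-storage install."""
    pending = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            # Drop the trailing "&0" instance suffix from the serial number.
            pending = (m["dev"], m["serial"].rsplit("&", 1)[0])
            continue
        s = START.match(line)
        if s and pending:
            when = datetime.strptime(s.group(1), "%Y/%m/%d %H:%M:%S")
            yield when, pending[0], pending[1]
            pending = None
        elif line.startswith(">>>  ["):
            pending = None  # header for some other device class


def unauthorized_devices(log_text, allowlist=AUTHORIZED_SERIALS):
    """Return installs whose serial number is not on the approved list."""
    return [(when.isoformat(sep=" "), dev, serial)
            for when, dev, serial in usb_storage_installs(log_text)
            if serial.upper() not in allowlist]


if __name__ == "__main__":
    for when, dev, serial in unauthorized_devices(SAMPLE_LOG):
        print(f"{when}  unapproved USB storage: {dev} (serial {serial})")
```

A report like this only shows that a device was plugged in; it complements, rather than replaces, locking out the USB ports themselves.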