“Stuxnet” targeted at automation


“Zero day” attack on Siemens control system software shows alarming new level of malware sophistication

by Andrew Bond, Industrial Automation Insider (August 2010 Issue)


Last month’s cyber attack on Siemens SCADA systems and DCSs has reopened the question of how responsibility for ensuring the security of automation systems in general and those controlling potentially hazardous industrial processes and critical infrastructure in particular should be shared between users and vendors and, indeed, vendors’ suppliers.

Few people in the automation industry, and precious few more in the user community, can now be unaware of the bare bones of what has now become known as the ‘Stuxnet’ affair. According to Siemens it was on July 14th last that the company was notified of a security breach within Windows which could potentially affect its Simatic WinCC SCADA software and the PCS7 DCS which uses WinCC as its HMI. Among the first to identify the threat was Byres Security chief technology officer Eric Byres who confirmed that what Siemens and its users were experiencing was “a zero-day exploit against all versions of Windows including Windows XP SP3, Windows Server 2003 SP 2, Windows Vista SP1 and SP2, Windows Server 2008 and Windows 7.” (see Security threat to the control system world! – this also contains links to other comments on the Stuxnet affair!)

For those, including us, who are not fully familiar with the jargon, a “zero day” exploit is one which attacks a vulnerability that was unknown to the vendor, and hence unpatched, at the time of the attack: the vendor has had ‘zero days’ to prepare a fix. The vulnerability typically only comes to light because of, and at the same time as, the original attack, which leaves every other user of the same software exposed until a patch has been produced and installed.

Spread by USB keys
In this case the ‘malware’, variously described as a Trojan and a worm, seems to have been spread by USB keys, although it can evidently also propagate via network shares from other computers. It exploits a previously unidentified vulnerability (CVE-2010-2568) in the way Windows Explorer renders icons for shortcut (.lnk) files: the shortcut points at a Control Panel item whose icon Windows resolves by loading the DLL named in the shortcut, so the attacker’s code runs as soon as the icon is drawn. The user therefore does not need to open any file or run any application on the USB stick; merely viewing its contents in Windows Explorer is sufficient, and disabling AutoRun consequently provides no protection either.
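One practical response to a shortcut-borne infection is to inspect removable media before it reaches an engineering station. The scanner below is an added example, not code from the original article or from Siemens or Microsoft. It parses the fixed 76-byte shell-link header and the optional link-target ID list of the .lnk format and flags shortcuts whose ID list descends into the Control Panel namespace and then names a file path, which is the shape of shortcut the article describes. The two sample shortcuts are constructed fixtures built by the script itself, not real malware, and the Control Panel and My Computer CLSIDs are the standard Windows shell folder identifiers.

```python
"""Heuristic scanner for shortcut (.lnk) files that abuse the Control Panel icon path.

Added example, not code from the original article or from Siemens/Microsoft.
It reads the fixed 76-byte shell-link header and the optional link-target ID
list of the MS-SHLLINK format, then flags shortcuts whose ID list descends into
the Control Panel namespace and goes on to name a file path: that is the shape
of shortcut the article describes, where merely rendering the icon makes
Windows load an attacker-supplied DLL.
"""
import struct
import tempfile
import uuid
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
# CLSID of the Control Panel shell folder; a benign shortcut to a document or
# program never needs to route its target through this namespace.
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")


def parse_lnk(data):
    """Return the link flags and the raw ItemID payloads of a .lnk blob.

    Raises ValueError if the blob is not a shell link or the ID list is malformed.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        offset = LNK_HEADER_SIZE
        id_list_size = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        end = offset + id_list_size
        # Each ItemID is a 2-byte size (which includes itself) followed by its
        # payload; a 2-byte zero terminates the list.
        while offset + 2 <= end:
            item_size = struct.unpack_from("<H", data, offset)[0]
            if item_size == 0:
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[offset + 2:offset + item_size])
            offset += item_size
    return {"flags": flags, "items": items}


def is_suspicious_lnk(data):
    """True if the ID list enters the Control Panel folder and then names a path."""
    items = parse_lnk(data)["items"]
    for index, item in enumerate(items):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            rest = b"".join(items[index + 1:])
            # Control Panel items name applets by CLSID, not by file path, so a
            # UTF-16 string with a backslash below this point is the red flag.
            # Try both byte alignments because the item layout is vendor-defined.
            return any("\\" in rest[k:].decode("utf-16-le", errors="ignore") for k in (0, 1))
    return False


def scan_directory(root):
    """Return the paths of suspicious .lnk files under root (e.g. a mounted USB key)."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        try:
            if is_suspicious_lnk(path.read_bytes()):
                hits.append(str(path))
        except ValueError:
            continue  # not a shell link; leave it to other tooling
    return sorted(hits)


def build_lnk(items):
    """Build a minimal shell link from ItemID payloads (constructed fixture, not real malware)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(item) + 2) + item for item in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: a plain shortcut to a file, and one shaped like the attack.
BENIGN_LNK = build_lnk([b"\x1f" + MY_COMPUTER_CLSID.bytes_le, b"\x31\x00readme.txt\x00"])
SUSPICIOUS_LNK = build_lnk([
    b"\x1f" + MY_COMPUTER_CLSID.bytes_le,
    b"\x1f" + CONTROL_PANEL_CLSID.bytes_le,
    b"\x00\x00" + "\\\\.\\STORAGE\\payload.dll".encode("utf-16-le"),
])

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as usb:
        Path(usb, "Budget.lnk").write_bytes(BENIGN_LNK)
        Path(usb, "Copy of Shortcut.lnk").write_bytes(SUSPICIOUS_LNK)
        for hit in scan_directory(usb):
            print("suspicious shortcut:", hit)
```

Point scan_directory at the mount point of a USB key before it is plugged into anything on the control network. The check is a heuristic, not a signature: it will miss a shortcut that does not use the Control Panel route, and it deliberately reports on shape rather than on any particular file name, so that renamed copies and the lookalikes the article mentions are caught too.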

Given the ‘zero day’ nature of the attack, it was hardly surprising that no patch was available from Microsoft, although it was hoped that one would be ready by the next scheduled release of patches in early August. In the meantime Microsoft outlined a series of ‘workarounds’ which included, not surprisingly, not plugging in USB keys, disabling the display of icons for shortcuts and disabling the WebClient service.

Microsoft also rapidly released a ‘Fix it’ tool which blocks the vulnerability in most cases, at the cost of Windows no longer displaying shortcut icons, while Siemens made available a clean-up tool which sanitises infected systems but, Siemens warned, might adversely affect the performance of a running control system.

Targeted at automation
So far, so Windows generic. Within days if not hours of the existence of the malware, by then dubbed ‘Stuxnet’, becoming known, a number of less sophisticated lookalikes had been identified, a pattern which is apparently the norm for such attacks. However what seems to set this incident apart from the general run of malicious tomfoolery is that the malware displays an unusual degree of professionalism: its driver components are signed with a code-signing certificate stolen from a legitimate hardware vendor, so that Windows accepts them as genuine, and, even more unusually, it specifically targets industrial automation software. As Byres explained, it “uses the Siemens default password of the MSSQL account WinCCConnect to log into the PCS7/WinCC database and extract process data and possibly HMI screens”, which it then attempts to export via an internet connection to a remote server. However, Siemens warned against what might have seemed the most obvious remedy, changing the password, because that password is hard-coded into the WinCC components themselves: change it in the database and WinCC can no longer talk to its own database.

Adding a sinister twist to the story, again according to Byres, is the fact that discovery of the malware coincided with “a concerted Denial of Service attack against a number of the SCADA information networks such as (the) SCADASEC and ScadaPerspective mailing lists, knocking at least one of these services off line”. That seems to suggest that those responsible had prepared sophisticated plans in advance, not only to release the malware targeting the Siemens systems, but to frustrate users’ and vendors’ attempts to counter the threat.

Control system infection
At the time of writing, Siemens claimed to have identified just one user, a site in Germany, where a control system had actually been infected. Moreover, even in that case, while the malware attempted to export data, it was apparently unable to do so because the server to which the data was sent either did not exist or was off-line.
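The export attempt described above, and the one at the German site that failed because nothing answered, are both visible at the perimeter if anyone is looking: an HMI or engineering station has no business initiating a connection to the internet at all. The detector below is an added example, not code from the original article or from any vendor. The log format, host names and addresses are constructed for the example, and the control-network and internal address ranges are assumptions that would come from a site’s own zone model. It reports every attempt by a control-zone host to reach a non-internal address, whether the firewall allowed it or not, because a denied connection from an HMI is evidence of an infection just as much as a successful one.

```python
"""Flag control-network hosts that try to reach the internet, from firewall logs.

Added example, not code from the original article or from any vendor. The log
format, the host names and the addresses are constructed for the example; the
control-network ranges are assumed and would come from the site's own zone
model. The rule is deliberately blunt: an HMI or engineering station has no
business initiating a connection to a non-internal address, so every such
attempt is reported whether the firewall allowed it or, as in the case the
article describes, the attempt failed because nothing answered.
"""
import ipaddress
from collections import Counter

# Assumed site zone model: control-network subnets and the full internal space.
CONTROL_ZONE = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines in a syslog-style key=value format.
SAMPLE_LOG = """\
2010-07-20T08:12:01 fw01 action=allow src=10.20.1.15 dst=10.20.1.5 dport=1433 proto=tcp
2010-07-20T08:12:05 fw01 action=deny src=10.20.1.15 dst=203.0.113.44 dport=80 proto=tcp
2010-07-20T08:12:09 fw01 action=allow src=10.20.1.15 dst=10.20.1.1 dport=53 proto=udp
2010-07-20T08:13:00 fw01 action=allow src=192.168.50.7 dst=198.51.100.9 dport=443 proto=tcp
2010-07-20T08:13:30 fw01 action=allow src=172.16.4.2 dst=198.51.100.9 dport=443 proto=tcp
this line is not a firewall event and is skipped
"""


def parse_line(line):
    """Parse one 'timestamp host key=value ...' line; return None if it does not fit."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not all(k in fields for k in ("action", "src", "dst")):
        return None
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    fields["timestamp"] = parts[0]
    return fields


def in_any(address, networks):
    return any(address in net for net in networks)


def find_exfil_attempts(log_text, control_zone=CONTROL_ZONE, internal_nets=INTERNAL_NETS):
    """Return events where a control-zone host addressed anything outside the internal space."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if in_any(event["src"], control_zone) and not in_any(event["dst"], internal_nets):
            event["reason"] = "control-zone host contacted external address (action=%s)" % event["action"]
            alerts.append(event)
    return alerts


def offenders(alerts):
    """Count alerts per source host so the noisiest station is investigated first."""
    return Counter(str(a["src"]) for a in alerts)


if __name__ == "__main__":
    hits = find_exfil_attempts(SAMPLE_LOG)
    for hit in hits:
        print(hit["timestamp"], hit["src"], "->", hit["dst"], hit["reason"])
    print(offenders(hits))
```

On the sample, the SQL Server and DNS traffic inside the control zone passes silently, the office host at 172.16.4.2 is outside the zone and is ignored, and the two lines from HMI addresses to external hosts are reported, the denied one included. The same rule applied to DNS query logs would catch the case where the remote server ‘did not exist’.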

Had the objective been actual sabotage, rather than what appears to have been industrial espionage, the consequences could have been very much more serious. Clearly, there is a shared responsibility here. Microsoft has a duty to ensure that its products are as secure as is reasonably possible and to act to eliminate vulnerabilities as soon as is practical after they have been identified. What they can’t reasonably be held responsible for is the consequences of their customers, or their customers’ customers, using those products in a manner which dramatically magnifies the consequences of such unknown vulnerabilities being discovered and exploited by malevolent third parties.

Clearly a Siemens user whose WinCC or PCS7 installation has become infected has at one level been extremely unlucky. Not only has an infected USB stick had to find its way onto the site, presumably via one of its own, a contractor’s or a vendor’s employee, but that stick has to find an unprotected USB slot on or with access to the control system. The fact that, thus far, this has only happened once suggests either that, at least initially, the number of copies ‘in the wild’ was relatively small, or that users’ basic security precautions, including locking down or eliminating USB slots, are in general reasonably effective.

Dangerous software error
Nevertheless, while Siemens enjoyed some initial sympathy for being targeted and even a degree of admiration for the speed with which they have responded, fingers are now beginning to be pointed both at them for the vulnerability of their systems and at the users themselves for adopting such systems without apparently questioning their security. Chris Wysopal, CTO of cyber security specialist Veracode, is particularly critical of Siemens’ use of a hard-coded password which, he says, comes eleventh in what he calls the industry standard ‘CWE/SANS Top 25 Most Dangerous Software Errors.’ Writing on his ZeroDay Labs Blog and alleging that Siemens was aware of the issue as much as two years ago, he asks, “Why didn’t Siemens fix the hard coded password vulnerability when it was first publicly disclosed?”

Wysopal has no doubt where the ultimate responsibility lies. “Software customers that are operating SCADA systems on critical infrastructure on their factories with the WinCC Software had a duty to their customers and shareholders to not purchase this software without proper security testing,” he says. Although the incident will once again raise the bigger issue of whether Windows is in fact a suitable vehicle for mission critical industrial and infrastructure applications, more immediately other vendors and their customers will be examining not just their systems’ susceptibility to this particular vulnerability but whether they provide a similar ‘Open Sesame’ to their applications. Software, argues Wysopal, should be subjected to independent security testing before it is deployed if users are to rely on anything more than the hope that someone else falls victim to the next piece of malware and that a patch is released before their own system is attacked. “With the sophistication shown through this multi-stage USB attack, it is clear that hope is not a viable option,” he concludes.
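The hard-coded WinCCConnect password discussed above is exactly the kind of defect the independent security testing Wysopal calls for would surface before purchase rather than after an outbreak. The check below is an added example, not code from the original article, from Veracode or from Siemens. It scans source and configuration text for password-like keys assigned a literal value, skips values that are evidently placeholders or environment lookups, and marks any user/password pair that appears in a list of known defaults. The sample source and the ‘known default’ pair are constructed for the example; a real scan would carry the site’s own list of vendor defaults.

```python
"""Static check for credentials hard-coded in source and configuration (CWE-798).

Added example, not code from the original article, from Veracode or from
Siemens. It scans text for password-like keys assigned a literal value,
ignores values that are clearly placeholders or pulled from the environment,
and marks any finding whose user/password pair appears in a list of known
defaults. The sample source and the 'known default' pair are constructed for
the example; a real scan would use the site's own list of vendor defaults.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line key user masked known_default")

PASSWORD_RE = re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*[\"']?([^\"';,\s]+)")
USER_RE = re.compile(r"(?i)\b(uid|user id|username|user)\s*[=:]\s*[\"']?([^\"';,\s]+)")
# Values containing these are templates or runtime lookups, not literal secrets.
PLACEHOLDER_MARKERS = ("${", "%(", "{{", "<", "os.environ", "getenv", "secret_store")

# Constructed example of a vendor default that should never survive deployment.
KNOWN_DEFAULTS = {("svc_hmi", "changeme")}

# Constructed sample: a connection-string literal, an environment lookup, a
# placeholder, and a secret that leaked into a comment.
SAMPLE_SOURCE = '''\
conn = pyodbc.connect("DRIVER={SQL Server};SERVER=hmi01;DATABASE=CC_Proj;UID=svc_hmi;PWD=changeme")
DB_PASSWORD = os.environ["HMI_DB_PASSWORD"]
password = "<set at install time>"
# old pwd = "notasecret" -- left behind by a developer
'''


def is_placeholder(value):
    return value in ("", "None", "null") or any(m in value for m in PLACEHOLDER_MARKERS)


def mask(value):
    """Keep the first two characters so a finding can be recognised without reprinting the secret."""
    return value[:2] + "*" * max(len(value) - 2, 1)


def scan_source(text):
    """Return one Finding per line that assigns a literal password."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = PASSWORD_RE.search(line)
        if match is None:
            continue
        key, value = match.group(1), match.group(2)
        if is_placeholder(value):
            continue
        user_match = USER_RE.search(line)
        user = user_match.group(2) if user_match else None
        findings.append(Finding(number, key, user, mask(value),
                                (user, value) in KNOWN_DEFAULTS))
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        flag = " KNOWN VENDOR DEFAULT" if finding.known_default else ""
        print("line %d: %s=%s (user=%s)%s" % (finding.line, finding.key,
                                               finding.masked, finding.user, flag))
```

On the sample the connection string on line 1 is reported as a known default and the commented-out password on line 4 as a plain hard-coded literal, while the environment lookup and the install-time placeholder are left alone. Run over a vendor’s configuration files and installed binaries’ string tables, a check this simple would have shown the WinCCConnect credential to a prospective buyer in minutes.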

Where’s the automation?


ABB’s Houston party may have invited the automation community . . . but in the event it was all about power

By Andrew Bond (Industrial Automation Insider)

The ABB Automation and Power World event, held in Houston (TX US) from May 18th to 20th, gave an impressive display of the total ABB capability: it was the second time that ABB had joined Automation and Power together, presented as a complete complementary product package. The event was impressive, in logistics and size, with around 4500 delegates from 40 countries, listening to a selection of 500 hours of seminars and workshops, plus visiting the 100,000 sq ft of product exhibition area. Attendance at the main public days from customers and press was up 35% on last year: these three days were sandwiched between two busy weekends of ABB sales conferences and meetings, also covering the 800 staff from their distributors and sales partners, so a lot of leverage was added on top of the customer event. From the 1500 ABB staff present in Houston, the most regular comment – even from the power side – was that they had never realized just quite what a broad range of products was indeed available from ABB – but this was always made with a nod towards the power transmission products. (See also our blog Power, Energy and er Automation? last May)

What about Automation?

Peter Terwiesch - more power for major population centres

Well the word is right in there, in the title of the event. This was right where it stayed, in the ABB Automation and Power World Daily Blog from Malcolm Shearmur, from ABB’s corporate communications. Shearmur says he is “particularly interested in the energy challenges facing the world in the 21st century”. Rather than a total blanking of automation news he did include two relevant paragraphs at the end of one report, on a presentation by Peter Terwiesch, ABB’s chief technology officer, mentioning the trend towards wireless measurement: obviously automation is not Shearmur’s main interest. The major topic of Terwiesch’s excellent, and balanced, presentation was the world need to deliver more power to the major population centres, while reducing emissions and using additions from renewable sources, such as hydropower. High Voltage Direct Current transmission (HVDC) is offering the technology to transmit huge amounts of power, over long distances, and not just for power links to offshore platforms. For example ABB is helping to build the 2000km 800kV overhead transmission line from the Xiangjiaba hydro power plant, in southwest China, over to Shanghai, to deliver 6400MW of power (which is almost as much as used by Switzerland, admits Shearmur).

This project exceeds previous technology levels, providing twice the power rating and using a 33 percent higher voltage than all existing installations. ABB has invested in the new equipment development, manufacturing and testing facilities to enable this new technology to be used commercially. This ABB equipment has been under successful test operation at 850kV DC since 2006, at the STRI Laboratory in Sweden.

US Investment in HVDC
ABB see this as an area of major opportunity: Enrique Santacana, head of ABB in the US and North America, announced at a press briefing in Houston that they plan to invest about $90m to build a new high-voltage cable factory in the USA. This is to meet the strong growth in demand for high-voltage direct current (HVDC) applications, in overlay grids being developed to complement the AC grids in use in Europe and the USA.

The Terwiesch presentation did pay particular attention to the convergence and commonalities between power and automation systems. Back in 2004, ANSI, IEC and the main vendors adopted an Ethernet-based global standard for communications and system architecture in substation automation and power distribution systems, providing interoperability between intelligent electrical devices (unfortunately given the acronym “IED”), engineering tools and a flexible and open architecture. And so IEC allocated the next number in their standards list, and called it IEC61850, uniquely – so that industries will not be confused with other standards, for example the functional safety standard, which is of course IEC61508.

Having developed the electrical interfaces to substations and switchgear to IEC61850, an interface module built for the AC800M controller allows the standard System 800xA to provide operator control of process electrification, substation automation and power management. ABB reports the supply of over 800 substation automation projects based on IEC61850. More important is that the same 800xA system can use another standard interface module in the AC800M to communicate with instrumentation fieldbus networks, and provide process control as well. One common 800xA-based operations console can deal with both power and process control, and plant events from either side are recorded on one centralized historian and archive, which also helps track event causality, being on one timeframe.

Twenty projects to date
ABB has combined process and power control systems in this way on over 20 projects to date, primarily in oil and gas plants, but also in mining and minerals, as well as power generation plants. Although overall a small number so far, there was a considerable geographical bias towards such projects in Brazil and South America – coincidentally, the next Automation and Power World event is scheduled for a location in Brazil, in August.
Johan Hansson, the manager of the Control Systems Electrical Integration Centre of Excellence in Sweden, explained some of the advantages of combined control systems in oil and gas plants, where the integral power management system initiates load shedding according to an operator managed priority table, in less than 100msec, whereas previously the selection was hard wired, and much slower. Petrobras have not yet established operational cost savings, but already have saved 20% on training costs by combining the process and power systems: in Petrobras the protection and control relays are a mixture of ABB and Schweitzer IEDs, all to IEC61850.

. . . And so to Instrumentation
ABB in total spends $1bn annually on R&D, employing 6000 scientists. Terwiesch mentioned their recent development of an optical calliper for measurements in the paper industry, monitoring web thicknesses equivalent to 1/50th of a human hair, at 60mph. They are also working on energy scavenging techniques for powering wireless enabled sensors, using energy sources such as vibration, solar power, fluid flow, and temperature differences. The major instrument product launch announcements at Houston centred on wireless sensors, with the main product being the loop-powered FieldKey WirelessHART upgrade adapter, which mounts into any available cable gland on an existing HART instrument. As such it follows the same principle as the Emerson THUM adapter (INSIDER, December 2009, page 2 and also Conquering Complexity on this blog) but claims a “small footprint” as it is indeed a smaller package and antenna than the Emerson unit. ABB see the FieldKey as providing the capability to unlock the stranded information held within the 90% of the 3 million HART instruments already installed whose systems cannot access their intelligence. The data can be accessed, and the devices remotely configured (if needed), using asset management software in 800xA, or with the Asset Vision Professional standalone product. The FieldKey adapters form a self-building mesh network and, working to WirelessHART standard specifications, can be accessed via any WirelessHART gateway: ABB demonstrated their system with a new Pepperl+Fuchs gateway, which is shortly to become available. FieldKey is currently submitted for hazardous area approvals, and ABB are still interested in further field testing, for example at European sites.

FieldKey is a basic building block for ABB to incorporate WirelessHART connectivity in various new product developments: so also presented in Houston was an ABB pressure transmitter that has been adapted to become a wireless transmitter, by incorporating the radio board and a 5 year life battery within the normal transmitter housing, plus a FieldKey antenna mounted in one of the standard conduit connections.

Vibration sensor?

Such battery-powered wireless transmitters are likely to be developed as needed: an example occasionally on display, but mostly kept under wraps, was from the oil and gas development group. This was a prototype of a battery-powered vibration monitor, presumably an accelerometer rather than an acoustic emission sensor, built into a housing no bigger than a standard FieldKey. However, the main emphasis of corporate research appears to be on alternative power scavenging techniques to power such wireless sensors, using heat, vibration, solar or process flow energy. Obviously this vibration sensor is work in progress, but judging by the size of the Perpetuum Free Standing (vibration energy) Harvester (68 Ø × 63 H, delivering 4mA at 5V), launched in May and to be on show at the Sensors Expo in Illinois in June, ABB will find it difficult to incorporate vibration energy scavenging into the current package size.

Energy scavenging using Peltier techniques was the example featured in a demonstration sensor for temperature monitoring, explained further by Philipp Nenninger from the corporate research labs in Karlsruhe (D). Previously shown at the Hanover Fair this year, a temperature difference of 30K between the process fluid and the electronics housing can create the power to drive the temperature monitoring circuit and the WirelessHART data transmission. Included within the housing is a standard non-rechargeable battery, which allows the sensor to continue functioning and transmitting data even as the process goes into shutdown, when the temperature difference might drop below the 30 degrees required. While process requirements for this type of specification are difficult to postulate, Nenninger quoted some keen interest in certain applications. Slowly beginning to think like ABB, the deduction is that the planned applications have to be in temperature monitoring of power transformers, or other power industry duties where wired connections are not possible.

Five year average age
Greg Livelli, US Marketing Manager for Instrumentation, presented a review of the total ABB offering, from pressure transmitters right through to sophisticated spectrometers and ion analysers. Several common themes emerged in the product design concepts, which have been rolled out as a result of the continuous investment and development effort, which will result in the average product age being reduced to five years by 2011. The programming format across all microprocessor instrumentation uses the same style, and the operator keypad follows the principles of the mobile phone, resulting in a common and intuitive look and feel, reducing the need for extensive reading of new manuals for each different instrument: learn one and the rest follow. Equally all diagnostics follow the NAMUR NE107 format, whether on a flue gas analyser or a magnetic flowmeter. Significantly most of the more unusual instrumentation from ABB is dedicated to power industry applications, whether these are for trace iron, aluminium, silica or manganese in boiler feed-water, or for SF6 gas emissions monitoring from HV switchgear.

System 800xA
Roy Tanner, global marketing manager for System 800xA, explained the reasoning behind the recent developments to be launched in Version 5.1 of System 800xA in June. “The System 800xA is designed to meet the challenges produced by the emerging trends in the process industries, such as consolidation of control rooms, intelligent field devices, monitoring and reducing energy consumption and unplanned shutdowns. We need to finally end the ‘islands of automation’ and provide information access for all disciplines. You need more than a DCS. The combined automation and power projects we’re doing have seriously increased the number of I/O and tags required.”

So Version 5.1 will run on Windows 7 and Windows 2008 Server, with double the present system capacity, and introduces the new AC800M PM891 field controller with twice the performance, eight times the memory and three times the clock speed of the PM866 version. Advanced alarm management systems will hide alarms to stop alarm overloads: new Alarm Analysis functions are natively accessible to operators based on Windows Presentation Foundation (WPF) graphics. A new “Point of Control” feature in this release allows an operator in a remote location to request permission to control an area or unit from the responsible operator. Once approved, operation is transferred to the requesting operator and captured in the audit trail: any system alarms occurring in that transferred unit are only flagged up to the remote operator. “We now have interfaces for Profinet, DeviceNet via Ethernet IP and WirelessHART. Our Foundation fieldbus interfaces also support EDDL, and we have connectivity to all ABB legacy systems, and to Provox and TDC3000 systems, that act just like a natural part of the 800xA system” said Tanner. Since introducing System 800xA, ABB now claim to have sold over 5750 systems, with 37,500 AC800M controllers and over 24,500 operator workplaces.

Tanner also mentioned the 800xA safety architecture, with the TÜV-approved logical separation of functions between safety and control qualified up to SIL3 (INSIDER April 2010 page 7). Kristian Olsson of the Process Automation Safety Center of Excellence in Norway explains that he has the ideal situation of the SIL3 approval of 800xA and 19 Safety Execution Centres (ie engineering centres capable of delivery and implementation of safety system projects in accordance with international industry standards). In April the centres in Beijing, Shanghai (CN), Bangalore (IND) and Buenos Aires (ARG) were reported as gaining TÜV certification, joining Denmark, Germany, France, Italy, the UK and Singapore in the ABB listing: ten further centres are in the process of applying for the certification, including those in Canada, the USA, Brazil, Taiwan and South Korea. With more experience and engineering resources available than any other supplier, Olsson is looking to expand this activity into other markets and critical safety areas, maybe even as far as machinery safety systems, he suggested.

The ABB Low Voltage Products Group, exhibiting a few feet away from the System 800xA presentations, was the source of one of the A+P World acquisition announcements, confirming the February acquisition of Jokab Safety International AB, a supplier of innovative products and solutions for machine safety, with 120 employees worldwide, 50 in the USA. We’ve clearly reached that point in the economic cycle where those who’ve survived and have the cash are in a position to make significant acquisitions, though nobody seems prepared as yet to go for the big one. Nevertheless ABB is deploying another $1bn of that fabled cash mountain to buy Atlanta (GA US) based energy network management software provider Ventyx from venture capitalist Vista Equity Partners. ABB is paying approximately four times Ventyx’s annual revenues of $250m for the company, whose portfolio includes solutions for asset management, mobile workforce management, energy trading and risk management, energy operations, energy analytics and planning and forecasting of electricity demand including renewables. ABB CEO Joe Hogan described Ventyx as “a cash-generating acquisition in an exciting growth market.”

Meanwhile, ABB Process Automation has added Louisiana-based K-Tek, a manufacturer of liquid level detection and measurement systems, to their Measurement Products Business Unit. Veli-Matti Reinikkala, head of the Process Automation division, commented that “K-Tek is well established, particularly in the oil and gas industry, which is a growth area for ABB”. K-Tek is quoted as being recognized as a global leader in magnetic level gauges, magnetostrictive level transmitters and laser level transmitters, with sales of $50 million and 250 employees.

This article appeared in the June 2010 issue of IAI

Social networking works! A true story!


So what good is all this social media stuff anyway? It’s a waste of time! All these nerds hunched up over their laptops or iPhones – cometh the iPad?

Everybody can talk to everybody else! (Pic: google code)

Andrew Bond in Industrial Automation Insider comments (February Issue):
Can automation vendors afford to ignore the marketing potential of the ever burgeoning range of social networking tools now available? Almost certainly not, as Readout editor Eoin Ó Riain’s recent experience demonstrates. He, along with INSIDER, was recently contacted by a mutual acquaintance – he’d better remain anonymous, at least for the time being – who had been asked to develop a small SCADA package for a wind turbine and wanted to pick our respective brains for suggestions. We responded in the normal way with a few pointers but Eoin put out a call to the Automation LinkedIn Group as well as flagging up the request on Twitter and on his own blog.

The result, in less than a week, was approaching a dozen replies suggesting a range of potential solutions. Impressive in itself but what is perhaps most significant is that very few were either from or suggested any of the major vendors, despite the fact that Eoin had mentioned that our enquirer was minded to use one of them.

You can’t help feeling that people are missing out here or, as Eoin put it when we mentioned it, “Maybe they are not social media aware!”

OK fair enough! I’ve been using Twitter for around 8 months, and the same with Facebook. LinkedIn also for a while, but we can’t say we have warmed to that as much as to the other two (though it is becoming more sensitive to user requirements, as the just-announced “Reorder the Sections on Your LinkedIn Profile” feature shows!). And then we’re in a few NING sites.

We’ve given one or two thoughts on how we were finding things and progressing during that time: Social Media in July, and then in November “Six months on”, a sort of “how are we doing” report.

We have also published a few articles which, although not specifically on social networking, showed how it could be, and was, used in our business. Reports like Social media writes articles! or the reports on various user group meetings (especially memorable was the 2009 Emerson one, partly because it was the first time we really felt a participant in an event staged in Atlantic-lapped Florida while still sitting and looking west, thousands of miles across the same Atlantic lapping at the mouth of Galway Bay!). Finally we discovered a guy called Seth Godin whose little book gives a good idea as to what is happening here, in Is your marketing out of synch?.

Today we give a small example of what this new thing can do.

In the last week of January an acquaintance asked us for some help. He also asked Andrew Bond of Industrial Automation Insider who commented in the February issue! (See box). We wrote about it on the blog as SCADA help requested! . And tweeted and “facebooked” this blog.

The same request was placed as a discussion on the LinkedIn group called Automation Engineers (5,510 members) with the title “SCADA for wind turbines!”

Within a few days we had eight (8) responses on the LinkedIn site. We also had two private responses, and there were four responses to the blog. In all there were fourteen responses, most of which were from people we had not heard of and would not have heard of but for using these platforms.

The quality of responses varied of course, from straightforward plugging of a product (though surprisingly little) to the sharing of genuine user experience.

As said at the outset we have been extolling the virtues of social networking but had not used it in this way before and the thing that surprised us was the speed in which these responses came in. Hopefully some of them were helpful to our friend, they certainly gave much food for thought.

What would we have done before? Probably palmed off a general and unhelpful response wrapped in sympathetic language. But now we know, from experience, that if somebody comes with a problem we have a whole world out there with people listening out for the call.

What is your social networking experience?