This is going to be a Stuxnet week with more information and some larger issues, opinions and questions to follow.
How did Ralph Langner and his team determine Stuxnet was targeted at a specific target and process? Well first of all it helps a great deal to have Simatic Manager and the PLC in the lab and years of experience with Siemens equipment. Then it involves detailed analysis of the communication between Stuxnet on an infected Simatic Manager and the PLC.
Here is more of the fantastic work by Ralph and the team at Langner Communications — full credit to them.
In regular circumstances, Stuxnet reads the main routine on the S7 PLC [OB1]. If Stuxnet determines that the PLC is not running the process it wants to attack/affect, it stops. No more communication between Stuxnet and the PLC. Again – – it is targeted at one process / facility and does not want to affect anything else.
This behavior actually stumped the team at Langner Communications for a while. Then Ralph decided to test the Stuxnet infected Simatic manager with a PLC that had the memory erased, so there was no OB1 present. After failing to read OB1, Stuxnet accessed a specific Data Block. This is a repeatable, deterministic behavior that is probably a bug in Stuxnet. It should realize OB1 is not present and stop.
This led to a full set of information, and they have all the behavior and fingerprinting of the process being attacked – the DBs, OBs, SDBs, FCs and all the dependencies and timings. This combined with their Siemens and process knowledge has me convinced of the analysis.
Does Siemens know any of this? There has been an eerie silence throughout this from Siemens when it comes to the issue of the impact on their affected applications and PLC’s. Plenty on cleaning out the Microsoft vuln, but nothing more than contact vendor on the Siemens front. I have only have second hand information on what Siemens is telling their customers about cleaning out the PLC, but it is not detailed or accurate if you believe Ralph’s analysis as I do.