Control Systems a New "Bull's-eye" for Hackers: Page 2 of 2

anti-virus firm, redirected traffic away from those servers, thereby preventing them from controlling infected machines and retrieving stolen information. During a 72-hour period, nearly 14,000 unique Internet protocol (IP) addresses infected with Stuxnet attempted to contact the command-and-control server, said Symantec blogger Vikram Thakur. The largest percentages of those hits were in Iran, Indonesia and India, at 58.85 percent, 18.22 percent and 8.31 percent, respectively. Only 1.56 percent were in the United States.

Miller warned during the Webinar, however, that while these numbers “suggest a lot of compromised machines,” various factors can skew the numbers. The use of network address translation devices, which rotate through different IP addresses, can result in overreporting of compromised machines, he said, while IP addresses can underreport compromised machines when many compromised machines share a single address.

In a July 27 blog posting, Industrial Defender Chief Security Officer Andrew Gintner agreed that “IP addresses are not very reliable indicators of how many machines are compromised.” But Gintner notes that “experience with counting IP addresses indicates that the count is usually off by no more than 10x in either direction. What this means is that this is a relatively small set of compromised machines, by the standards of the world’s botnets,” he observes.
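The two skews described above, and the 10x bound applied to the article's figure of nearly 14,000 addresses, worked through as an added example that is not from the article or from any of the firms it quotes. The records are constructed, and the per-machine identifier is an assumption: the article only says the sinkhole saw IP addresses.

```python
from collections import defaultdict

# Constructed sinkhole records: (source IP, host identifier).
# The host identifier is hypothetical; it stands in for any per-machine
# value an analyst might have alongside the source address.
CONSTRUCTED_HITS = [
    ("198.51.100.10", "host-A"),  # one machine seen under four addresses
    ("198.51.100.11", "host-A"),
    ("198.51.100.12", "host-A"),
    ("198.51.100.13", "host-A"),
    ("203.0.113.5", "host-B"),    # three machines behind one shared address
    ("203.0.113.5", "host-C"),
    ("203.0.113.5", "host-D"),
    ("192.0.2.77", "host-E"),     # one machine, one address
    ("192.0.2.77", "host-E"),     # repeat check-in, not a new machine
]


def summarize(hits):
    """Compare the unique-IP count with the unique-host count."""
    ips_by_host = defaultdict(set)
    hosts_by_ip = defaultdict(set)
    for ip, host in hits:
        ips_by_host[host].add(ip)
        hosts_by_ip[ip].add(host)
    return {
        "unique_ips": len(hosts_by_ip),
        "unique_hosts": len(ips_by_host),
        # Machines counted more than once because their address changed.
        "overcounted_hosts": sorted(
            h for h, ips in ips_by_host.items() if len(ips) > 1
        ),
        # Addresses that hide more than one machine.
        "shared_ips": sorted(
            ip for ip, hosts in hosts_by_ip.items() if len(hosts) > 1
        ),
    }


def plausible_range(ip_count, factor=10):
    """Bounds on infected machines if the IP count is off by at most `factor`."""
    return ip_count // factor, ip_count * factor


if __name__ == "__main__":
    print(summarize(CONSTRUCTED_HITS))
    # 14,000 approximates the article's "nearly 14,000" unique addresses.
    print(plausible_range(14_000))
```

In this sample the two effects pull in opposite directions: six addresses for five machines, with one machine inflating the count and one address hiding three machines.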

While the virus was reportedly first discovered on June 17 by Ukrainian anti-virus firm VirusBlokAda, Stuxnet hit the blogosphere and headlines in a big way beginning on the weekend of July 17-18. There are currently no patches available from Microsoft for the Stuxnet virus. Siemens, for its part, moved quickly after being notified of the virus on July 14, assembling a team to evaluate the situation and work with Microsoft and others, the company said.

Removal tool

On July 22, Siemens said that it was making available a tool—developed by Cupertino, Calif., anti-virus firm TrendMicro Inc. (http://us.trendmicro.com)—to detect and remove the virus. However, Siemens advised users to work closely with customer support personnel before using the tool, to avoid any adverse effects on their systems. In product information dated July 26, Siemens said it was only aware of the two customer cases worldwide of infected computers. A production plant had so far not been affected, the company said.

Among various recommendations, participants in the Industrial Defender-sponsored Webinar advised continued vigilance and use of sound cyber-security practices by control-systems users. Byres said it is “highly likely” that other malware targeting industrial control systems is loose in the wild and has not yet been discovered.

While the Stuxnet virus makes use of a hardcoded default password within the Siemens system that cannot be changed by users, this is not an uncommon situation with other control systems, the experts said. And in many cases, users fail to change default passwords—even when they can—and they fail to follow other recommended vendor security practices, Webinar panel members pointed out.

In the future, users should push vendors to eliminate the use of hard-coded passwords, said Digital Bond’s Peterson. And he warned that non-Siemens control systems users must also stay on their toes. “There’s a lot of things that could have been in that [virus] payload, and unfortunately for Siemens, at this point, they decided to target them, but the rest of us shouldn’t [rest] easy, whether we’re vendors or users,” Peterson advised.

A replay of the Industrial Defender Webinar is available for viewing on the company's Web site, following registration, here.

Byres Security Inc.
www.tofinosecurity.com

Digital Bond Inc.
www.digitalbond.com

Industrial Defender Inc.
www.industrialdefender.com

ICF International
www.icfi.com

Siemens Industry Inc.
www.usa.siemens.com/industry

Symantec Corp.
www.symantec.com

TrendMicro
http://us.trendmicro.com
