Quiet Waters Blog

Blog archive
SCADA at Yuma, Ariz., wastewater treatment plant.

Did Anybody Hear a Thud?

Remember the fable about a chicken that was hit in the head by a piece of falling fruit? She went around screaming, “The sky is falling, the sky is falling” and got all the animals in a paranoid uproar until a wise old lion showed them how silly they were.

Well, at WEFTEC I got involved in a "sky is falling" issue. It involves a nasty worm called Stuxnet that uses at least four separate vulnerabilities to penetrate a Microsoft Windows operating system.

Once inside a Windows-based system, the worm looks for a specific SCADA software and PLC brand. When Stuxnet finds the target, it adds some programming to the code. It is designed to update itself and spread via USB data sticks.

What the code does, no one is saying. But it is possible that the code would only prove to be detrimental on only one PLC system in the world. The suspicion is that the worm targeted Iranian nuclear facilities. If it hit the facility and caused damage, well … the Iranians aren’t talking (would you, if you were Iran?)

It does not take a lot of speculation to make plant operators fear that their control system is vulnerable and that violations and fish kills are around the corner. Relax. Here is why:

  • Stuxnet was written to penetrate Siemens PLC-based control systems with Siemens SCADA software. Most water and wastewater plants in North America don’t use this brand, so the majority is immune from the worm as it is currently written. Even if it is on your SCADA computer, it is harmless. (Since I work for one of Siemens' competitors, I feel compelled to say that it appears that Siemens was targeted not because of an inherent product weakness, but more likely because it was being used at the facility of interest. Please don’t think I am Siemens bashing.)
  • Only 1.6 percent of all infections occurred in the United States.
  • From a computer security point of view, Stuxnet is not new. It was confirmed in June 2010, and anti-virus vendors have had time to react. Thus, scanning a USB stick should detect the virus.
  • On Oct. 12, Microsoft released a patch to close the vulnerabilities forever.

So what does a utility do? Make sure that your anti-virus protection is up to date and your computers have the latest patches. This might be a challenge for some utilities since these patches come over the Internet, and many facilities keep their SCADA computers off of the Internet for security reasons. Be sure to scan every USB stick that will be used on your control systems. This includes outside contractors.

So the sky is not falling. Yes, SCADA and PLC manufacturers are quickly adjusting their procedures to account for Stuxnet, and possible copycats. But while this is happening, the odds are on your side. Also, if you are impacted by an infection, you can resort to manual control.

Security has become a new concern since September 11. Many plants are looking at it in a new light. We have all learned that a padlock should not be the only answer to facility security. Cameras, access control, chemical handling procedures, and SCADA security must also be part of the picture.

So what was the thud you heard? That was my wife dropping the pizza box on the dinner table. Gotta run.

Posted by Grant Van Hemert, P.E., Schneider Electric Water Wastewater Competency Center on Oct 26, 2010