Hacking control systems, switching lights off!

Have you ever heard about “Stuxnet”? “Stuxnet” was a very sophisticated cyber-attack against the Iranian nuclear programme. Like in a spy movie, the attackers infiltrated the uranium enrichment plant at Natanz, arranged for infected USB sticks to be inserted into local PCs, and then the USB viruses did the rest.

The virus exploited four distinct, previously unknown weaknesses in the Windows operating system; each of them could have been sold on the underground market for up to $250,000.

The virus was designed to disrupt Iran's uranium production. At first, it scanned the infected PCs for dedicated SCADA (Supervisory Control and Data Acquisition) software from Siemens. Once the virus found that software, it tried to identify any control system components, i.e. so-called PLCs (programmable logic controllers), attached to that PC. If the PLC matched a certain brand (Siemens S7) and configuration, the virus downloaded additional code sequences into that PLC. Those sequences were lethal: clandestinely and over months, they varied the rotational speed of the uranium enrichment centrifuges. Non-constant rotation degraded the uranium enrichment, and the resulting wear-out rendered the centrifuges useless. So the attackers achieved their goal…

While this seems to be a far-fetched and unique example, reality is much worse. Standard control systems deployed in power distribution networks and energy generation, or employed in almost all production lines worldwide (cars, oil, chemicals, etc.), are completely unprotected. While they use the same technologies as standard PCs (the Windows operating system, e-mail and the web) and connect to similar networks, “security” was never part of their design. Thus, breaking into PLCs is easy and straightforward. Switching off the lights in [put your favorite country here] has never been so easy. Not without reason, Richard A. Clarke, advisor to the U.S. President, stated in 2011 that while the U.S. might be able to blow up a nuclear plant somewhere, a number of countries could strike back with a cyber-attack and “the entire U.S. economic system could be crashed in retaliation… and we can’t defend it today”. Replace “U.S.” with “worldwide” and you get the real picture.

What about CERN? Accelerators, experiments and their technical infrastructure are all based on the same control system technologies, with the same drawbacks, vulnerabilities and security risks. Interestingly, colleagues in the former IT/CO group (now EN/ICE) had already created a much less sophisticated variant of “Stuxnet” in 2004. Dedicated tests from 2005 to 2007 showed that one third of the tested control systems could be crashed via a cyber-attack within seconds. Consequently, a strategic working group, the Computing and Networking Infrastructure for Controls (CNIC) group, was mandated in 2004 to improve the cyber-security of CERN’s control systems. This group brought together representatives from all the LHC experiments, the technical and accelerator sectors, as well as the IT department and the Computer Security Team. The result was a clear control system security policy and concrete actions, e.g. the separation of the office network (GPN) from the control network (TN) and the prohibition of USB sticks on the TN. Today, CERN is in direct contact with several vendors and governmental bodies, and collaborates with them to better secure control systems…

So if you are running control systems, check: Is your configuration safe? Do you have proper access control? Do you patch on time? Do you know “security”? If you do not know or have doubts, join the CNIC Users Exchange or contact us at Computer.Security@cern.ch.

For further information, questions or help, please check our website.


by Computer Security Team