A major supplier of industrial sorting systems based in the Netherlands has repelled two attacks by the dangerous Stuxnet worm, while separately, the Dutch nuclear power plant Borssele is on high alert.
Reactions to the dangerous Stuxnet worm have varied from company to company. Willem Van der Craats, corporate IT manager at Vanderlande Industries, expressed only a vague notion of what Stuxnet is about. Yet after internal consultation Van der Craats acknowledged that the worm has attacked Vanderlande's systems.
"I have checked, and on our systems in India and England, Stuxnet has indeed been detected. We have resolved it, because the antivirus has caught it," a relieved Van der Craats told Webwereld, a leading Dutch trade publication published by IDG.
Airport luggage systems
Vanderlande has an annual revenue of more than 500 million euros (US$689 million) per year, and has operations in 10 European countries, the U.S., China and India. Vanderlande manufactures automated sorting and distribution systems for industry, transport and airports. Schiphol, Heathrow and Charles de Gaulle airports all use luggage handling systems made by Vanderlande.
The innovative Dutch technology makes full use of process control and monitoring (SCADA) systems made by German manufacturer Siemens, like many other factories, power plants, water managing companies and port operators. Much vital infrastructure, especially in Europe, runs on these Siemens systems, which encompass Simatic Step 7 and WinCC software.
And those systems are the targets of the malicious Stuxnet worm. WinCC visualization software monitors automated processes. Step 7 is used by engineers to create and configure software for Siemens' programmable controllers that operate in factories and manufacturing processes.
Stuxnet has the ability to nest in Step 7 and WinCC. From within those systems it can spy on and manipulate critical business processes.
According to experts, Stuxnet is specifically made to target the Iranian nuclear program. That assessment is based on analysis of the worm's source code and its infection pattern. The malware is considered the most ingenious ever, which raises strong suspicions of connections with Israel or the US
Under the radar
Stuxnet has also infected systems at the Iranian nuclear plant at Bushehr. The opening of this plant has recently been delayed by at least four months, but Iranian authorities have denied any connection with Stuxnet. However, the regime recently admitted that there have been infections and has last reported several arrests in connection with "nuclear cyber-espionage."
The original Stuxnet worm, which is more than one year old, only jumped from system to system via USB sticks. That seems primitive, but it is intentional. Almost all SCADA systems are, for safety reasons, standalone: not connected to a network, let alone the Internet.
Installing updates and copying log files is usually done by USB stick. And since this hampered the spread of Stuxnet, it has long remained under the radar of antivirus companies and industrial system administrators.
Antivirus companies like Symantec suspect that the first version of Stuxnet has not hit its goal. Symantec has just published an extensive analysis of the worm. Because of the failure of version one, a second, more aggressive variant was developed that also has the ability to spread through networks. Instead of the laser-guided missile Stuxnet was before, it now acts more like a cluster bomb.
The result is that currently hundreds of thousands, if not millions of computers are infected, including those of many Chinese factory systems. The worm has possibly even disabled an Indian satellite.
Security experts fear that other hackers will release new variants of Stuxnet. This offspring would be much more infectious, targeting millions of vulnerable Windows systems. Microsoft has already released several patches, but those are not available for older PCs running Windows XP SP 1 or 2. That version of the venerable operating system encompasses approximately one quarter of consumer PCs and nearly half of all office computers. Furthermore, two of the four Windows vulnerabilities that Stuxnet exploits are still awaiting patches and have not been disclosed.
Inquiries by Webwereld into the technical automation market lead to the conclusion that the Stuxnet threat is barely acknowledged in the industry. Some companies have not heard about it at all, while others respond with a knee-jerk reaction: It doesn't pose a threat in our country; our systems are safe.
"Such systems, SCADA and PLCs (programmable logic controllers), are isolated on local systems and networks. They are strictly separated from the Internet," says Wijnand van Asseldonk, operations manager of TASK24, a major provider of technical automation. His response is typical: "We have not heard anything about this from our clients. And we're really not talking about it ourselves."
Nuclear plants do not run on Windows
According to Siemens, the situation really isn't that serious. "We have no problems here in the Netherlands, as far as I know," said a spokesman at Siemens Netherlands. "We have communicated about this with our customers in July and provided an update. Worldwide, there are 15 attacks reported, all without adversely affecting production.
"We are not participating in all this speculation about nuclear plants being hacked. We do not want to downplay it, but there is no solid information about it. Furthermore, we are not directly or indirectly involved in the nuclear program in Iran," the Siemens spokesman said. "And nuclear power plants don't run on Windows anyway."
Does that also apply to the only nuclear power plant in the Netherlands, Borssele? "I cannot provide such details, I hope you understand," said the spokeswoman of EPZ, the owner of the nuclear plant. "But I can tell you that we use Siemens systems." The Dutch nuclear complex was even built by Siemens in the early '70s.
Borssele at Defcon 1
Borssele, an essential part of the Dutch national infrastructure, is a lot more attentive toward Stuxnet. "We have been aware of this virus for some time now. We are informed at the earliest possible stage about such problems. We have taken several precautions to prevent infection," ensures a spokeswoman.
EPZ is an important participant in the Dutch program, National Infrastructure against Cybercrime (NICC). Within the NICC there are various panels currently involved with the worm.
The spokeswoman for EPZ is herself also vigilant: "I use Google Alerts to monitor articles about Stuxnet. It certainly has our attention."
The commercial sector is mostly still oblivious, however. Communication efforts from Microsoft and Siemens about Stuxnet are missed, ignored or not taken seriously by IT companies and administrators. Companies are either not aware at all, or see no need for updates. Van Asseldonk, of service provider TASK24, is not aware of any company that has implemented the important patch from Siemens.
The situation is no different at Vanderlande. Up until now, that is. According to IT manager Van der Craats: "As far as I know, we have not installed the update from Siemens on our systems. But we are currently investigating that. I will be checking this closely from now on."