Thursday, December 2, 2010

Stuxnet again

Reading the heavily technical Symantec report on Stuxnet. It gets stranger and stranger ...

From what I understand, first the Siemens PLC needs to be infected via Siemens' proprietary Step 7 Windows-based software. Then the PLC needs to connect to "Command and Control" servers via an Internet link. Only then can a programmer change the code in the PLC. Symantec has monitored infections through connections to these Command and Control servers.

The apparent sudden cessation of Iranian infections in August is probably due, according to Symantec, to the Iranians shutting down Internet connections between PLCs and the C & C servers, rather than a real end to infections.

What I haven't fathomed yet is why/how come Iran bought so heavily into Siemens PLC and Step 7 technology and why other countries with the same Siemens PLCs have not been so affected ... is Siemens' market share so much smaller? ... surely other countries are just as prone to IT security lapses as Iran? ... was Siemens part of the story? ... is there something missing in Symantec's technical discussion, e.g. deliberate geographical targeting?

More as I read more ...
