Is Stuxnet a threat to NPPs?
21 January 2011
Although the recently-discovered malware appears to pose little threat to nuclear installations, its presence throws light on the recent cyber security standards the nuclear industry has developed.
By Caroline Peachey
Stuxnet was first detected in July by an antivirus vendor, VirusBlokAda, based in Belarus. Within two months enough was known about it for German security researcher Ralph Langner to present his findings on Stuxnet at the Applied Control Solutions’ Control System Cyber Security Conference in Rockville, Maryland. His presentation led to sensational headlines that suggested it was a cyber-attack on Iran.
Stuxnet is malicious software code, or malware, that is able to manipulate and control processes at industrial facilities using Siemens SCADA (supervisory control and data acquisition) systems. SCADA systems are used in many industrial facilities, including those for manufacturing, production, power generation, fabrication, and refining.
Stuxnet is able to influence the processing of operations of control systems that use Siemens SIMATIC WinCC or SIMATIC PCS7 software. This software is used, respectively, for monitoring automated processes and in the programming configuration of Siemens programmable controllers.
Joe Weiss, cyber security expert and managing partner of Applied Control Solutions, organized the conference where Stuxnet made such a splash. He told Nuclear Engineering International how the malware could affect Siemens programmable logic controllers (PLCs). “A programmable logic controller is a computer that takes instructions to perform various functions such as opening, closing or modulating a valve; turning on, off or adjusting the speed of a motor et cetera. It takes input from process conditions such as temperature and pressure.” Weiss added: “From everything we can tell, given specific process conditions, Stuxnet has been designed to cause physical damage.”
On its support website, Siemens has echoed this theory. “The malware is able, under certain boundary conditions, to influence the processing of operations in the control system,” the company said.
Stuxnet is believed to be targeting a specific facility. In late September, Kevin Hogan, senior director of security response at Symantec, told Reuters that 60% of the computers infected by Stuxnet were in Iran, indicating industrial plants in that country were the target. This led to press speculation that the target has been the Bushehr nuclear power plant or Iran’s uranium enrichment facilities.
The Siemens support website said: “The behavioural pattern of Stuxnet suggests that the virus is only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns, which apply to a specific production process...This means that Stuxnet is obviously targeting a specific process, or a plant, and not a particular brand or process technology, and not the majority of industrial applications.”
Weiss said that the concern is that not just Siemens PLCs could be vulnerable. Stuxnet could have been targeted at a control system designed by GE, ABB, or Rockwell. Siemens PLCs were chosen because they are used at the target facility, which according to press speculation, in late September, could be in Iran, where the fuel loading at the Bushehr nuclear power plant has been delayed by around a month.
In late September Iran admitted that Stuxnet had infected personal computers of some Bushehr staff, but the head of the country’s Atomic Energy Organization, Ali-Akbar Salehi, said the reactor’s main systems were not affected. In October, the official state IRNA news agency blamed the delay in loading fuel into the reactor on a ‘small leak in a pool near the reactor,’ which has now been fixed, and echoed the fact that the delay was not due to Stuxnet. Fuel loading at Bushehr is now due to start in mid-October, with first electricity production expected by mid-December, a month later than Iranian officials announced in August.
On 1 October, Siemens’ support website said that the company knew of 15 systems that had been infected worldwide. In all cases the malware was removed and it did not have an adverse impact on the automation systems. Siemens also stated that since the end of August there had been no new infections registered. A spokesman from Siemens told Nuclear Engineering International that to its knowledge no power plant has been affected to date. He also said that Siemens is not involved in Iran’s nuclear programme, directly or indirectly.
The North American Electric Reliability Corporation (NERC) said in a press release dated 14 September that there had been no reported instances of Stuxnet in the United States, but it recommended that the industry take precautions in advance. NERC collaborates with the US Nuclear Regulatory Commission on cyber security requirements for nuclear power plants.
How does it infect?
Portable USB flash drives appear to be a primary infection mechanism and Weiss says this means that Stuxnet can affect systems that are not connected to the Internet. It can also infect systems through networks and SQL databases.
According to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the US Department of Homeland Security, the malware uses a so-called ‘zero-day vulnerability’ (or un-patched security hole) in Microsoft Windows’ processing of shortcut files and exploits systems after users open a USB drive with a file manager capable of displaying icons (like Windows Explorer).
The malware installs a Trojan (a harmful piece of software that looks legitimate) that is activated whenever WinCC or PCS7 software from Siemens is installed.
Two of the four zero-day vulnerabilities have been patched since Stuxnet’s discovery and Microsoft has released security updates. In August, Siemens outlined on its support website a recommended procedure for detecting and removing Stuxnet.
However, Weiss was more pessimistic about the removal of Stuxnet from PLC software. “Once Stuxnet gets into the controller the only thing you can do is try to figure out if it is in, and if it is then that controller is no longer trusted. It’s not clear what you could do once the controller has been affected,” Weiss said.
A Siemens spokesman confirmed that in the cases it was aware of where Stuxnet had been detected and removed, it had not been activated.
ICS-CERT says that the actual impact of Stuxnet on control environments is not yet known and is currently being investigated.
NERC said that because various versions of the Windows operating systems are widely deployed throughout the world’s critical infrastructures, including the North American bulk power system, there is ‘the potential for significant impact.’
“NERC is working with the federal government, industry and the security vendor community to develop mitigation strategies focused on bulk power system owners and operators,” said Mark Weatherford, vice president and chief security officer at NERC. “We will continue to have ongoing, internal dialogue to ensure the grid’s security and reliability.”
Where does it come from?
The sophisticated nature of Stuxnet suggests that it is the work of a state. Weiss says that there are probably only 8 or 10 countries in the world that are capable of creating it, but narrowing this down to a single candidate is basically impossible.
The Siemens website said: “Previously analyzed properties and the behaviour of the virus in the software environment of the test system suggest that we are not dealing with the random development of one hacker, but with the product of a team of experts.”
Could Stuxnet affect NPPs?
Weiss said that Siemens PLCs are used in balance of plant control systems at US nuclear power plants. On the other end of the scale, Siemens’ Teleperm XS software platform is used in European nuclear power plant reactor controls (see also pp12-16).
Despite the potential risk, industry experts contacted for this article downplayed the threat that Stuxnet poses. At the same time, they were reluctant to provide a detailed explanation on security grounds.
Lasse Reiman, director of nuclear security at the Finnish Radiation and Nuclear Safety Authority (STUK), told Nuclear Engineering International that Stuxnet is targeted at specific industrial control systems, that those systems are only used in very few applications at nuclear power plants in Finland, and that even if they were affected the worst case outcome would be a plant shutdown. “We think that the threat concerns mostly the availability of these plants,” he said.
“Although the threat is not imminent, we will study it and the threat of similar types of attacks seriously. These kinds of risks are a feature of software-based technology and they need to be considered. NPPs have already taken some measures against them and they are continuously being improved,” Reiman said.
Finland is currently preparing to re-evaluate the protection for Finnish nuclear power plants following an IAEA International Physical Protection Advisory Service (IPPAS) mission to the country last year.
Reiman also noted that the situation is changing as an increasing number of units are looking to install digital instrumentation and control systems. In Finland, a total refurbishment of I&C is ongoing at Loviisa, after which the I&C will be mostly digital, and digital I&C will be used from the start at the Olkiluoto 3 EPR. But Reiman said that both Loviisa and Olkiluoto 3 will have manual hard-wired back-up systems in case the digital systems are lost.
The US NRC would not confirm where Siemens control systems are presently used in US nuclear plants, but said that it was aware of Stuxnet, and did not believe that it poses a current threat. “The NRC’s cybersecurity team and the Department of Homeland Security have assessed the threat. Currently at this time we do not believe that this poses a threat but we take it seriously and it’s continuing to be assessed,” said NRC spokeswoman Holly Harrington on 4 October.
A spokesman for the Nuclear Energy Institute, Mitchell Singer, gave a similar response: “We have been briefed about the worm by federal intelligence officials and are taking appropriate action. I don’t really think this is something we need to worry about. We are confident that we are well protected against cyber attacks,” he said.
Weiss, however, does not believe that US nuclear utilities are taking Stuxnet, or cyber security in general, seriously enough. He is a nuclear engineer, managing director of nuclear plant standards at the International Society of Automation (ISA), and was previously a technical manager at the Electric Power Research Institute.
Are nuclear standards sufficient?
Weiss is concerned that the cyber security standards used by the nuclear industry are not technically adequate to deal with the risk posed by malware such as Stuxnet.
“Control systems are different than IT systems,” Weiss explains. “They are technologically, administratively, and operationally different than IT. The Windows-based HMI can use some IT approaches with caution. But the field controllers which are not Windows-based require their own policies, procedures, and testing.”
Following the 11 September 2001 terrorist attacks, the NRC ordered its nuclear power plant licensees to enhance their overall security and address cyber security threats and vulnerabilities. And since March 2009, a security rule (10 CFR 73.54) has been in place, requiring commercially licensed nuclear power plants to submit their cyber security plans to the NRC. In January 2010, NRC published a Regulatory Guide advising licensees and licence applicants on how to meet these requirements. NRC says the requirements include best practices from the ISA, the Institute of Electrical and Electronics Engineers, the Department of Homeland Security and the National Institute of Standards and Technology (NIST).
Weiss is currently reviewing some of the International Electrotechnical Commission (IEC) standards, such as IEC TC 45, and IAEA cyber security standards. He says those, too, largely focus on IT systems and suggests that the nuclear industry needs to follow standards such as ISA99, which have been developed specifically for control systems.
“Regardless of Stuxnet, the nuclear industry needs to understand the difference between securing IT and control systems, actively participate in ISA99, and act as prudent engineers in securing their control systems. As for Stuxnet, they have to recognize it is real and apply control system cyber security policies and procedures.”
Siemens Automation support website: www.neimagazine.com/stuks1, as of 6/10/10
ICS-CERT advisory, ‘ICSA-10-272-01—Primary Stuxnet Indicators’, dated 29 September 2010. www.neimagazine.com/stuks2