December 2010 Newsletter

CAS Newsletter December 2010


Stuxnet Virus – Does It Affect You?

PLC Security

In this article we examine the recently discovered Stuxnet virus.
For more information, consult the Symantec W32.Stuxnet dossier.


The origins of the Stuxnet malware package are unknown, but its sophisticated design has led researchers to speculate that its creation may have been sponsored by a nation-state. Discovered in July 2010, Stuxnet is the first known rootkit which targets industrial control systems. The most widely affected country is Iran, but the virus has spread across the world and has been found in the wild. It is believed that it originally spread from laptops belonging to Russian contractors working at the nuclear power plant in Bushehr, Iran.

What it does:

Stuxnet targets frequency converters made by Vacon (in Finland) and Fararo Paya (in Iran). It accomplishes this by subverting the Siemens S7 PLC system, then covertly passing modified code from the host machine to the controller. Stuxnet sends poisoned instructions to converter drives running between 807 Hz and 1210 Hz. The new instructions cause the drives to spin at different speeds, which could either sabotage regular use or cause irreparable damage to rotor assemblies by driving them at speeds which they cannot withstand. After Stuxnet has installed itself and footprinted the compromised host, it attempts to send the information gathered to control servers via HTTP on port 80. It is possible that custom payloads could be remotely loaded, aside from the built-in routines which specifically target converter drives.

How it spreads:

As a primary method of infection, Stuxnet spreads onto USB keys and removable drives. It can also spread through compromising WinCC databases, network shares, a print spooler vulnerability, and peer-to-peer communication. Additionally, Step7 project files can be infected. Using a driver file digitally signed with a Realtek certificate (revoked as of July 16th) or a JMicron certificate, Stuxnet hides files copied to removable drives. Once the malware has been loaded onto a host, it searches out and hooks the SIMATIC WinCC/Step 7 software used to interface with the Siemens PLC system. Not only does the rootkit hide itself on the infected host, but it also hides the modified PLC blocks, making it difficult to detect.

How to protect your system:

All of the vulnerabilities in the Windows operating system have now been patched. As always, it is important to stay current with security updates. Unix-like hosts, such as Linux, BSD, OSX, etc., are not vulnerable to Stuxnet. Going further, disabling USB mass storage on control system hosts (needed for some S7 control functions) would prevent an infected flash drive from loading the malware onto mission-critical machines. Segregating SCADA and control system hosts from other infrastructure and using access control lists between zones is a good preventative method, but the most effective protection against this attack is whitelisting or host intrusion prevention systems. Removing or restricting access to shared network folders is also recommended. Up-to-date anti-virus definitions can identify Stuxnet, but zipped files must be unpacked in order for scans to be completely accurate. Siemens has provided the Sysclean utility, which can be used to remove the infection from a compromised host. It is also important to apply the SIMATIC security updates. And of course, mission-critical servers/systems should never be used for general web browsing, email, etc.

The CAS Protocol Security Gateway:

Most fieldbuses do not provide any security or authentication. Anyone can change a set point or an operating parameter once they have gained access. The Protocol Security Gateway can stop intruders in their tracks. It does this by preventing ‘write’ commands from passing from one side of the gateway to the other unless authorized. Authorization is done on one or any of the following parameters: Destination Node, Memory Address, Source Node, Source IP, Destination IP, Time Interval. You can permit all ‘reads’ or apply the same authorization to ‘reads’. The device provides full audit trails and reports intruder attempts by emailing designated personnel when attempts to make unauthorized changes are made.
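
The write-authorization check described above, sketched for Modbus TCP as an added example (this is not CAS product code or its rule format). `WriteRule`, `parse`, `decide` and the sample addresses are hypothetical; all reads are permitted, and anything that is not a recognized read or an authorized write is dropped and logged.

```python
import struct
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

READS, WRITES = {1, 2, 3, 4}, {5, 6, 15, 16}   # Modbus function codes handled here

@dataclass(frozen=True)
class WriteRule:          # hypothetical rule shape, not the CAS product's format
    src_net: str          # Source IP (CIDR)
    dst_ip: str           # Destination IP
    unit_id: int          # Destination Node (Modbus unit id)
    addr_lo: int          # Memory Address range, inclusive
    addr_hi: int
    start: time           # Time Interval in which writes are permitted
    end: time

def parse(frame: bytes):
    """Return (unit_id, function_code, first_addr, last_addr) from a Modbus TCP frame."""
    if len(frame) < 12:
        raise ValueError("short frame")
    _tid, proto, length, unit, fc, addr, word = struct.unpack(">HHHBBHH", frame[:12])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    count = 1 if fc in (5, 6) else max(word, 1)   # FC 5/6 carry a value, not a quantity
    return unit, fc, addr, addr + count - 1

def decide(frame, src_ip, dst_ip, now, rules, audit):
    """Forward reads; forward a write only when one rule authorizes every field."""
    try:
        unit, fc, lo, hi = parse(frame)
    except ValueError as exc:
        audit.append(("DROP", src_ip, f"malformed: {exc}"))
        return False
    if fc in READS:
        return True
    detail = f"fc={fc} unit={unit} addr={lo}-{hi}"
    ok = fc in WRITES and any(          # unknown function codes fail closed
        ip_address(src_ip) in ip_network(r.src_net) and dst_ip == r.dst_ip
        and unit == r.unit_id and r.addr_lo <= lo and hi <= r.addr_hi
        and r.start <= now <= r.end for r in rules)
    audit.append(("ALLOW" if ok else "DROP", src_ip, detail))   # audit trail entry
    return ok

# Constructed sample: one station may write registers 100-109 on unit 1, 07:00-17:00 only.
RULES = [WriteRule("10.0.5.20/32", "10.0.9.7", 1, 100, 109, time(7, 0), time(17, 0))]
WRITE_OK = struct.pack(">HHHBBHH", 1, 0, 6, 1, 6, 100, 0x1234)                  # FC 6, reg 100
WRITE_SPAN = struct.pack(">HHHBBHHB", 2, 0, 11, 1, 16, 109, 2, 4) + b"\0" * 4  # FC 16, regs 109-110
READ = struct.pack(">HHHBBHH", 3, 0, 6, 1, 3, 0, 10)                            # FC 3, 10 registers
```

Checking the whole address span rather than only the starting address is what stops a multi-register write that begins inside the permitted range from spilling past it.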



QuickServer Modbus to BACnet – $775 – 250 points – Free BACnet/Modbus Software

CAS announces the QuickServer Range.

Sample Bundle:

Price: $775

Points: 250

Support: Exceptional Reputation

Software Tools:
Free CAS BACnet Explorer worth $595

Free Modbus Software (RTU/TCP)
Proven: Over 15 years of gateway experience
Useful: DIP switches for MAC address


New – QuickServer – Low Priced Gateways

Good news! Building and industrial automation integrators can now use the new, high-performance and low-cost QuickServer to interface devices with ease!

FS-QS-1010-XXXX                FS-QS-1011-XXXX

There are two QuickServer designs.

FS-QS-1010 is BTL Marked and it includes two serial ports (up to 115K baud) and one Ethernet port (10/100 RJ45). This allows it to communicate serial to serial, serial to Ethernet or Ethernet to Ethernet.

FS-QS-1011 includes one serial port (up to 115K baud), one Ethernet port (10/100 RJ45) and one FTT-10 LonWorks port. This allows it to communicate serial to serial, serial to Ethernet, Ethernet to Ethernet, serial to LonWorks or Ethernet to LonWorks.

Key Features:

  • Multi-configuration capability; specific configurations selectable via DIP switches or software.
  • Ability to interface up to 250 points of common BAS protocols.
  • Same firmware as our industry proven devices.
  • BACnet COV support for fast data communication while reducing traffic over a BACnet network.
  • Capacity of 250 LonWorks network variables – almost 5 times more than competition – FS-QS-1011 Series.
  • Flat panel mount standard, DIN rail mount option.
  • Free BACnet Explorer worth $595 with purchases that include a BACnet driver.

QuickServer can configure a combination of drivers such as Modbus RTU, Modbus TCP, BACnet/IP, BACnet MS/TP, LonWorks, JCI Metasys N2 and SNMP.

Modbus TCP Modbus RTU JCI Metasys N2 LonWorks SNMP
FS-QS-1010-0285 FS-QS-1010-0237 FS-QS-1010-0104 FS-QS-1010-0122 FS-QS-1011-0131 FS-QS-1010-0333
BACnet MS/TP FS-QS-1010-0285
FS-QS-1010-0419 FS-QS-1010-0367 FS-QS-1010-0309 N/A FS-QS-1010-0694
Modbus TCP FS-QS-1010-0237
FS-QS-1010-0030 FS-QS-1010-0117 FS-QS-1011-0154 FS-QS-1010-0248
Modbus RTU FS-QS-1010-0104 FS-QS-1010-0367
FS-QS-1010-0038 FS-QS-1011-0085
JCI Metasys N2 FS-QS-1010-0122 FS-QS-1010-0309 FS-QS-1010-0117 FS-QS-1010-0038
FS-QS-1011-0097 FS-QS-1010-0150
LonWorks FS-QS-1011-0131 N/A FS-QS-1011-0154 FS-QS-1011-0085 FS-QS-1011-0097
SNMP FS-QS-1010-0333 FS-QS-1010-0694 FS-QS-1010-0248 FS-QS-1010-0150 FS-QS-1011-0337



Safety Picture

Submit any related pictures to us.

Chipkin Automation Systems