IoT: Pandora's box opens
In July this year, the British magazine The Economist published a report entitled "Can the mouse and keyboard become new weapons of conflict in the war of the fifth space?" The article bluntly recounted how Thomas Reed, who became Secretary of the U.S. Air Force in 1977, described the massive explosion of a Soviet natural gas pipeline in his memoirs.

In June 1982, an American early-warning satellite detected a huge explosion in Siberia. "This was a very large non-nuclear explosion; even the flames could be seen from space," Reed wrote in his memoirs. The violent explosion of the natural gas pipeline was caused by a failure of the computer control system. The Soviet spy who stole the control software from a Canadian company did not know that the CIA had tampered with it beforehand. The logic bomb reset the pump speed and the valve parameters so that the pressure generated in the pipeline rose far beyond the limit that the pipeline joints and welds could bear, causing the explosion. Because the control software had been obtained illicitly, the Soviets had to stay silent about it.

On September 26 this year, Iranian media reported that the Bushehr nuclear power plant under construction in Iran had been attacked by a virus called Stuxnet, although no losses were reported. As the first virus in the world to attack industrial facilities, Stuxnet has attracted extensive media attention. Kaspersky, CEO of the information security company of the same name, told the media at the Kaspersky Security Forum held in Munich, Germany: "I think this will be a turning point. In the past it was only cyber crime, but now I'm afraid we have entered the era of cyber terror, cyber weapons and cyber war."
Kaspersky believes that the emergence of the Stuxnet virus means that Pandora's box has been opened.

What is SCADA

Unlike general-purpose computing, whose purpose is to obtain a computed result, the role of an industrial control application is to monitor and control industrial facilities in real time.

Industrial control applications are generally called supervisory control and data acquisition (SCADA). By sensing, collecting and analysing a variety of environmental data from the operating equipment, SCADA monitors and controls the on-site equipment according to established control logic, providing functions such as data acquisition, equipment control, measurement, parameter adjustment and signal alarms.
After decades of development, SCADA has evolved from the original host-based control systems and distributed control systems to today's networked control systems. It has also evolved from a closed system with proprietary protocols to an open system in which Ethernet and TCP/IP are the mainstream.

At the same time, SCADA has extended from traditional production process control to infrastructure applications including communications, electricity, oil and gas pipelines, water supply and sewage treatment, transportation and epidemic monitoring, and to facility applications involving access control, air conditioning and energy consumption monitoring in houses, airports, ships, space stations and so on.

While the networked, open environment brings many benefits to SCADA, it also makes information security an unavoidable problem. SCADA is used ever more widely, much of it in today's hot information applications such as digital cities and smart cities. The information security of the IoT has therefore become a problem that cannot be avoided.
How the PLC lets Stuxnet succeed

Although single-chip computers (microcontrollers, MCUs), single-board computers and even industrial control computers (IPCs) can be found in fields ranging from TV remote controls to industrial control, the programmable logic controller (PLC) is the most widely used in industrial production process control. This is because only the PLC can work reliably in complex and harsh industrial site environments with large temperature differences, high humidity and strong electromagnetic interference.

A PLC is in fact a modular computer control system. Most PLCs use the relay logic familiar to electricians, so programming is extremely simple. The PLC hardware is modular: different sensor modules and actuator modules can easily be selected as needed and combined with the central processing module to build the required control system.

So-called relay logic realises a control function through the logical combination of the pull-in and drop-out states of the contacts on multiple relays; in a PLC, 1 and 0 represent the pull-in and drop-out of virtual relay contacts. Unlike a computer, which realises a control function through a program, the PLC realises control through the combination of 1s and 0s. Usually developers write the PLC logic on a PC platform and then transfer the control logic to the PLC, which executes it.
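To make the "combination of 1s and 0s" concrete, the following simulator is an added example written for this page (not code from the article, from Siemens or from any PLC vendor). It models contacts and coils as bits in a process image and executes a small relay-logic program the way a PLC scans it: inputs are read, rungs are solved top to bottom, and the resulting bits are the outputs. The tag names (START, STOP, HIGH_PRESSURE, PUMP_RUN, ALARM) and the input frames are constructed for illustration.

```python
"""Minimal relay-logic (ladder) scan simulator: contacts and coils as 0/1 bits."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Contact:
    """A contact reads one bit of the process image.

    A normally-open contact conducts when its bit is 1 (relay pulled in);
    a normally-closed contact conducts when its bit is 0 (relay dropped out).
    """
    name: str
    normally_closed: bool = False

    def conducts(self, image: Dict[str, int]) -> bool:
        bit = image.get(self.name, 0)
        return bit == 0 if self.normally_closed else bit == 1


@dataclass(frozen=True)
class Rung:
    """One rung: parallel branches (OR) of series contacts (AND) driving a coil."""
    branches: Tuple[Tuple[Contact, ...], ...]
    coil: str

    def energized(self, image: Dict[str, int]) -> bool:
        return any(all(c.conducts(image) for c in branch) for branch in self.branches)


class PLC:
    """Executes every rung exactly once per scan, in program order."""

    def __init__(self, program: List[Rung]):
        self.program = program
        self.image: Dict[str, int] = {}  # process image: all input, output and internal bits

    def scan(self, inputs: Dict[str, int]) -> Dict[str, int]:
        self.image.update(inputs)                       # 1. read inputs
        for rung in self.program:                       # 2. solve the logic in order
            self.image[rung.coil] = 1 if rung.energized(self.image) else 0
        return dict(self.image)                         # 3. outputs = image after the last rung


def NO(name: str) -> Contact:          # normally-open contact
    return Contact(name)


def NC(name: str) -> Contact:          # normally-closed contact
    return Contact(name, normally_closed=True)


# Constructed program (hypothetical tag names): a pump with start/stop buttons,
# a seal-in branch so it keeps running after START is released, and a
# high-pressure interlock that drops the pump out and raises an alarm.
PUMP_PROGRAM = [
    Rung(branches=((NO("START"), NC("STOP"), NC("HIGH_PRESSURE")),
                   (NO("PUMP_RUN"), NC("STOP"), NC("HIGH_PRESSURE"))),
         coil="PUMP_RUN"),
    Rung(branches=((NO("HIGH_PRESSURE"),),), coil="ALARM"),
]

# Constructed input frames, one per scan cycle.
INPUT_FRAMES = [
    {"START": 1, "STOP": 0, "HIGH_PRESSURE": 0},   # operator presses START
    {"START": 0, "STOP": 0, "HIGH_PRESSURE": 0},   # START released: seal-in holds the pump
    {"START": 0, "STOP": 0, "HIGH_PRESSURE": 1},   # pressure limit exceeded
    {"START": 0, "STOP": 0, "HIGH_PRESSURE": 0},   # pressure normal again: pump stays off
]


def run_scans(program: List[Rung], frames: List[Dict[str, int]]) -> List[Dict[str, int]]:
    """Run one scan per input frame and return the process image after each scan."""
    plc = PLC(program)
    return [plc.scan(frame) for frame in frames]


if __name__ == "__main__":
    for n, image in enumerate(run_scans(PUMP_PROGRAM, INPUT_FRAMES), 1):
        print(f"scan {n}: PUMP_RUN={image['PUMP_RUN']} ALARM={image['ALARM']}")
```

Note that nothing in the program is "code" in the PC sense: the whole control behaviour, including the interlock, is just which contacts sit in series or parallel on which rung. Changing the NC("HIGH_PRESSURE") contacts to NO would invert the safety behaviour while still being a perfectly valid combination of 1s and 0s, which is the point the next paragraph makes about why such a change cannot be recognised as malicious by inspection alone.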
Describing the PLC only in terms of reliability is not enough; in fact the PLC is also very "honest". Unlike a PC, a PLC has no security software of any kind monitoring the operation of its application program. The PLC scans and executes sequentially, and there is no security software to do any detection. Even if security software were present, malicious behaviour could not be recognised from the combination of 1s and 0s that represents the control logic. On the other hand, the PLC itself does not become infected with a virus. The virus can only replace the original control code with malicious control code when the PLC is being programmed from a PC; the intended destruction is then achieved when the PLC executes that code.

The article "Decrypting the PLC infection process of Stuxnet", published on Symantec's website, gives a detailed description of Stuxnet's complex infection mechanism. In short, the virus makers exploited Windows vulnerabilities and a variety of complex technical means to transmit malicious control code to the Siemens PLC, which then causes the damage while the PLC is running.
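Since the PLC cannot tell good control logic from bad, the practical defence described in the two paragraphs above is to check, from outside the PLC, that the logic it is running is the logic that was approved. The following is an added example written for this page (not code from the article, from Symantec or from Siemens): a golden copy of the control-logic blocks is signed with an HMAC key that is assumed to be held off the engineering workstation, and blocks uploaded from the PLC are compared against that signed manifest. The block names (OB1, FC1, FC2, FC3) and their contents are constructed stand-ins for real compiled blocks.

```python
"""Golden-copy integrity check for PLC control logic (added example)."""
import hashlib
import hmac
from typing import Dict, List

# Constructed stand-ins for the logic blocks held on the engineering workstation.
# Real Siemens blocks are compiled binaries; short byte strings serve here.
GOLDEN_BLOCKS: Dict[str, bytes] = {
    "OB1": b"call FC1; call FC2",
    "FC1": b"pump start/stop with seal-in",
    "FC2": b"high-pressure interlock, trip at 8.0 bar",
}

# Assumption: the key lives off the engineering PC (for example on an offline
# host), so malware on that PC cannot simply re-sign whatever it writes to the PLC.
SIGNING_KEY = b"constructed-demo-key-replace-in-practice"


def block_tag(name: str, data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over block name and body, so a block cannot be swapped under another name."""
    return hmac.new(key, name.encode() + b"\0" + data, hashlib.sha256).hexdigest()


def build_manifest(blocks: Dict[str, bytes], key: bytes) -> Dict[str, str]:
    """Sign every approved block; the manifest is stored with the golden copy."""
    return {name: block_tag(name, data, key) for name, data in blocks.items()}


def verify_plc_logic(uploaded: Dict[str, bytes], manifest: Dict[str, str],
                     key: bytes) -> List[str]:
    """Compare blocks uploaded from the PLC against the signed manifest.

    Returns a sorted list of findings; an empty list means the running logic
    matches what was approved. The upload must be taken from the PLC itself,
    not from the engineering tool's cached view of the project, because that
    view is exactly what malware on the engineering PC is in a position to alter.
    """
    findings: List[str] = []
    for name in manifest:
        if name not in uploaded:
            findings.append(f"missing block {name}")
    for name, data in uploaded.items():
        if name not in manifest:
            findings.append(f"unexpected block {name}")
        elif not hmac.compare_digest(manifest[name], block_tag(name, data, key)):
            findings.append(f"modified block {name}")
    return sorted(findings)


MANIFEST = build_manifest(GOLDEN_BLOCKS, SIGNING_KEY)

# Constructed tampered image: the interlock threshold has been changed, an extra
# block injected, and the main block altered to call it.
TAMPERED_BLOCKS: Dict[str, bytes] = {
    "OB1": b"call FC1; call FC2; call FC3",
    "FC1": b"pump start/stop with seal-in",
    "FC2": b"high-pressure interlock, trip at 80.0 bar",
    "FC3": b"injected timer logic",
}

if __name__ == "__main__":
    print("golden:  ", verify_plc_logic(GOLDEN_BLOCKS, MANIFEST, SIGNING_KEY))
    print("tampered:", verify_plc_logic(TAMPERED_BLOCKS, MANIFEST, SIGNING_KEY))
```

The check deliberately says nothing about whether a modified block is "malicious"; it cannot, for the reason the article gives. It only reports that the running logic differs from the approved logic, which is the question a plant can actually answer, and which should be asked both before every download and periodically while the PLC runs.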
Overturning the old concepts

Before Stuxnet appeared, people held misconceptions about the information security of SCADA: they put too much faith in the idea that special protocols and special interfaces improve security, that a physically reliable SCADA system is also secure, and that a SCADA network not connected to the Internet is safe. As a result, information security and authentication were ignored in the design, implementation and operation of existing SCADA networks.

In fact, security and reliability are completely different things. There is no doubt that the Internet is reliable, because the original intention behind its construction was to build a communications network that could not be broken or bombed out, yet the information security situation on the Internet is becoming ever more severe. Likewise, although a SCADA network may be physically safe, the very existence of the network brings security risks. Even when SCADA is physically isolated from the Internet, a virus can still launch a leapfrog attack through USB flash drives.
In the past, viruses always spread on a single operating platform, because a virus exploits the vulnerabilities of an operating system. Stuxnet conducts a cross-boundary attack spanning two different hardware architectures, the PC and the PLC. Usually a virus attacks actively by executing a malicious program; Stuxnet instead downloads malicious code to the PLC and then passively waits for the PLC's sequential scan to act on it, causing it to behave wrongly.

Unlike the open software and hardware architecture of the PC platform, a PLC's control logic differs with the object being controlled, so the function represented by each virtual relay contact also differs. Moreover, the PC and the PLC are only connected during programming; while the PLC runs, Windows, which has long been devoted to graphics, entertainment and networking, is too heavy a burden, so the two are disconnected. For the makers of Stuxnet, who deliberately targeted the Bushehr nuclear power plant, this meant they first had to use a springboard to get into the plant's Siemens PLC programming platform; they also had to know the circuit diagram of the control system in order to decide which actuator contacts to break; and they had to make use of the rare moments when the PC and the PLC are connected, because the two communicate only during programming and debugging.

In short, these technical difficulties are enough to confirm Kaspersky's statement that manufacturing this virus required not only technical experts but also strong financial backing, so it is unlikely to have been the work of an individual.
Copyright © 2011 JIN SHI