Introducing VirtuaPlant 0.1

Today I’m releasing a project I’ve been working on for the past week, which I called VirtuaPlant (yeah I know, I suck at giving names).

From the project page:

VirtuaPlant is an Industrial Control Systems simulator which adds “similar to real-world” control logic to the basic “read/write tags” feature of most PLC simulators. Paired with a game library and a 2d physics engine, VirtuaPlant is able to present a GUI simulating the “world view” behind the control system, allowing the user to see the would-be actions behind the control system.

This first version features a dead simple single process of filling bottles with small pellets (it was supposed to be liquid, but I still haven’t figured out how to deal with liquids in the engine), but the fun is guaranteed!

Motivation

The idea came after receiving the billionth email asking for recommendations for a PLC simulator. Since I dislike simply recommending one of the soft PLCs with no logic inside, which only let the user read and write values, I decided to write something that contained some logic and also let the user see the effects of their actions.

Then, while doing my daily readings, I stumbled upon this technical article and thought that it could easily be reproduced in software. Enter VirtuaPlant!

Just shut up, show me the goodies!

The main screen is the “game screen” or “world view”, which simulates the real world being controlled by the PLC. It uses the physics engine to render the actions and also features a modbus server “connected” to it.

Fill, fill, fill!

I’ve also made a poor man’s HMI to get the field feel, give feedback on the tags’ status and provide minimum control (Start/Stop). It has a modbus client connected over TCP to the modbus server (PLC) on the World View.

Still less ugly than most HMIs I've seen in the field

And the cherry on top, some attack scripts to make everything a mess! Make the nozzle open all the time, flooding everything; keep the motor on all the time, leaving all the bottles empty; or stop the whole process.

Spill all the things!
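As an added example (not VirtuaPlant’s own code), here is a small Modbus/TCP frame parser plus an allowlist check that flags writes to the PLC coming from any host other than the HMI, which is what the attack scripts above look like on the wire. The host addresses and coil numbers are constructed, not VirtuaPlant’s real tag map.

```python
import struct

# Modbus function codes (Modbus application protocol spec)
FC_READ_COILS = 0x01
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REG = 0x06
WRITE_FCS = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REG, 0x0F, 0x10}  # coil/register writes

def parse_adu(data: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", data[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(data) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = data[7:]
    frame = {"tid": tid, "unit": unit, "fc": pdu[0]}
    if pdu[0] in (FC_READ_COILS, FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REG):
        # these PDUs all carry a 16-bit address followed by a 16-bit count or value
        frame["addr"], frame["value"] = struct.unpack(">HH", pdu[1:5])
    return frame

def build_request(tid: int, unit: int, fc: int, addr: int, value: int) -> bytes:
    """Encode a request whose PDU is function code + address + count/value."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def flag_unexpected_writes(packets, allowed_writers):
    """Return (src, frame) for every write not issued by an allowlisted HMI host."""
    alerts = []
    for src, data in packets:
        frame = parse_adu(data)
        if frame["fc"] in WRITE_FCS and src not in allowed_writers:
            alerts.append((src, frame))
    return alerts

# Constructed sample traffic; hosts and coil addresses are hypothetical.
HMI = "10.0.0.10"
SAMPLE = [
    (HMI, build_request(1, 1, FC_WRITE_SINGLE_COIL, 0, 0xFF00)),  # operator presses Start
    (HMI, build_request(2, 1, FC_READ_COILS, 0, 4)),              # HMI polls four tags
    ("10.0.0.66", build_request(3, 1, FC_WRITE_SINGLE_COIL, 2, 0xFF00)),  # unknown host forces a coil
]

if __name__ == "__main__":
    for src, frame in flag_unexpected_writes(SAMPLE, {HMI}):
        print(f"ALERT: write fc={frame['fc']:#04x} addr={frame['addr']} from {src}")
```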

Demo

Here’s a video of VirtuaPlant in action:

I wanna get it! Gimme!

Rush to the project page to find out more about the project, get the download links and instructions.

Help wanted

If you know pybox2d or are a talented designer, your help is needed in order to make VirtuaPlant even better!

The following improvements are to be made:

  • Better UI for World View and HMI
  • Move from Chipmunk to Box2d
  • Create more plant scenarios

Contact me if you feel like you could help on these matters!

Anatomy of the W32.Stuxnet SCADA threat

Symantec released an in-depth analysis of W32.Stuxnet, reviewed through IDA Pro. The analysis covers the staged infection process, the unusual injection into legitimate services instead of issuing LoadLibrary calls, core encryption and exported functions.

Tofino Security (specialized in SCADA security) has released an excellent white paper on the case (requires [free] registration). If you are a Malware Researcher / Reverse Engineer or just curious, I totally recommend it.

There’s code, great explanations, images, graphs and such, explaining the whole process, from infection and rooting to the malware code proper.

Stuxnet targets SCADA systems via USB drive vectors

Microsoft disclosed a zero-day flaw in the Windows Shell on Friday, and Stuxnet (W32.Stuxnet) is already exploiting it as its attack vector to gain access to SCADA systems.

Since SCADA systems are updated mainly via CDs or pen drives, the attack vector fits like a glove. The malware targets Siemens’ Simatic WinCC software and intends to steal information such as project schematics and upload it to an external website.

From CNet:

Once the malware locates the data it is looking for it encodes it and attempts to upload it to a remote server. The malware waits for a response from the server, which may contain more commands, he said.

Along with the data theft, Stuxnet also provides a trojan backdoor targeting Siemens services and a rootkit (to hide it from the system).

Once the machine is infected, a Trojan looks to see if the computer it lands on is running Siemens’ Simatic WinCC software. The malware then automatically uses a default password that is hard-coded into the software to access the control system’s Microsoft SQL database. The password has been available on the Internet for several years, according to Wired’s Threat Level blog.

Sophos has also released a video on YouTube showing a SCADA system compromised by Stuxnet.

Spreading is done using stolen/spoofed digital certificates:

The malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised, and other software that sneaks onto computers by using digital certificates signed by two Taiwanese chip manufacturers that are based in the same industrial complex in Taiwan, RealTek and JMicron, according to Chester Wisniewski, senior security advisor at Sophos. (Sophos has posted a video showing how a computer is infected on YouTube.) It is unclear how the digital signatures were acquired by the attacker, but experts believe they were stolen and that the companies were not involved.

Adding to this scenario, SCADA admins are not able to change the default password because doing so would break the software.

SCADA systems rely on being unplugged from networks, and as Schneier said, “would YOU like to be the guy that breaks all installed systems controlling valves and such by adding security that nobody demands?”.

It seems that SCADA will demand closer attention from now on, since I agree with other professionals who doubt that this is the first SCADA malware.