Part 2: Stuxnet was a Weapon, Not a Binary — ICS Principles

Milad Kahsari Alhadi
6 min read · Jan 11, 2019


In the previous article, I explained the whole story of Stuxnet and why NSA scientists, with the contribution of cybersecurity scientists from GCHQ and the 1100 unit, designed such malicious software to sabotage the Iranian centrifuges that performed uranium enrichment at Natanz.

Yes, you guessed right: I didn’t want to continue that story any further, because it concerns the war between security and intelligence services and I didn’t want to cross the red lines.

I also explained why this malware changed the whole perspective on militarism and national security for countries today. In this article, I am going to discuss the principal concepts and the air-gap based networking architecture of an ICS environment. After this article, we will be prepared to discuss more advanced concepts.

Introduction to ICS environment

When we talk about an ICS environment, there are three important sections which are related to each other and which, together, monitor, instrument and control the physical equipment and the production line.

I also have to mention that an ICS environment includes places like refineries, nuclear plants, power plants, automotive manufacturers, pharmaceutical plants, oil and gas facilities, transportation and logistics, buildings, and so on.

These three sections of the ICS environment are Information Technology, Operational Technology, and the Physical Section. In the following photo, you can see the structure of an ICS networking architecture in a simplified form.

[Figure: ICS Architecture]

Information Technology:

This section includes management, information, networking, and other critical software-based and IT-based solutions.

It includes important things like the engineering workstations that are used to program programmable logic controllers (PLCs), and which are also used to monitor the state of the real-time physical equipment and facilities, such as the spin rate of centrifuges or the temperature of physical components. There are also web services, Active Directory, mail servers and other critical IT-based software in this section; I have named only a few of them here.

This section is really important for us because, if an attacker can successfully compromise the IT section, he or she can simply cross over into the whole network and spread their access.

In addition, the attacker can then modify the instrumentation and control process of the ICS production line and cause catastrophic events. Because of that, the ICS networking environment is designed and implemented based on an air-gap architecture (I will discuss it in later articles).

As you may know, when an environment is designed with an air-gap architecture, no one can access the IT section from outside the ICS environment, and no one inside the ICS environment can reach the outside; for this reason, this networking architecture is also called an isolated environment.

Operational Technology Section:

This is the most important section for both attackers and security engineers. It includes all control and instrumentation hardware, like the PLCs and sensors that control the equipment in the physical section.

As you may know, a programmable logic controller (PLC), or programmable controller, is an industrial digital computer that has been ruggedized and adapted for the control of manufacturing processes, such as assembly lines or robotic devices, or any activity that requires high-reliability control, ease of programming and process fault diagnosis.

They were first developed in the automobile manufacturing industry to provide flexible, ruggedized and easily programmable controllers to replace hard-wired relays, timers, and sequencers. Since then, they have been widely adopted as high-reliability automation controllers suitable for harsh environments.

A PLC is an example of a hard real-time system, since output results must be produced in response to input conditions within a limited time; otherwise, unintended operation will result.

PLCs range from small modular devices with tens of inputs and outputs (I/O), in a housing integral with the processor, to large rack-mounted modular devices with thousands of I/O, which are often networked to other PLCs and SCADA systems.

They can be designed for multiple arrangements of digital and analog I/O, extended temperature ranges, immunity to electrical noise, and resistance to vibration and impact. Programs to control machine operation are typically stored in battery-backed or non-volatile memory.

Before the PLC, control, sequencing, and safety interlock logic for manufacturing automobiles was mainly composed of relays, cam timers, drum sequencers, and dedicated closed-loop controllers.

Since these could number in the hundreds or even thousands, the process of updating such facilities for the yearly model change-over was very time-consuming and expensive, as electricians needed to individually rewire the relays to change their operational characteristics.

When digital computers became available, being general-purpose programmable devices, they were soon applied to control sequential and combinatorial logic in industrial processes.

However, these early computers required specialist programmers and stringent operating environmental control for temperature, cleanliness, and power quality. To meet these challenges the PLC was developed with several key attributes.

It would tolerate the shop-floor environment, it would support discrete (bit-form) input and output in an easily extensible manner, it would not require years of training to use, and it would permit its operation to be monitored.

Since many industrial processes have timescales easily addressed by millisecond response times, modern (fast, small, reliable) electronics greatly facilitate building reliable controllers, and performance could be traded off for reliability.

I can state this fact simply: PLCs are the most IMPORTANT equipment in the ICS security and hacking field. Everything in an ICS environment is strongly tied to the reliability of the PLCs.

If their operation fails, or if they are modified with malicious logic, terrible and catastrophic events will occur. Believe me, in an industrial environment like a refinery, nuclear plant or power plant, failure of the PLCs can cause a huge catastrophe.

In this series of articles, I will talk a lot about PLCs, because they are the most important equipment and facilities for us. I also have to mention that PLCs are really complicated and quite different from PCs.
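The hard real-time and logic-integrity points above, as a constructed Python model added here (not code from the original article or from any real PLC firmware): one scan cycle that checks the control program against a known-good fingerprint, solves the logic, and drives the outputs to a safe state if the program has been altered or the scan deadline is missed. The 10 ms deadline, the speed ceiling and the input names are assumed values.

```python
import hashlib
import time

SCAN_DEADLINE_S = 0.010  # assumed scan deadline of 10 ms (hypothetical value)
MAX_RPM = 1000           # constructed safe speed ceiling for the simulated motor


def safe_state():
    """Outputs the controller falls back to whenever it cannot trust itself."""
    return {"run": False, "rpm": 0}


def control_logic(inputs):
    """Constructed control program: run only while the interlock is closed,
    and clamp the commanded speed to the safe range."""
    if not inputs["interlock_closed"]:
        return safe_state()
    rpm = min(max(inputs["rpm_setpoint"], 0), MAX_RPM)
    return {"run": True, "rpm": rpm}


def logic_digest(logic):
    """Fingerprint of the control program, taken here from its compiled bytecode.
    Real PLCs expose program checksums through vendor tooling; this stands in for that."""
    return hashlib.sha256(logic.__code__.co_code).hexdigest()


def scan_cycle(inputs, logic, expected_digest, deadline_s=SCAN_DEADLINE_S):
    """One PLC scan: verify the logic, solve it against the inputs, write outputs.
    Returns (outputs, status); any failure forces the outputs to the safe state."""
    if logic_digest(logic) != expected_digest:
        return safe_state(), "logic_integrity_failed"
    start = time.perf_counter()
    outputs = logic(inputs)
    if time.perf_counter() - start > deadline_s:
        return safe_state(), "deadline_missed"
    return outputs, "ok"


if __name__ == "__main__":
    baseline = logic_digest(control_logic)  # recorded from the known-good program
    sensors = {"interlock_closed": True, "rpm_setpoint": 1500}  # constructed inputs
    print(scan_cycle(sensors, control_logic, baseline))
```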

Physical Section:

Yes. The final section of an ICS environment is the physical section. It includes the physical equipment that we have to control remotely with PLCs. Equipment like centrifuges, turbines, and valves sits in this section and is controlled remotely by PLCs.

This equipment is really critical and sensitive to momentary changes. For this reason, PLCs must monitor and instrument it in real time.

Together, the Information Technology, Operational Technology, and Physical sections make up an ICS environment. All hardware and software in these sections are connected to each other with industrial protocols, which I will talk about in coming articles.

Nevertheless, if this environment is compromised by malicious software like Stuxnet, and it successfully modifies the logic of a controller in the operational technology section, the unexpected change in the PLC logic will bring disaster, because the PLC is directly tied to the equipment in the physical section.

For this reason, every malicious actor is looking for a way to compromise an ICS environment and then make changes to the PLC logic. If they can change the PLC logic, they can sabotage the equipment in the physical section, like the IR-1 centrifuges.

In this article, I discussed the basic concepts of an ICS environment: the IT, OT and Physical sections. I also introduced the air-gap architecture and PLCs. In the next article, I will discuss PLCs and air-gapped networks in more detail, give an overview of the programming and internal architecture of a PLC, and explain how malicious software can modify PLC logic.

Telegram: @miladkahsarialhadi

Email: m.kahsari@gmail.com


Milad Kahsari Alhadi

I am the founder of Ai000 Cybernetic QLab, which is a non-profit research place.