Siemens has presented “official” information on Stuxnet, and Joe Weiss asked me to comment on it. There is a lot that could be said about the presentation slides, but I’ll restrict my comment to the essential technical items. One thing that’s interesting about Stuxnet is the fact that major characteristics of it can be explored by lab analysis. It’s like investigating a crime where the weapon is available for forensic analysis, with blood, hair samples, and fingerprints on it. With that said, let’s take a look at Siemens’ prezo slide 5, “How are Simatic S7 controllers affected?” The diagram that you see is severely incomplete. Basically it says that in a WinCC environment, Stuxnet loads DB 890, FC 1865, and FC 1874 to a PLC. What’s missing? A lot:

1. You cannot understand Stuxnet without Simatic Manager (the S7 engineering tool) in the picture. I have said that repeatedly and extensively, for example at WeissCon 2010, where Thomas Brandstetter (the Siemens employee who prepared the presentation) was present. See also our explanation of a sample diagnostic environment setup from September 14, 2010.

2. The Stuxnet Step7 code and data blocks identified by Siemens are ridiculously incomplete. Compare that to Symantec’s schematics in their Stuxnet dossier, which are very accurate. We have independently reached pretty much the same results as Symantec without receiving or requesting cracked STL code from them and vice versa. (Note: My open letter to Liam O’Murchu addressed ONLY the ill-informed assessment of the threat posed by post-Stuxnet malware. I am sorry if anybody could have interpreted this as a devaluation of their exceptional technical analysis.)

3. The most serious omissions in the Siemens presentation are the Step7 and WinCC project infections and exploits in the h0mSave7 and GraCS sub-folders, the code injections in OB1 and OB35, and the complete ignorance of the S7-417 attack code (what Symantec refers to as “attack sequence C”). The latter is something that I find very disturbing. The 417 is Siemens’ high-end product with 30 megabytes of RAM (IT folks: That’s HUGE for a PLC) and a price tag in the five-digit area. If we take Siemens’ statement serious, they don’t even know about that 417 code. This also leaves asset owners with the possibility of having unidentified 417 infections. Hint: Check for the presence of DB 8062.

Another slide is telling “Siemens is dealing very seriously with this issue”. In the lower left, it highlights the question: “Has also the customer done all he can?”, with the misplaced “also” suggesting that Siemens HAS done all they can, while their customers haven’t. I am aware that more than one person felt embarrassed at this point. I also don’t want to believe that this should be all that Siemens can do. The technical detail they provide tells me that their technical understanding of Stuxnet is minimal, that they did not use their resources, which are much bigger than ours and Symantec’s combined, and that they are deliberately ignoring published and verified lab results from independent researchers. I don’t think that this puts them in a position that would allow them to educate the public on the threat, or to tell customers that they probably didn’t do all they could or should have done.

Ralph Langner