Farewell. The Flying Pig Has Left The Building.

Steve Hynd, August 16, 2012

After four years on the Typepad site, eight years total blogging, Newshoggers is closing its doors today. We've been coasting the last year or so, with many of us moving on to bigger projects (Hey, Eric!) or simply running out of blogging enthusiasm, and it's time to give the old flying pig a rest.

We've done okay over those eight years, although we were never quite PC enough to gain wider acceptance from the partisan "party right or wrong" crowds. We like to think we moved political conversations a little, on the ever-present wish to rush to war with Iran, on the need for a real Left that isn't licking corporatist Dem boots every cycle, on America's foreign misadventures in Afghanistan and Iraq. We like to think we made a small difference while writing under that flying pig banner. We did pretty well for a bunch with no ties to big-party apparatuses or think tanks.

Those eight years of blogging will still exist. Because we're ending this Typepad account, we've been archiving the Typepad blog here. And the original Blogger archive is still here. There will still be new content from the old 'hoggers crew too. Ron writes for The Moderate Voice, I post at The Agonist, and Eric Martin's lucid foreign policy thoughts can be read at Democracy Arsenal.

I'd like to thank all our regular commenters, readers and the other bloggers who regularly linked to our posts over the years to agree or disagree. You all made writing for 'hoggers an amazingly fun and stimulating experience.

Thank you very much.

Note: This is an archive copy of Newshoggers. Most of the pictures are gone but the words are all here. There may be some occasional new content, John may do some posts and Ron will cross post some of his contributions to The Moderate Voice so check back.


----------------------------------------------------------------------------------------------------

Tuesday, September 28, 2010

Stuxnet -- More Questions Than Answers

By John Ballard


The Stuxnet cyber-worm story continues to percolate along, just under the mainstream radar, as everyone waits for someone to find the smoking gun. Where did it come from? Who launched it? And why?


Here are a few tasty snacks, ending with Blake Hounshell's best unanswered question of all.




Chris Dodds writes at Focused Fire.


One of the big news stories of the IT security world over the past couple of weeks has been that of Stuxnet, a worm designed to attack industrial control systems.

The discovery of Stuxnet is significant because of its complexity; this isn't your standard 5cr1pt k1dd13 toy. Stuxnet appears to be the end product of a highly competent team of developers who have selected a very worrying target: SCADA systems.


SCADA [Supervisory Control and Data Acquisition] is used to control everything from oil transportation pipelines to McDonald's fountain drink robots. Manufacturing and the energy sectors in particular rely on SCADA systems in their day-to-day operations.


So far, the major target of Stuxnet appears to be Iran's nuclear power and processing infrastructure, with some spidering off into other Middle Eastern and Eastern countries. That may have some Americans saying, "Heck Ya!", but personally, it's got me worried.


In one of my former lives, I performed security audits of SCADA-controlled gas transport systems. After my first project was completed I was left with a big question -- Why haven't we seen any big attacks on these systems? Like a lot of folks, I went in far more optimistic than I should have been. "Being such a core part of our infrastructure, surely the security will be in reasonably decent shape."


Within a day of working through the audit plan, my mind was blown. This highly critical system was incredibly fragile and incredibly insecure. After studying the system for just a few hours I could see countless attack vectors and vulnerability points. Even worse, when these items were brought up, they were almost immediately dismissed as "unlikely".


Most SCADA systems I've seen wouldn't need anything nearly as complex as Stuxnet to bring them down. It's impossible to stress how big of a problem that is. If the McDonald's drink robots shut down, big deal. But if our power infrastructure is compromised, have fun sitting in the dark.


If certain systems such as compressed gas transports are attacked, there are ways an attacker could reprogram the SCADA system to cause back pressure and explosions. If you've got a 30 inch natural gas line running under your city, it might be worth taking note.


Stuxnet wasn't designed to propagate across the world indefinitely. It was built to attack a single target and dig its hooks in. To do what? -- We don't yet know. But it certainly highlights the possibility that there may already be other similar exploits in the wild or in development with their lasers set on us instead of the Iranians. In fact, our infrastructure could already be compromised and we wouldn't even know it. In my experience, the culture of security around these systems is too immature to do much good. For a lot of companies and governments, it's just not seen as a priority.



Seems to know what he's talking about.


Paul Woodward describes himself, by nature if not profession, as a bricoleur. A dictionary of obscure words defines a bricoleur as "someone who continually invents his own strategies for comprehending reality." Woodward has at various times been an editor, designer, software knowledge architect, and Buddhist monk, while living in England, France, India, and for the last twenty years the United States.


Writing in Eurasia Review, he quotes from the Christian Science Monitor and speculates.





On August 5, I reported on the strong evidence that Iran had become the target of a state-sponsored cyber attack.


Ralph Langner envisages that the highly sophisticated attack would have required a preparation team that included "intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison."


The Christian Science Monitor reports:


Since reverse engineering chunks of Stuxnet's massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance -- a target still unknown.


"Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world," says Langner, who last week became the first to publicly detail Stuxnet's destructive purpose and its authors' malicious intent. "This is not about espionage, as some have said. This is a 100 percent sabotage attack."


On his website, Langner lays out the Stuxnet code he has dissected. He shows step by step how Stuxnet operates as a guided cyber missile. Three top US industrial control system security experts, each of whom has also independently reverse-engineered portions of Stuxnet, confirmed his findings to the Monitor.


"His technical analysis is good," says a senior US researcher who has analyzed Stuxnet, who asked for anonymity because he is not allowed to speak to the press. "We're also tearing [Stuxnet] apart and are seeing some of the same things."


Other experts who have not themselves reverse-engineered Stuxnet but are familiar with the findings of those who have concur with Langner's analysis.


"What we're seeing with Stuxnet is the first view of something new that doesn't need outside guidance by a human -- but can still take control of your infrastructure," says Michael Assante, former chief of industrial control systems cyber security research at the US Department of Energy's Idaho National Laboratory. "This is the first direct example of weaponized software, highly customized and designed to find a particular target."


"I'd agree with the classification of this as a weapon," Jonathan Pollet, CEO of Red Tiger Security and an industrial control system security expert, says in an e-mail.


Langner's research, outlined on his website Monday, reveals a key step in the Stuxnet attack that other researchers agree illustrates its destructive purpose. That step, which Langner calls "fingerprinting," qualifies Stuxnet as a targeted weapon, he says.


Langner zeroes in on Stuxnet's ability to "fingerprint" the computer system it infiltrates to determine whether it is the precise machine the attack-ware is looking to destroy. If not, it leaves the industrial computer alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware, but rather attackware meant to destroy, Langner says.


Langner speculates that Iran's Bushehr nuclear power plant may have been the Stuxnet target. He also writes: "The forensics that we are getting will ultimately point clearly to the attacked process -- and to the attackers. The attackers must know this. My conclusion is, they don't care. They don't fear going to jail."


If Bushehr was indeed the target, it may have presented itself first and foremost as a target of opportunity. From the point of view of governments with an interest in sabotaging Iran's nuclear program, Bushehr would not be the most attractive target, but access provided to Russian contractors may have made it the easiest target.


Last September, Reuters reported: "Israel has been developing 'cyber-war' capabilities that could disrupt Iranian industrial and military control systems."


So let's assume that using Stuxnet, Israel has indeed launched the world's first precision, military-grade cyber missile. What are the implications?


1. Iran has been served notice that not only its nuclear facilities but its whole industrial infrastructure is vulnerable to attack. As Trevor Butterworth noted: "By demonstrating how Iran could so very easily experience a Chernobyl-like catastrophe, or the entire destruction of its conventional energy grid, the first round of the 'war' may have already been won."


2. The perception that it has both developed capabilities and shown its willingness to engage in cyberwarfare, will serve Israel as a strategic asset even if it never admits to having launched Stuxnet.


3. When it comes to cyberwarfare, Israel ranks as a major global power. Its own tiny infrastructure makes it much less vulnerable to attack than is the sprawling infrastructure of the United States. Its highly developed military IT industry means that it not only has great domestic human resources but that Israeli IT specialists, through research and employment, have the best possible access to most of the leading development facilities and vendors around the world.


4. As a cyber arms race takes off, we should not imagine that it will be like other arms races where power resides more in capabilities than in the use of those capabilities. "Whereas nuclear weapons have been used twice in human history, cyber weapons are employed daily and there is therefore an existential need to create some form of regulatory system that allows more than implicit deterrence," says Robert Fry.


5. If AQ Khan demonstrated the ease with which a nuclear proliferation network can operate, the fact that the raw material upon which cyberwarfare is based is arguably the most easily transferable object on the planet -- computer code -- means that in certain ways the era of cyberwarfare may prove to be more dangerous than the nuclear era.


6. In the strategic landscape of cyberwarfare the most dangerous player may turn out to be a small but highly developed fortress-state that feels threatened by much of the rest of the world; that neither trusts nor is trusted by any of its allies; that sees its own stability enhanced by regional instability; that has seen its own economic fortunes rise while the global economy suffers; and that views with contempt the notion of an international community.



This morning Blake Hounshell gets the last word because he asks the best question of all.


Even with all the media attention, much remains mysterious about Stuxnet. We know it's a sophisticated piece of malware, one that experts say could only be produced by a high-powered team with insider knowledge of industrial software. We know it was spread using USB thumb drives. But there's a lot we don't know. Here's my attempt to lay out some of the big open questions.

1. What was the target? Although the worm has affected computers in Indonesia, India, Pakistan, and elsewhere in addition to Iran, security researchers who have been poring over Stuxnet for months say it appears aimed at a very specific target. According to Siemens, "The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process." Two German experts, Ralph Langner and Frank Rieger, have offered competing theories as to what that target might be, both of them in Iran, where most of the affected machines are.


Langner guesses that Stuxnet is aimed at Bushehr, Iran's civilian nuclear power plant, which is slated to go online this fall. Langner's case rests largely on the fact that Bushehr runs Siemens software and that Russian contractors would have had access to the facility -- and that they would have used USB drives to set up the system.


Rieger counters that Natanz, Iran's uranium enrichment plant, is a more likely target. Not only is it more of a proliferation threat, there's suggestive evidence that it actually may have been affected by sabotage. (More on this later.) He also points out that Natanz is more likely to have the kinds of identical nodes, in this case "cascades" or groups of centrifuges, that would be susceptible to an attack.


2. Who did it? The obvious culprit is Israel, which has both the sophisticated technology and the motive to sabotage Iran's nuclear program, which it deems a mortal threat. An eerily prescient Reuters article published in July 2009 quotes Scott Borg, a U.S. cybersecurity expert, speculating that Israel might want to do so, adding that "a contaminated USB stick would be enough" to cause real damage to Iranian facilities.


Other countries, such as the United States, China, and Russia, probably have the capability, but only one -- the United States -- has a clear motive (some might add France and Germany to this list). One could spin complicated theories as to why Russia would want to sabotage its own facility, but Occam's Razor probably applies here -- and other reporting has indicated that the United States and Israel have, in fact, approved a covert sabotage campaign that may include a cyber component.


3. Did it work? Who knows? Outside analysts have been speculating for years that Western intelligence agencies have been sabotaging Iranian enrichment efforts, but they're usually talking about false-flag operations to sell Iran damaged centrifuge components. They point to signs that the number of centrifuges Iran is operating dropped precipitously last year, or unconfirmed reports of nuclear accidents, or the sudden and unexplained resignation last year of Gholam Reza Aghazadeh, the head of the Iranian nuclear program. For what it's worth, Iran denies encountering any problems as a result of Stuxnet, and there's little evidence to the contrary. But there could be hidden issues that pop up later on, or Iran could simply be lying.


4. What does it do? The reporting on this question has been maddeningly vague. Siemens says that Stuxnet "can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data," though it has been unable to verify that finding in testing. Supposedly, the worm was designed to send data to a server in Malaysia, which may or may not have been a "command center" that could seize control of PLCs or Programmable Logic Controllers, components used to operate and monitor industrial machinery. The consensus among people who've studied the code seems to be that its aim is sabotage, not simply espionage. But exactly how that was supposed to work remains unclear.


5. Why did it spread so widely? John Markoff, the longtime tech reporter for the New York Times, takes on this question in today's paper. "If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings," he writes. "The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment." He only offers one theory, however: "One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise."


A couple points here. One is that Stuxnet does not seem to have had an "impact" on all those systems, for the reason noted in #1 above: It wasn't aimed at them. Second, it may be that the worm's designers needed it to spread within Iran to be effective -- i.e. from one computer to another within the same facility, or between facilities -- but that there was no way to prevent it from propagating further. Finally, there's some debate among researchers as to whether the virus was programmed to "expire" on a certain date, supposedly in January 2009. In other words, it wasn't supposed to spread, but somehow it did anyway, possibly through Russian contractors.


6. Why would anyone run a nuclear plant using Windows? I've got no answer for this one.



Windows, already!
Why, indeed???


3 comments:

  1. As an IT consultant who recently evolved to become a PLC programmer, I can say through my limited exposure to the SCADA community that they aren't concerned because they haven't had to deal with in-the-wild threats yet.
    In 2001 the CodeRed and Nimda viruses brought the entire MS Windows community to its knees. It changed the culture entirely. Software updates were no longer a nuisance to Microsoft or the network administrators, firewall configurations started blocking outgoing traffic in addition to incoming traffic, and security audits became a standard practice for every small business that wanted to stay online.
    Since Stuxnet didn't halt anyone's operations, they still won't care.