If you’ve got a really good memory, you might remember that the Defence White Paper of 2009 devoted a (comparatively) fair bit of attention to the idea of “cyber warfare” – computer hacking as a weapon of war. Like I said at the time, I reckon it was overhyped.
Well, it seems we have, in the public domain, a pretty clear example of honest-to-god cyber warfare, or at least cyber-sabotage. The basics are covered in this Christian Science Monitor article:
Cyber security experts say they have identified the world’s first known cyber super weapon designed specifically to destroy a real-world target – a factory, a refinery, or just maybe a nuclear power plant.
The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose has grown. Some top cyber security experts now say Stuxnet’s arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.
More technical (though only partial) descriptions of how and what Stuxnet did are here and here. From the descriptions provided there and elsewhere, Stuxnet appears to be a multi-part plan put together with very considerable skill and not a little inside knowledge.
In its initial phase, it appears Stuxnet was a fairly standard “worm”, using security holes in Windows to replicate itself across as many computers as it can. However, it was notable for two things: Stuxnet used multiple, previously unknown security holes to replicate itself. That’s unusual in itself – finding security holes takes considerable time and effort; to use multiple, previously unknown ones suggests a lot of effort was put into it. Furthermore, unless it finds what it’s looking for, it just sits there doing nothing except trying to replicate itself across new machines (but, interestingly, only within certain limits), and hiding its presence. Unlike a lot of worms and other assorted malicious code, Stuxnet seems to have been very well tested to ensure it didn’t misbehave, and through misbehaviour reveal itself.
Stuxnet was designed to look for software that managed “embedded systems” used to control industrial processes. These “embedded systems” are small, special-purpose computers, and run custom operating systems and software. No Microsoft Windows on these! However, they are connected to PCs that are running Windows, and connected to networks, for the purposes of monitoring the operation of the industrial process and transferring updated or reconfigured control software to them. The particular monitoring software that Stuxnet targeted was written by Siemens, the German industrial giant.
Once Stuxnet found systems running the control and monitoring software, it used another previously unknown vulnerability (albeit one that’s an example of incredible stupidity on Siemens’ part) to take control of it. When the user transferred updated software to the embedded system itself, Stuxnet checked to see whether the software being transferred contained some key parts, and if so subtly modified them so that at a certain point, the “attack code” would be run instead. When this happens, the behaviour of the industrial device being controlled by the uploaded software, rather than being what its operators want it to be, would be what the authors of Stuxnet want it to be. It’s a pretty safe bet that the Stuxnet authors weren’t trying to make the industrial process in question operate smoothly!
So, to summarize – Stuxnet was a highly sophisticated piece of malicious software. It was designed specifically to spread itself around, but do nothing to most of the computers it infected. When it reached a very specific target – an embedded computer running custom-written software controlling a particular industrial process – it changed the behaviour of that system for its own purposes. The only plausible explanation for that is that some very skilled and well-funded body, with a lot of inside information, wanted to commit industrial sabotage.
It’s impossible to tell, just by looking at Stuxnet’s code, exactly what the target was. But the worm infections were centered in Iran, and there aren’t that many advanced industrial facilities in Iran, certainly not ones which somebody would go to extraordinary efforts to sabotage. The person who figured out the latest technical details of the worm speculates that it was the Bushehr nuclear reactor, built by Russia for the Iranians. He points to this image of a computer screen from the reactor, noting that a) it’s running the very software targeted by Stuxnet, and b) they’re not even bothering to keep their software licenses updated – the kind of mistake that would have a western nuclear regulatory body screaming blue murder, as it’s indicative of very sloppy IT management. For a variety of reasons, I agree with this guy, who speculates that the Natanz uranium enrichment facility was a more likely target.
Either way, the most likely hypothesis at this point is that Stuxnet was the work of an intelligence agency deliberately trying to sabotage some component of the Iranian nuclear program.
At one level, it’s scary to think that somebody mistakenly inserting a thumb drive into the wrong computer could cause nuclear infrastructure to self-destruct (for what it’s worth, I don’t think they could have caused a catastrophic meltdown at a reactor, even if that’s what the attackers were trying to do). But on the information available so far, I find this reassuring. Yes, cyber-sabotage is possible, but this example shows just how hard it is to pull off real damage.
Putting together the code for this attack would probably have taken months, and – on top of the expert hackers to write the worm code – would have required an expert in Siemens industrial control systems, and detailed knowledge of how the target system worked. In other words, this attack required an expert insider – not just a janitor who works at the plant – to pull off. The combination of experts with very specific skills prepared to use them for destructive purposes, and detailed inside knowledge, very strongly suggests that it’s the work of a nation-state or states. Your local bunch of malcontents aren’t going to be pulling something like this off any time soon.
Furthermore, in the process of pulling off this attack, the attackers revealed a pile of security holes – both generally within the software being used, and procedurally within the target – that will now be closed. So if they want to repeat the dose, they’ll have to start again from scratch, against a target whose IT security procedures are undoubtedly much more strict this time around. Yes, there are undoubtedly more holes, but the barriers to achieving another successful attack will only get higher.
Whoever was responsible for this – assuming it actually delivered its payload to the intended target, and the payload worked as intended, neither of which has been established – is probably feeling pretty pleased with themselves right now, as they watch people outside their clandestine world admire their cleverness. But this kind of thing is not likely to become a routine weapon of war. It’s the modern-day equivalent of the Vemork raid, not the Eastern Front.
‘Either way, the most likely hypothesis at this point is that Stuxnet was the work of an intelligence agency deliberately trying to sabotage some component of the Iranian nuclear program.’
Gosh, I wonder who that could possibly be?
I don’t feel so reassured. The nature of this attack means the code is out in the wild and so discoverable by undesirable elements. A similar attack at some other time could be turned around and used maliciously and indiscriminately by taking out some of the specificity. Not good.
Yeah, fifty bucks on the Israelis.
Nobody knows yet what Conficker’s supposed to do, but I suppose, from what I’ve read about it, it might have been a precursor to this one, so Stuxnet’s not necessarily the first instance of so-called cyber warfare, or at least espionage. I suppose the distinction in this case is the purported specificity of the infection, although a janitor working at the plant could just as easily have performed the installation as anyone else, regardless of who wrote the code, and probably more so than the CIA or Mossad by remote access. It seems more likely a thumb drive incursion than opening a Viagra email.
Nevertheless, cyber warfare is over-touted, and Stuxnet may be more effective in proving a non-point than in highlighting an actual vulnerability. Even in this case there’s been detection and eradication instead of meltdown, so I worry far less about Die Hard 4.0 scenarios than I do about jihadis in dynamite vests, and I worry about them not at all.
I’ll give you two guesses, Ken.
And frankly I wouldn’t be surprised if they cooperated.
Aidan, the holes in Windows that were used in this attack have now been patched. A new attacker is going to have to find some other tricks to get their way in.
I reckon it’d be the israelis, since the NSA can walk in through the back door any time they want, they’ve got the keys to the house.
Find new vulnerabilities? Inevitable.
My point is that in building this weapon they made something that could have been used for malicious purposes. The same could be true when they build another one. I don’t think it is very smart to make weapons like this.
If you’re an Iranian, you might very well think that it has been used for malicious purposes.
My point is that it took a pretty extraordinary effort to create this attack, and the specifics can only be used once.
So they’re only going to go after pretty high-value targets with it.
Furthermore, you go after civilian infrastructure – by far the most vulnerable – it’s not only an act of war, but a violation of the Geneva Convention.
Robert,
Perhaps it was Siemens. They take their license fee revenue pretty seriously.
They use Windows to control a nuclear reactor — scary.
GregA: cyber-espionage is routine these days.
Yes, the janitor could have shoved a USB stick in the drive. But the janitor wouldn’t have been able to explain the detail of how the target process worked so the sabotage routine could be written in the first place.
If it were possible, Steve Jobs’s grin would be as wide as a 24” monitor.
Have a close look at the image of the control system supposedly controlling a nuclear plant. Looks more like a chemical plant to me, unless they’re using lime and sulphuric acid somewhere in their processing.
Diogenes, if the Iranians were using Macs it wouldn’t have made much difference.
Macs have security holes too, it’s just that they don’t get targeted nearly as much because there’s much less value in it.
If they’ve gone to the effort to find four new holes in Windows, they certainly could have found new holes in MacOS.
Ditto for Linux, by the way, though the nice thing about Linux distributions is that you can strip out a hell of a lot of unnecessary stuff and thus remove a lot of vulnerabilities. If software isn’t installed on a system, you can’t exploit its weaknesses.
Nicely spotted, David.
Two possible explanations:
1) the photo caption is wrong and it’s not from Bushehr at all.
2) Somebody’s playing around with the software (to try to learn how to use it, perhaps) and is using a sample configuration from some other system, or supplied by Siemens, rather than the real configuration at the Bushehr plant. Or maybe that software isn’t in production use at Bushehr at all; they were just playing with it for evaluation purposes at that moment.
Robert,
The first explanation is (IMHO) by far the more likely. If you google the main ingredients on that screen (lime milk, sulphuric acid, acrylic, coagulant etc.) the most likely use for them all is in municipal waste water treatment.
Combine that with the likelihood of someone taking a photo of a computer screen in Bushehr (it is not a screen shot, but a photo) and then smuggling it out to a journalist just so that an article can be illustrated (and, in the process, show that the software is out of date) and the simple use of the English language in the title bar of the windows dialog box when a perfectly good Farsi language pack is available for Windows – and you have a bit of journalistic “gilding of the lily” indicated.
My call? The photo is not what it pretends to be. OTOH, the Iranians could be trying to produce nuclear power from ummm … excrement. Those crazy guys.
I’m guessing not many of you have tech backgrounds or have worked with IT security research people (eg the people who design security for the major banks). Cyber war will have been around as long as cyber- has been.
You know the Peter Gabriel line – ‘if looks could kill they probably will’.
Consider that almost the entire USA research budget is devoted to warfare. The Russians ran an entire parallel science establishment devoted to war – I know this from my Russian Maths/DSP colleagues from years ago.
I have no knowledge of the Chinese programs, maybe they aren’t thinking of this stuff…lol
This isn’t weirdo staring at goats stuff – just normal IT but at a high level of expertise.
Gregh, I agree;
I design sophisticated stuff that may have 10,000 lines of “C” coded firmware. This is encrypted.
The only way you can make changes without a complete on-site firmware install (32 bit encrypted) is to load values in a particular format into a bounded and protected parameter table. Out of bounds parameter entries are ignored and logged.
People can hammer away at this for as long as they wish all they will do is inform us (within 5 seconds) via the real time data logging, that a parameter has changed without authorisation and that our system has disconnected as a consequence.
The SCADA (System Control And Data Acquisition) systems in use by various utilities are run by totally anal and security obsessed IT wonks. They are across these issues.
Only total amateurs would base their system on Windows. Banks run on Unix, Macs run on a version of Unix. Windows is just a pile of steaming shit when it comes to embedded systems and networks. We are happy to use it as a typewriter but that’s it so far as we are concerned.
I doubt very much if Siemens or any-one else would use an architecture or system that allows an unsafe state to be injected into a reactor controller.
Having said that, I do know that the US navy did trial a destroyer that was entirely controlled via Windows; they sailed it out of the port, the system crashed and they towed it back.
Huggy
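The bounded, protected parameter table Huggy describes above (out-of-range writes ignored and logged, unauthorised changes forcing a disconnect), as an added illustration in firmware-style C; this is not Huggy’s code or any vendor’s. The parameter names, limits and the “authorised” flag are constructed assumptions standing in for whatever the real authorisation layer supplies.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical parameter table: each entry carries hard limits fixed in
 * firmware (never writable over the link) and a current value. */
#define PARAM_COUNT 3

typedef struct {
    const char *name;
    int32_t min, max;   /* hard limits baked into firmware */
    int32_t value;      /* current setting */
} param_t;

/* Constructed sample entries; the slew limit would stop the 180 degrees
 * in 3 seconds (60 deg/s) dredge incident mentioned later in the thread. */
static param_t params[PARAM_COUNT] = {
    {"slew_rate_deg_per_s", 0,    5,    1},
    {"pump_speed_rpm",      0, 1500,  900},
    {"valve_setpoint_pct",  0,  100,   50},
};

typedef enum { PARAM_OK = 0, PARAM_BAD_ID, PARAM_OUT_OF_BOUNDS,
               PARAM_NOT_AUTHORISED } param_result_t;

/* Audit state pushed to the real-time data log. */
static struct { unsigned rejected; int disconnected; } audit;

/* Apply one write request. 'authorised' is assumed to come from the
 * caller's authentication layer; the table itself never trusts the link. */
param_result_t param_write(unsigned id, int32_t value, int authorised) {
    if (id >= PARAM_COUNT) { audit.rejected++; return PARAM_BAD_ID; }
    param_t *p = &params[id];
    if (!authorised) {
        /* Unauthorised change attempt: log it and drop off the network. */
        audit.rejected++;
        audit.disconnected = 1;
        fprintf(stderr, "ALERT unauthorised write to %s; disconnecting\n", p->name);
        return PARAM_NOT_AUTHORISED;
    }
    if (value < p->min || value > p->max) {
        /* Out of bounds: ignored, logged, value left unchanged. */
        audit.rejected++;
        fprintf(stderr, "REJECT %s=%d outside [%d,%d]\n",
                p->name, (int)value, (int)p->min, (int)p->max);
        return PARAM_OUT_OF_BOUNDS;
    }
    p->value = value;
    return PARAM_OK;
}

int32_t  param_get(unsigned id)   { return id < PARAM_COUNT ? params[id].value : INT32_MIN; }
unsigned audit_rejected(void)     { return audit.rejected; }
int      audit_disconnected(void) { return audit.disconnected; }
```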
Huggy, which bits of which banks? The one I worked for ran all sorts of stuff, including lots of Windows. Even some of the “embedded” systems were Windows. Then there’s the Diebold ATMs which occasionally show all sorts of amusing Windows failures. There were definitely a lot of ’nix systems too, but the desktops were largely Windows (and watching Java programmers using Windows is always good for a laugh).
Moz,
Sure; banks use Windows for lots of stuff. I should have said the inter-bank transactions network, so far as I know it runs on UNIX boxes. I know that the Pacific network runs on a server farm of UNIX machines.
The really heavy duty programmers consider Windows to be some sort of joke. Diebold make voting machines, ’nuff said.
Huggy
“Furthermore, you go after civilian infrastructure – by far the most vulnerable – it’s not only an act of war, but a violation of the Geneva Convention.”
It depends on the circumstances, Robert. There’s all sorts of civilian infrastructure that can be a legitimate and legal target under the Geneva Conventions and the law of armed conflict generally. If an enemy unit is advancing towards a bridge, for example, you are perfectly entitled to destroy it.
Likewise, nuclear facilities could be legal targets in some circumstances. Had the Nazi nuclear program been more advanced in WW2, we would have been entirely justified to throw everything we had at it.
Coming back to the main point of this article. There’s one thing I really don’t get about using the internet to attempt to sabotage vital infrastructure. Why is that infrastructure connected to the net in the first place? I would have thought that the key control systems of, say, a nuclear reactor, would be hermetically sealed. What’s the need to have an outside link?
I have often run control rooms during commissioning. It is not difficult for someone who knows the process and has done similar things before on quite different plants – the logic is simple the displays have much in common. The point I am making is that it could be quite easy to do damage without any understanding of the underlying code as long as the passwords could be bypassed.
Many of these control systems can be run/change software remotely. It has the attraction of allowing control room operators to live in places like Perth instead of the Pilbara or run several control rooms at the same time. It also allows programmers and people like me to solve problems and make changes from Brisbane instead of going to Collinsville to do something that may take a few minutes to fix.
I need more reassurance Huggy if I am to be convinced.
Huggy,
I don’t know the details, but it appears that in this architecture the Windows boxes are connected to the PLCs and display a nice UI for monitoring, upgrading firmware and so on.
New firmware has to be digitally signed to be accepted by the PLC.
According to the reports, it appears that whomever constructed the worm, on top of using a collection of new exploits, managed to steal the certificates to sign their hacked firmware.
I agree that the architecture is highly unlikely to be used for anything safety-critical on a standard, safety-audited nuclear reactor. That’s why I suspect the target was something else, such as the enrichment plant, which has been built in a hurry by Iranians who are probably cutting corners to get the thing up and running.
I believe the Pakistan nuclear program saw similar (though less technically sophisticated) sabotage of foreign supplied components.
RM@14: please be cautious with the “Windows machines get targeted more than MacOS/Linux because they’re more ubiquitous/valuable” myth. Microsoft gets targeted more generally because they are more insecure by design. For example, MS introduced the concept of “Autoplay”, where inserting a CD/DVD/USB stick automatically played its contents. Worse, this setting was turned on by default. This has been the sort of easily exploitable feature that gives MS a bad name. Linux doesn’t do Autoplay.
Siemens needs a good lawsuit or ten for this kind of password “policy”. This is just inexcusable.
Blockquote fail by me. The “Siemens” needs a good lawsuit bit is not meant to be blockquoted. Could the admins change it? Sorry.
Nitpick: they are less secure by policy. The Windows NT security model is actually more comprehensive and integrated than your bog-standard Unix model.
Dave Cutler giveth, Bill Gates withholdeth.
That fact is beyond dispute.
The more interesting question is how UPI allowed this blatant misrepresentation to receive its accreditation.
Down and out: sure, the default policies in a Windows box are less secure than the default settings on a Linux box.
However, there are exploitable holes in every desktop operating system out there (have a look at, say, the Ubuntu security updates list), and the attackers clearly had the motivation to find them.
Stopping them (and we don’t actually know whether they succeeded or not) would have been much more a matter of anal-retentive system administrators than anything else.
For instance, having a proper air gap for the secure network, and having much tighter controls for transferring data from the insecure to the secure network.
Not to mention an internal security apparatus who picked up the insiders who were in on it.
I think the good guys will win here.
We all work very hard to secure our systems, we do not rely on any “security” stuff from Microsoft, we consider this to be a totally corrupted medium.
Most of the events are in the end down to carelessness or ignorance.
Like attempting to slew a 2000 tonne dredge through 180 degrees in 3 seconds or allowing an insecure node to gain access to the control software.
Problem is that many bizoid management types do not understand the issues at all and get seduced by salesmen.
Huggy