Last July we started following Stuxnet, a sophisticated worm that targets industrial computer controllers manufactured by the German engineering conglomerate Siemens. Siemens is the world’s largest manufacturer of Supervisory Control and Data Acquisition (SCADA) systems, which control the machinery involved in industrial and infrastructure processes, including water treatment facilities, power plants, and factories. Last summer, no one knew who was behind Stuxnet or what its intended purpose was. Then, in November, Iranian uranium enrichment facilities suffered a major setback when nearly 1000 centrifuges were destroyed by the malware.
Earlier this week, The New York Times published a compelling article attributing the creation of Stuxnet and its highly targeted attack on Iran’s uranium enrichment program to a joint effort between the Israeli and US governments. The article concludes that the sophistication of the code and its high level of precision would have required resources and knowledge far beyond the reach of any private operation:
“The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.”
However, an article from eSecurity Planet last Tuesday questioned the sophistication of Stuxnet as a whole, noting that while the core program in Stuxnet is highly sophisticated, the dropper component that actually targets and infects networks and machines reflects only an amateur level of skill. This, together with the multiple versions of Stuxnet in circulation, suggests that the malware was developed by several different groups over a period of two or three years. Perhaps, as the eSecurity article speculates, the advanced parts of Stuxnet were written by a third party and sold to the programmers who “put the wrapper around it.” The very fact that we know as much as we do about Stuxnet suggests that key elements of its design were not highly sophisticated.
In spite of the imperfections in Stuxnet’s design, the backstory involving Siemens’s vulnerability testing in collaboration with the US Government, the sophisticated insider knowledge required to pull off such an attack, and the political expediency of doing so make a strong case for US and Israeli backing. In addition, the Times contends that Stuxnet was actually tested at Israel’s Dimona nuclear weapons development facility in the Negev. The cumulative result: it now appears that Iran’s nuclear enrichment program has been set back by several years.
Of course, we are also attentive to what Stuxnet means for cyber security management and cyber warfare as an emerging reality.
Last Monday, The Data Center Journal published an article describing Stuxnet as the first known form of weaponized malware ever developed. They report:
“The traditional, malicious approach to damaging the [Iranian] facility would have been to use a conventional weapon (i.e., a bomb). The astonishing difference is that this malware was attempting to do mechanical damage to the facility without supplying the destructive mechanical force on its own. In other words, this was malware designed specifically to accomplish the work of a weapon. It has therefore earned the nefarious classification of weaponized malware.”
The article goes on to scrutinize how Stuxnet gained access to its target systems by exploiting up to 4 zero-day vulnerabilities in Microsoft operating systems and using digital certificates to authenticate itself. It then analyzes the risk management landscape this malware portends:
“It is unquantified and unmanaged risk that allows Stuxnet to propagate and operate on a network. This situation represents bad management practice of a critical part of a layered security model. Digital certificates are widely used to authenticate and identify entities in a network. Poor management practices render digital certificates ineffective for their intended purpose. In fact, poor management in some cases creates an exploitation opportunity.”
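The quotation above makes a point that is easy to state and easy to get wrong in practice: a digital certificate only identifies anyone if the party relying on it actually checks whether the issuer still vouches for it. As an added example, not code from this post or from the articles it cites, the Go program below builds a constructed in-memory code-signing CA and a vendor leaf certificate, signs a made-up driver image with the leaf, and then compares two verifiers. Both validate the chain and the signature; only one consults the CA's certificate revocation list (CRL). After the CA revokes the signing certificate, the lax verifier still accepts the image while the careful one rejects it. The type and function names (`pki`, `mint`, `issueCRL`, `verify`, `scenario`), the certificate subjects and the image bytes are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed, in-memory CA and the code-signing leaf it issued (no real vendor or Siemens certificate).
type pki struct {
	ca, leaf       *x509.Certificate
	caKey, leafKey *ecdsa.PrivateKey
}

// must aborts on setup errors so the example stays short; a real loader would return them.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a P-256 key and issues tmpl signed by parent (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func newPKI() *pki {
	now := time.Now()
	ca, caKey := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	leaf, leafKey := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Driver Vendor"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, caKey)
	return &pki{ca: ca, leaf: leaf, caKey: caKey, leafKey: leafKey}
}

// issueCRL publishes a CA-signed CRL listing the given serial numbers (empty list = nothing revoked).
func issueCRL(p *pki, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{RevokedCertificates: entries,
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}, p.ca, p.caKey)
	must(err)
	return der
}

// verify is the loader-side check: chain to the trusted root with a code-signing EKU, signature over
// the payload and, when checkCRL is set, a CA-signed CRL that does not list the signer. checkCRL=false
// is the lax practice the article warns about: a compromised certificate keeps working after revocation.
func verify(p *pki, payload, sig, crlDER []byte, checkCRL bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := p.leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := p.leaf.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if !checkCRL {
		return nil
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	if err := rl.CheckSignatureFrom(p.ca); err != nil { // an unsigned or foreign CRL proves nothing
		return fmt.Errorf("crl: %w", err)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.leaf.SerialNumber) == 0 {
			return fmt.Errorf("signer serial %v is revoked", rc.SerialNumber)
		}
	}
	return nil
}

// scenario signs a constructed driver image, then has the CA revoke the signer, and reports whether the
// image is accepted before revocation, after revocation with no CRL check, and after it with the check.
func scenario() (before, afterNoCRL, afterWithCRL bool) {
	p := newPKI()
	image := []byte("constructed driver image bytes")
	digest := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, p.leafKey, digest[:])
	must(err)
	before = verify(p, image, sig, issueCRL(p), true) == nil
	revoked := issueCRL(p, p.leaf.SerialNumber)
	afterNoCRL = verify(p, image, sig, revoked, false) == nil
	afterWithCRL = verify(p, image, sig, revoked, true) == nil
	return
}

func main() {
	b, n, w := scenario()
	fmt.Printf("accepted before revocation: %v; after, no CRL check: %v; after, CRL checked: %v\n", b, n, w)
}
```

Run as-is and it prints `true; true; false`: the signature and chain are cryptographically perfect in all three cases, and the only thing separating the second result from the third is whether the verifier bothered to ask the issuer. In a real deployment the CRL (or an OCSP response) comes from the issuer, is refreshed before its `NextUpdate`, and a failure to obtain a fresh one is treated as a reason to distrust rather than a reason to skip the step; a verifier that omits the check turns the certificate from a control into decoration, which is precisely the management failure the article describes.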
From a management perspective, Stuxnet certainly emphasizes the vital importance of robust and forward-thinking security management policies.
How worried should we be about malware like Stuxnet disrupting infrastructure here in the US? eSecurity Planet’s reporting echoes that of The Data Center Journal in suggesting that protecting SCADA systems demands strong security management policies and physical perimeters—measures that were either poorly developed or easily subverted in Iran. In general, US security measures are more sophisticated, and it is generally considered unlikely that Stuxnet itself would be able to infiltrate a high security US facility.
What exactly Stuxnet says about the future of cyber warfare in the 21st century, and our vulnerability on that front, is still an unfolding story. What we can say is that we have entered an era in which highly sophisticated and covert software, likely developed or funded by governments, can destroy physical targets with a precision equal to or greater than a mechanical weapon.
ISSA-LA and the Los Angeles OWASP Chapter will be co-hosting a Stuxnet update and demonstration on March 17th. More information will be posted on the organizations’ websites as we get closer to March.