We are developing the social individualist meta-context for the future. From the very serious to the extremely frivolous... lets see what is on the mind of the Samizdata people.

Samizdata, derived from Samizdat /n. - a system of clandestine publication of banned literature in the USSR [Russ.,= self-publishing house]

Cyberwar!

This just in from a Jane’s newsletter:

Nation state may be behind computer worm attack on Iranian nuclear plant. The first known example of a computer worm designed to target major infrastructure facilities has infected the personal computers of employees in Iran’s Bushehr nuclear power station. The malware, known as Stuxnet, is capable of taking control of an industrial plant by targeting weaknesses in systems designed by German company Siemens that are used to manage water supplies, oil rigs, power plants and other utilities.

I pretty much thought this had to be the case. The problem is, this is a double-edged sword. Stuxnet has been seen in the wild enough to be picked up and reported on by Symantec. That means it has also been picked up by white and black hats alike and will be reverse engineered and used for other ‘payloads’. This is the inherent problem with the viral software attack. Once you use it, you might as well have posted the source code with a GNU Public License on it.

So, now that we have proof by example that embedded process control systems can be hijacked by a virus, we had better start worrying who else is going to get targeted by slightly modified versions.

29 comments to Cyberwar!

  • Matra

    That means it has also been picked up by white and black hats alike

    If the US federal government is using it then the black hats have already picked it up.

  • Laird

    I saw this reported last week (in the general press, not a specialty publication like Jane’s). Query: if Stuxnet is already known to Symantec et al, why isn’t there already protection from it in the antivirus software? Or do these large industrial facilities think they are immune to hacking and so don’t bother with antivirus protection?

  • Vinegar Joe

    Why would anyone in their right mind use Windows in an embedded system in a nuclear plant (or any other “mission critical” system)?

  • Which nation state is the most likely culprit? My money would be on Israel. They are very tech-savvy, and have the biggest motive of all to want Iran’s nuclear economy buggered.

    And if Germany was to suffer also, well, in the words of the sergeant in It Ain’t Half Hot Mum: Oh dear, how tragic.

    So, for once, I blame the Jews. Or rather, I don’t, because in their position, I’d be wanting to do just this sort of thing too.

    Other stuff I’ve read says that the Iranian chain of command is tying itself into twenty kinds of knots about this. Paranoia on the rampage. Score.

    If it was Israel, I presume they will have asked all the questions about the same thing coming back at them in a modified form that Dale asks in his posting. If any nation state is behind this, they would have spent years preparing such a stunt. Wouldn’t they?

  • By the way, Dale, thanks for posting about this, if only because I look forward to seeing what our commentariat has to say. For that reason alone, I’d been thinking about posting on this myself. True, I know zilch about it, but I’ve never let that stop me. I just scatter question marks on it.

  • “we had better start worrying who else is going to get targeted by slightly modified versions.”

    Shouldn’t that be “with modified versions”?

  • The Windows documentation says, or it used to say, not sure if it still does, I might be talking nonsense, that it should not be used for mission critical applications including specifically nuclear power stations.

    BMS systems of this type have dedicated outstations that do all the actual controlling, and one or more supervisor PCs that act as monitors and send them instructions but do not themselves control the plant directly. It should not be possible for the supervisor to instruct the outstations to do anything dangerous, since there should be hardware interlocks to prevent that. That is, a virus could infect the supervisor and tell it to shut the plant down, but it should be impossible to just shut down the cooling systems so that the reactor blows up or something. If safety is dependent on any software, however custom-made, isolated and hopefully bulletproof, that is a major design flaw. It should be impossible for the plant control systems to cause anything more than annoyance if they send out the wrong instructions to the plant.

  • Chuck6134

    Maybe someone should be thinking outside the box for once.

    My bet is China; they may not like the US/West trying to stifle Iran overly much but China has a large, restive Muslim population. A nuclear armed Iran, showing its ability to thumb its nose to the West over such a critical issue will be a beacon of ‘hope’ for those Muslims eager for something different than China’s heavy hand.

    This move so far has not been traced back to any state so China stands able to decry the attack, insinuate it was the US or Israel, and still slow Iran’s march to nuclear weapons. Pretty much win, win for them. God knows they have the ability to make such strikes.

  • I first heard about this on ESR’s blog, where there is some good discussion and speculation in the comments.

  • Dale Amon

    Ian may be correct about nuclear plants in the US and some other places, but the key to this virus is that the payload does not work on the Microsoft level. The MS machine is simply a vector. It takes over the controller itself and modifies the code.

    It would be best if you read the info directly from Symantec.

    This could be an attack vector for just about anything. Can you imagine what a mess you could make of a rolling mill?

  • Like I said Dale, any properly designed plant will be physically and electrically interlocked to prevent a wayward controller telling it to do something dangerous or impossible. Controllers go wrong, they can lose power, and so on. You would never trust the software controller to be reliable. I have some experience with these systems as I used to be a maintenance engineer.

    You don’t use software to open a safety valve on an overpressure boiler due to a sensor reading. The valve must react physically. If a critical cooling system shuts down for whatever reason (failed pumps perhaps) whatever it is cooling will shut itself down, not wait for a controller to tell it to. That is how plant is designed. Basically, controllers politely ask the plant to do things; the limits on what it can do in response to those requests are built in at the hardware, not the software level.
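The supervisor / outstation / hardware-interlock split described in the two comments above, as an added toy model that is not from the thread or from any real plant. The names, thresholds and commands are constructed for the illustration; the only thing it shows is that the interlock reads sensors, never the controller's request, so a wrong or hostile request from the supervisor changes what the plant is asked to do but not whether it stays safe.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed physical limits for the toy plant (hypothetical units).
MAX_SAFE_TEMP_C = 320.0        # trip above this regardless of anything else
HOT_NO_COOLING_C = 150.0       # loss of cooling above this temperature forces a trip
MAX_SAFE_PRESSURE_BAR = 150.0  # relief valve must be open above this


@dataclass
class PlantState:
    temp_c: float
    pressure_bar: float
    pumps_on: bool = True
    relief_valve_open: bool = False
    tripped: bool = False
    log: List[str] = field(default_factory=list)


def outstation_apply(state: PlantState, request: Dict[str, bool]) -> None:
    """Outstation: carries out whatever the supervisor PC asks. Deliberately no
    safety logic here, because a compromised supervisor can ask for anything."""
    if "pumps_on" in request:
        state.pumps_on = request["pumps_on"]
        state.log.append(f"outstation: pumps_on={state.pumps_on} (as requested)")
    if "relief_valve_open" in request:
        state.relief_valve_open = request["relief_valve_open"]
        state.log.append(f"outstation: relief_valve_open={state.relief_valve_open} (as requested)")


def hardware_interlock(state: PlantState) -> None:
    """Stands in for vital relays and mechanical valves. It sees only the
    measurements, never the request, so it cannot be talked out of acting."""
    if state.pressure_bar > MAX_SAFE_PRESSURE_BAR and not state.relief_valve_open:
        state.relief_valve_open = True
        state.log.append("interlock: relief valve forced open on overpressure")
    lost_cooling_while_hot = (not state.pumps_on) and state.temp_c > HOT_NO_COOLING_C
    if (state.temp_c > MAX_SAFE_TEMP_C or lost_cooling_while_hot) and not state.tripped:
        state.tripped = True
        state.log.append("interlock: plant tripped (overtemperature or loss of cooling while hot)")


def run_cycle(state: PlantState, request: Dict[str, bool]) -> PlantState:
    """One control cycle: the request is applied, then the interlock has the last word."""
    outstation_apply(state, request)
    hardware_interlock(state)
    return state


def scenario(temp_c: float, pressure_bar: float, request: Dict[str, bool]) -> PlantState:
    """Build a plant at the given sensor readings and run one cycle with the request."""
    return run_cycle(PlantState(temp_c=temp_c, pressure_bar=pressure_bar), request)


if __name__ == "__main__":
    cases = [
        ("cold plant, supervisor asks pumps off", scenario(40.0, 10.0, {"pumps_on": False})),
        ("hot plant, supervisor asks pumps off", scenario(300.0, 10.0, {"pumps_on": False})),
        ("overpressure, supervisor asks valve closed", scenario(200.0, 170.0, {"relief_valve_open": False})),
    ]
    for name, s in cases:
        print(f"{name}: tripped={s.tripped} relief_valve_open={s.relief_valve_open}")
        for line in s.log:
            print("   ", line)
```

In the second case the outstation does switch the pumps off, which is the "annoyance" level of harm the comment allows for, but the plant trips rather than overheating; in the third the supervisor's request to close the relief valve is honoured for exactly one step before the interlock reopens it. If the interlock function were ever given the request as an input, the property would be gone, which is the design flaw the comment warns about.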

  • Sunfish

    Once you use it, you might as well have posted the source code with a Gnu Public License on it.

    If they did that, then Allah help them if they forgot to label the worm “GNU/Stuxnet.” Richard M. Stallman’s lack of a sense of humor makes me tremble in ways that an aerosolized Ebola Zaire would not.

  • Nuke Gray

    Whilst we’re talking about suspects, we also should not forget their northern neighbours, the russians. They also would not be too happy about Iranians trying to control oil supplies.
    Come to think of it, you could make a shorter list of countries that aren’t suspects. North Korea, Cuba, Venezuela, and (because it is ardently pacifist) Costa Rica. Any others?

  • Can I say “triple” edged sword? Since it’s known, how to deal with it is also probably being discussed, not just how to use it. This is the beauty of decentralized security. You don’t have to wait for “the man” to act. Millions of hackers can work on defanging the worm’s structure themselves and submit the solutions to security firms or release it themselves. This is how genuine first-best security works in the real world. Not by a centralized bureaucracy responding to myriad decentralized attacks, but a decentralized dilettante/hacker community along with profit-motivated security companies going toe-to-toe with bad guys 24/7. The war never stops and never will.

  • Ian

    Nobody seriously doubts Stuxnet was done by a state actor, although there are always other possibilities. In particular the use of codenames (a module named “guava” being a branch of the “myrtus” project, broadly following botanical taxonomy) suggests, in my view, not some kind of Kabbalistic message (as discussed ad nauseam) but is evidence of a quite sophisticated operation. “Normal” programmers do like to use funny names for their projects, but filenames are generally named according to their purpose and are not obfuscated in that way – at least in my limited experience. The willingness to blame Israel on such slender grounds as the “Esther” connection suggests to me it was US Cyber Command.

    However, whoever dunnit, the vector into Iran seems to have been on a Russian engineer’s laptop. This may well have caused the organic fertilizer to hit the wind-farm. Being a DebkaFile article, who knows if it’s true, but I so wish it were.

    As for the code being leveraged by “normal” hackers, some of the vulnerabilities have already been patched, and anyway you’d have to have been sharing needles — I mean USB sticks or networked printers — with someone to get infected. We’ll probably have to wait till (at least) this month’s Patch Tuesday to get the remaining issues fixed, but I really wouldn’t worry about Stuxnet — there’s a whole black market in Windows 0day vulnerabilities (I suspect GCHQ, Cyber Command, NSA, etc. have long lists of them — if not they should do by now), and besides there are plenty of other bits of software that can be exploited — what about the recent Windows DLL issue? None of us have any real control over this, and you just have to trust software vendors to write good software and hope nobody dislikes you enough to pay to hack your PC/website. Or you could use Linux, which makes illegal entry more of a challenge but is ultimately hackable too.

    Every time one of these bits of malware gains prominence, someone says “Oh no, am I at risk?” but the truth is there’s never been complete security in computing and never will be. Go into a darkened room, wrap yourself in a towel and scribble on a piece of paper backed by a hard surface like a mirror if you’re that bothered, or better yet become a Trappist monk.

  • Dishman

    Second everything Ian said.

    Back in ’94, I was building a control system for BART (heavy commuter rail). They asked me to put in a feature where I could have software control over a piece of safety interlock, in a way that the software could create an unsafe condition. I blew a gasket and said the ‘F’ word (fatality). When we were done, every safety critical aspect was controlled by “Vital Relays”.

    Fly-by-wire scares the hell out of me.

  • llamas

    What Dishman and Ian B said – PLCs of the type that this virus affects will not have sole control over safety-critical functions. It’s been suggested that the worm may have a specific payload for specific PLCs – to override safety-critical limits, for example, and cause the controlled plant to self-destruct – but that should not be possible in a well-designed system.

    I know we’re talking Iraq here, but they are plenty good at this and most likely got their kit from France and Germany anyway.

    Besides – whoever let this thing out probably doesn’t want a spectacular failure of a nuclear plant – who wants another Chernobyl? What they want is a plant that the operators can’t get running. And then to suck up man-centuries of highly-skilled effort trying to fix it. You don’t want to shoot the soldier dead – you want to wound him just badly enough that it takes two orderlies, four nurses, a houseman and a surgeon 4 months to patch him up again.

    So – even with the limitation that a sickened PLC can’t cause the turbines to spin off their shafts, a worm that scrambles your PLCs can still do a tremendous amount of damage. You don’t have to destroy a plant to render it useless. A really elegant attack would involve having various PLCs report differing and conflicting responses, causing the hard safety systems to prevent plant operation – IOW, using its own strength to defeat it. Even a skilled team of PLC gurus might well have to spend months untangling the mess before having sufficient confidence to say ‘OK, start it up again, it won’t choke out this time.’

    The beauty of this attack is that so many people have plausible reasons for doing it (just look at this thread alone) that any one of them can plausibly deny it. You don’t have to false-flag it – there’s so many real flags available.

    It’s a masterful piece of alternative warfare. FWIW, I’d say it was the Israelis – they’re the only ones with a committed central purpose to doing this AND the political culture that would get it done. It’s so-obviously an excellent good thing for US policy that I can’t believe the current US administration could ever get it done – they’d spend two years just in legal wrangling about how this would play under international law, and whether the UN would approve.

    llater,

    llamas

  • Laird

    “who wants another Chernobyl?”

    Well, maybe one in Iran isn’t such a bad idea . . . .

  • As I wrote on my work blog on the subject – http://threatstop.wordpress.com/2010/10/06/the-scada-threat/ – I think the proliferation issue is indeed very serious here.

    It doesn’t help that I quote someone who should know saying that security measures will be poor and that the post-event government reaction will be wrong….

  • F0ul

    This virus story is being spun by everyone with any kind of anti something agenda!

    The truth is that Stuxnet is designed specifically to attack one factory – everything else is a bonus. It works by attacking 4 different zero day flaws, and hopes that the factory is using default passwords on the PLCs. It even has a switch off feature to stop it being dangerous.
    The point is, it got into the system through being left on a USB stick and waiting for an innocent employee to take it in to the factory – where it starts to work. There is a policy in every decent sized company to stop this virus dead – don’t plug in USBs which are unauthorised. Most government agencies are locking down their USB ports for this reason.
    If someone decides to modify the virus, it won’t make any difference if people follow the policy – is that too difficult to manage?
    Stuxnet has been around since 2009 and was written by a government agency – nobody else has any reason to build something so specific.
    If you really want a virus to worry about – read up on Zeus 3 – now that is scary!

  • Dale Amon

    I’ve been standing back awhile to see what others have to say. First off, I do have creds in process control. I was lead designer and manager for a system in the late 70’s that beat the pants off the Johnson Controls and Honeywell systems in building automation (Honeywell Alpha/Delta 2000 I believe was their offering against our hierarchical, 6502 processor networks). I also was lead programmer on a few systems prior to that. I know how badly things can go wrong. A simple miscommunication of a hardware issue from the hardware guys to me started a chain of events that eventually dumped 50,000 gallons of water in the Johns-Manville World HQ helicopter hangar. I have also battled attacks as Tech Director of the first ISP in Ireland and had numerous other run ins with security systems.

    Now. Stuxnet. What I am worried about is not the fact that it used a particular entry method (probably the old USB mount script attack) but the fact that they can modify the code in the actual controller. It may well be that systems are all wonderful and none ever have critical functions touchable by the microcontrollers and sequencers. Personally, I doubt such perfection exists. Somewhere some marketing droid had a feature added that sold to upper management on how they can change x and y magically whizbang from their familiar Windows XP Home system. Best practice does not mean it is so everywhere.

    Further, saying that people should follow certain procedures and that companies should have those procedures and enforce them looks great on paper but rarely happens in practice. All it takes is the CEO’s 8 year old daughter alone in his office loading games…

    When I find an office where the lusers actually follow security guidelines, I’ll let you know. I don’t think I have ever seen one yet.
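The worry in the comment above is that the controller's own program can be rewritten from an infected workstation. The defensive check that follows from that is an integrity comparison: hash the program blocks actually present on the controller and compare them with the blocks the engineering project says should be there. The code below is an added example, not from the thread, from Symantec or from any vendor tooling; the block names and contents are constructed stand-ins for what an engineering workstation would upload from a controller, and the tampered upload is constructed to show what the report looks like when a limit has been changed and a stray block added.

```python
import hashlib
from typing import Dict, List


def block_digest(data: bytes) -> str:
    """SHA-256 of one program block's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(blocks: Dict[str, bytes]) -> Dict[str, str]:
    """Known-good digests, taken from the engineering project, not from the controller."""
    return {name: block_digest(data) for name, data in blocks.items()}


def verify_blocks(current: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare what the controller reports against the baseline.

    Returns block names that changed, that disappeared, and that exist on the
    controller without being in the project at all (the last is as interesting
    as the first: a block nobody can account for should never be running)."""
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "unexpected": []}
    for name, digest in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif block_digest(current[name]) != digest:
            report["modified"].append(name)
    for name in current:
        if name not in baseline:
            report["unexpected"].append(name)
    for key in report:
        report[key].sort()
    return report


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


# Constructed sample "program blocks" (real block contents would be binary).
GOLDEN_BLOCKS: Dict[str, bytes] = {
    "OB1": b"MAIN: CALL FC10; CALL FC20; END",
    "FC10": b"READ AI0 -> DB1.TEMP",
    "FC20": b"IF DB1.TEMP > 300 THEN SET Q0.0",  # alarm output on overtemperature
    "DB1": b"TEMP=0",
}
BASELINE = build_baseline(GOLDEN_BLOCKS)


def tampered_upload() -> Dict[str, bytes]:
    """Constructed upload from a controller whose program has drifted from the project."""
    blocks = dict(GOLDEN_BLOCKS)
    blocks["FC20"] = b"IF DB1.TEMP > 900 THEN SET Q0.0"  # limit silently raised
    blocks["FC99"] = b"UNKNOWN BLOCK"                      # not in the engineering project
    return blocks


if __name__ == "__main__":
    print("clean upload:", verify_blocks(GOLDEN_BLOCKS, BASELINE))
    print("drifted upload:", verify_blocks(tampered_upload(), BASELINE))
```

The baseline must come from the project files on a machine you trust, and the upload from the controller must be read by something other than the workstation under suspicion; if the same infected PC both supplies the baseline and performs the read, it can make the two agree. Run periodically and logged, this turns "can the controller code be changed?" into "we will know within one polling interval if it has been."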

  • While everybody is busy speculating on what nation state might be involved, has anybody considered the possibility it might be someone inside the country with ties to the opposition movement?

  • llamas

    Laird wrote:

    ‘”who wants another Chernobyl?”

    Well, maybe one in Iran isn’t such a bad idea . . . .’

    Well, not a single member of the Politburo or anyone with the slightest seniority in the USSR system suffered any loss or injury as a result of Chernobyl – it was the poor bloody firemen that fried. If the purpose is to de-stabilize the government, a nuclear meltdown ain’t the way to get it done, that would only hurt many innocent civilians.

    And if it were to be that this worm created an unplanned failure of the system that caused another Chernobyl – that would be a complete PR disaster that might well strengthen – not weaken – the Iranian regime. “Once again, the Imperialist Crusader forces of the Great Satan rain nuclear destruction down upon the peace-loving peoples of their enemies – only the US is so morally bankrupt that they will poison the very land on which the innocent peasants stand . . . ” and so on and so forth. This sort of propaganda would actually resonate with large numbers of people in the West, especially the squishy Greens and the watermelons, to whom anything nuclear is by definition Of The Dark One.

    By contrast, gloomy reports about how they can’t get their reactor to start will be on page 36B, right under the shipping news.

    llater,

    llamas

  • Rich Rostrom

    Dale Amon: “When I find an office where the lusers actually follow security guidelines, I’ll let you know. I don’t think I have ever seen one yet.”

    SQotD!

  • Paul Marks

    Gut feeling (with my ignorance of computers it can be no more than that).

    The cyber attacks on the Iranian nuke program will fail.

    Want to stop the Iranian nuke program?

    Then old fashioned methods are going to have to be used.

    Either overthrow the regime (and cyber warfare may be a part of that) or just blow the underground bases to Hell (yes I know what sort of weapons would be needed to do that).

  • The US Constitution (section 1 section 8) gives the US Congress power to issue Letters of Marque and Reprisal to privateers. I am humbly proposing we license and bond cyber privateers before the jihadists spend a little less time on the Quran and a little more time perfecting their hacking skills. My own Linux servers are being attacked daily from Chinese IP addresses. Alas, we’re in the midst of a raging cyberwar where the big guns haven’t yet been deployed.

  • Dale Amon

    I’ve been seeing hacks and attacks from China for the better part of this decade. At least two with registration info that specifies ‘Beijing Railway Station’.

    I won’t go into details but one of them involved an American executive in a Moscow hotel. That was an interesting hunt!

  • Schneier is — as always — excellent.

    He gives a good overview of both the technical details and the bare facts of this case. It’s not a given it’s a nation-state, but we do know it’s about six months work by 8-10 programmers and that the four zero-day exploits it used are very costly to acquire.

    All the vulnerabilities have since been patched. Virus scanners — if kept updated — will detect and remove this virus. It targets a particular model of Siemens industrial control system, but there is little strong evidence that the Iranian facility was the target.