Pentagon on computer super-worm that’s been attacking Iran’s nuke program: Er, no comment

posted at 9:35 pm on September 27, 2010 by Allahpundit

Easily the most fascinating story of the past week, but it’s so tech-heavy that I don’t trust myself to even summarize it properly, let alone opine on it. Let’s start slow, with the official American non-response:

The Pentagon is refusing to comment on widespread accusations that it is responsible for coordinating a cyber-attack against Iran’s nuclear facilities. Earlier this month the Iranians acknowledged the “Stuxnet Worm” had invaded software it uses at multiple nuclear production plants.

Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can “neither confirm nor deny” reports that it launched this attack…

It’s also important to note that researchers have determined the worm originated sometime in early 2010. Therefore if it was initiated by the United States it would have been done under the Obama administration.

A fine theory, except that Wired claimed a few days ago that Stuxnet was actually first deployed in January 2009. That’s one of many mysteries here — not only who rolled it out, but how long has it been around and what, precisely, is it up to? Rather than drone at you, let me instead recommend this useful primer about the worm at New Scientist explaining how it works and why it’s blowing the minds of cybersecurity experts who deal with it. In a nutshell, it’s fantastically sophisticated, hacking four previously unknown vulnerabilities of Microsoft Windows in order to gain entry to a system. It’s also fantastically specific, targeting industrial machinery operated by the German electronics company Siemens, which just so happens to run a bunch of Iranian nuclear infrastructure. And it’s potentially fantastically dangerous: Unlike most worms, which are used to gather information and spy, Stuxnet is aimed at messing up the timing of heavy industrial machines, which could lead to mechanical breakdowns or even explosions. Wired explains:

Byres agrees and says this is because the malware interjects what’s known as Organizational Block 35 data blocks. OB35 data blocks are used for critical processes that are either moving very fast or are in high-pressure situations. These data blocks take priority over everything else in the processor and run every 100 milliseconds to monitor critical situations that can change quickly and wreak havoc.

“You use this priority for things that are absolutely mission-critical on the machine — things that really are threatening to the life of the people around it or the life of the machine,” Byres says, “like a turbine or a robot or a cyclone — something that’s going very, very fast and will tear itself apart if you don’t respond quickly. Big compressor stations on pipelines, for example, where the compressors are moving at very high RPMs would use OB35.”

A turbine or a robot or a cyclone or … a centrifuge, maybe? The early theory about Stuxnet was that it was aimed at penetrating Iran’s nuclear reactor at Bushehr, but that makes no sense to me. Bushehr, as we’ve explained before, simply isn’t all that important to Iran’s bomb-making abilities. It’s a scary symbol of Iranian nuclear know-how, but as an actual threat, it’s small potatoes. The real threat is the uranium enrichment facility at Natanz; if/when Iran masters the enrichment process completely, the centrifuges there will be churning out the HEU needed for Hiroshima-type bombs. Which explains why Wired thinks it’s Natanz, not Bushehr, that was the real target in all this.

I recommend reading the full NS and Wired pieces above and then this analysis by Greenroomer J.E. Dyer about why it’s probably not the U.S. or Israel who’s behind this. Granted, according to most experts, Stuxnet is so complex and would have taken so long to create that only a nation or a very well-funded group could have come up with it, but of course there are other nations out there who are interested in what Iran’s doing. Nations like, say, China, which has not only developed a reputation for sophisticated hackery in recent years but which, as Dyer explains, is a better fit on the facts here. While most of the computers infected by Stuxnet are in Iran, not all are: Some are in India and Indonesia, which makes no sense for an America that’s worried about Iranian nukes but could make sense for a China that’s worried about Russia’s energy dealings in those countries. Russia began a brand new partnership with Siemens last year so the Chinese obviously would have good reason to want to target Siemens machines. But if this is a Chinese/Russian game, how come more computers in Russia haven’t been infected? (Or maybe they have and the Russians are keeping it quiet? It was a Belorussian security firm that first detected Stuxnet.) And if the Chinese wanted to use this worm as a weapon against an archenemy, why would they tip their hand by dumping it into relatively unimportant systems in Iran, thus bringing it to global attention, instead of holding it in reserve for a true cyberwar with Russia or the U.S.?

Seriously, though, read the pieces above so that you have the background you need as this develops. Apparently some tech firm is rolling out a paper on Stuxnet later this week so we may soon know whose fingerprints are on it. As for the Pentagon’s official no comment, that’s easy: Why tip our own hand one way or the other when this story obviously has Iran feeling paranoid? If we’re not responsible for it, they don’t need to know that. Let ‘em worry.

Comments

Ha ha, there’s an anti spyware ad at the bottom of the post. Classic niche marketing.

loudmouth883 on September 28, 2010 at 5:58 AM

Having (also) read the WIRED story about this…

It’s also fantastically specific, targeting industrial machinery operated by the German electronics company Siemens, which just so happens to run a bunch of Iranian nuclear infrastructure.

…it sounds more like industrial espionage at the behest, of course, of politics. In this case, it was appropriately targeted but ethically wrong.

Lourdes on September 28, 2010 at 6:48 AM

ALINSKY RULE 9: “The threat is usually more terrifying than the thing itself.”

faraway on September 27, 2010 at 9:50 PM

Not in this case…

TheBigOldDog on September 27, 2010 at 9:56 PM

It’s not actually a small matter (not that either of you suggest it is) because of the nature of infecting programs that can, when taken to other extremes, actually launch nuclear weapons.

Lourdes on September 28, 2010 at 6:52 AM

Aw, Achy’s toy broke.

Maybe Christine Amanpour can take up a collection to help Achy.

NoDonkey on September 28, 2010 at 7:01 AM

Our intelligence agencies have had the “no comment” policy for decades if not forever. Other nations have had the same policy, Russia for instance. That this particular industrial sabotage could be between Russia and China makes a logical argument. I wonder how invested in Iran’s nuclear success the German corporation Siemens really is. After all, should things break down due to Iranian workers’ errors and lack of experience, new sales to replace the old and broken would result. And what better way to test your own equipment with potential/real flaws than at Iran’s expense? I would never underestimate the intellectual German.

Big compressor stations on pipelines, for example, where the compressors are moving at very high RPMs would use OB35.”

JUST WHAT AMERICA NEEDS given green reactionary Obama at the helm. Were industrial terrorists to launch this worm on the Alaskan Pipeline or any American oil/gas industry main central compressors, it would give Obama the excuse to appease his green radical supporters with mandates amounting to closures. Texas City. New Orleans. A worst case scenario, launching the worm abroad before sabotaging our own domestic “undesirables” provides political ID cover for a time.

“America will is not and will never be at war with Islam” — CiC Obama. The theocracy of Iran may be one of our worst enemies, but evidently America is NOT Iran’s worst enemy. We do, however, make the good ol’ easy target hate scapegoat. But CHINA holds the upper hand here holding Stuxnet, and can take the hot seat it created by likely sabotaging Indonesia and India with the worm.

maverick muse on September 28, 2010 at 7:26 AM

Lourdes on September 28, 2010 at 6:52 AM

Or detonate the nuclear missiles before they launch.

This super-worm is industry’s and security’s worst nightmare.

maverick muse on September 28, 2010 at 7:29 AM

rob verdi on September 27, 2010 at 9:48 PM

Agreed.

maverick muse on September 28, 2010 at 7:31 AM

I would never underestimate the intellectual German.

C’mon, they’re pushovers.

All talk, no action.

NoDonkey on September 28, 2010 at 7:52 AM

This story is reminiscent of the US/Canadian sabotage of the Soviet gas pipelines several decades ago which is described in Thomas Reed’s book, The Nuclear Express: A Political History of the Bomb and Its Proliferation. This was a major event in the Cold War as it severely damaged the Soviet economy. My recollection of the story is as follows. An AEC scientist, probably at Livermore, recognized that the Soviets would buy a copy of industrial software and make many pirate copies thereof. At the time there were two primary software companies, one in the US and one in Canada, making software to control gas pipelines. The US had an embargo on the sale of such software but Canada did not. It was expected the USSR would purchase a copy of the Canadian software. The US recruited the Canadian government and the Canadian company to put a bug in the software which in pirated copies would cause valves in the pipeline to unexpectedly close without turning off the pipeline compressors. When the valves closed, the pipelines would burst. The closures were timed to happen a few years after the original software purchase so that the software would be extensively deployed in the thousands of miles of Soviet gas pipelines.

burt on September 28, 2010 at 8:42 AM

Lourdes on September 28, 2010 at 6:52 AM

Or detonate the nuclear missiles before they launch.

This super-worm is industry’s and security’s worst nightmare.

maverick muse on September 28, 2010 at 7:29 AM

ONLY if you are using Windows. If you use Linux or Unix it has absolutely NO EFFECT on you. This is using cheap, ignorant IT staff and ignorant security people.

In fact something is very fishy about this story even being ‘out’. Did the Iranians openly admit to this issue???
What a bunch of losers.

Hi, I’m a linux virus, but I need your help. Forward me to 10 of your friends, and enter this command manually:

>rm -rf *

Security reviews indicate that you would be surprised how many people would actually follow those instructions…

orbitalair on September 28, 2010 at 8:53 AM

Perhaps the Iranian people are acting to bring down their own hideous government?

The best and the brightest in Iran saw their friends and family being butchered by the regime.

NoDonkey on September 28, 2010 at 9:02 AM

I recommend reading the full NS and Wired pieces above and then this analysis by Greenroomer J.E. Dyer about why it’s probably not the U.S. or Israel who’s behind this. Granted, according to most experts, Stuxnet is so complex and would have taken so long to create that only a nation or a very well-funded group could have come up with it,

Is it possible that it is a vigilante private corporation? Could Bill Gates, or someone like him, have set it up?

Count to 10 on September 28, 2010 at 9:37 AM

I do security for SCADA systems. Most manufacturers of SCADA systems (in this case, Siemens) dictate what platform their stuff runs on. If it sits on a Windows platform, it’s because the manufacturer put it there. Many times it is up to the same manufacturer to mandate what patches and updates go on that system.

auslander on September 28, 2010 at 10:14 AM

Siemens was foolish to use Windows as a platform for plant control software. It has a 100HZ clock — 1/10th the granularity of Linux’ (or Wind River’s, or RTLinux, or …) 1000HZ (1MHZ) clock. A clock which is 10 times more accurate allows for much more leeway in precise control of attached devices. Their reputation will rightly suffer as a result of having chosen this d-bag OS with its added on — not baked in — security.

unclesmrgol on September 28, 2010 at 11:24 AM

Oops. Not 10 times more accurate — but with 10 times more ticks per second. Sorry there…

unclesmrgol on September 28, 2010 at 11:25 AM

A turbine or a robot or a cyclone or … a centrifuge, maybe?

The centrifuges that produced the HEU for the Hiroshima bomb used what is now seventy-year-old technology. Probably not a whole lot of computer control needed.

PersonFromPorlock on September 28, 2010 at 1:52 PM

Haha. Our nerds are smarter than your nerds.

Scrappy on September 28, 2010 at 2:03 PM

I would like to make a point here, being that I am a controls engineer and work with PLCs every day. No brand of PLC is the same as another. It would be very difficult to make a virus or worm that attacks all PLCs because of this. They don’t use an OS like the one on your home computer. Each manufacturer has their own OS. So the specificity of this worm’s intended target makes more sense than you might think it does.

Because of that it is less clear that this is an actual targeted attack of Iran. The fact that just about all of the machines affected are in Iran though does make a strong case for this. However, I think there is an outside chance that it could also be a competitor to Siemens behind this.

NotCoach on September 28, 2010 at 2:57 PM

I would also like to point out to people that if your system is designed properly this worm should not cause injury or machine destruction. A PLC should never be used as one’s means of safety. Proper process design includes a separate safety circuit that runs concurrently with the PLC and is, at the most, only monitored by the PLC. This separate safety circuit consists of devices that do not run on any software as everything in a safety circuit is hardwired. There are safety PLCs, but they are extremely difficult to penetrate electronically and typically are not networked in any way.

NotCoach on September 28, 2010 at 3:07 PM

The centrifuges that produced the HEU for the Hiroshima bomb used what is now seventy-year-old technology.

They used gaseous diffusion, not centrifuges, at that time.

burt on September 28, 2010 at 3:14 PM

Siemens was foolish to use Windows as a platform for plant control software. It has a 100HZ clock — 1/10th the granularity of Linux’ (or Wind River’s, or RTLinux, or …) 1000HZ (1MHZ) clock. A clock which is 10 times more accurate allows for much more leeway in precise control of attached devices. Their reputation will rightly suffer as a result of having chosen this d-bag OS with its added on — not baked in — security.

unclesmrgol on September 28, 2010 at 11:24 AM

All PLC software, no matter the manufacturer, is Windows-based. The software is used to program the PLC and set different parameters. Now, people may choose to keep the software continuously online in order to monitor the PLC logic. But it is not necessary to do so. The description of this attack though seems to indicate that the worm goes straight for the PLC without the external software designed for programming it.

NotCoach on September 28, 2010 at 3:17 PM

Didn’t Iran suffer from a number of mysterious gas-line explosions over the past few months? Perhaps there are two intended targets in Iran: The nuclear infrastructure, but perhaps as well, the gas-line infrastructure. As Iran is effectively totally dependent on imported refined gasoline, one way to disrupt the economy would be to wreak havoc on their ability to transport and store gasoline. Whatever, the opportunity to speculate is fun and the damage couldn’t happen to a more deserving nation.

vboscaino on September 28, 2010 at 3:33 PM

“A turbine or a robot or a cyclone or … a centrifuge, maybe?”

Or a coolant subsystem or one of hundreds of other subsystems. If the reactor is up, but uncontrolled, bad things will occur.

“NotCoach on September 28, 2010 at 3:17 PM”
I read that also. It just uses the PC to search for the Siemens uController.

dogsoldier on September 28, 2010 at 3:59 PM

NotCoach on September 28, 2010 at 3:17 PM

Google “linux plant control software” or “linux 61131”

unclesmrgol on September 29, 2010 at 2:55 AM

unclesmrgol on September 29, 2010 at 2:55 AM

That is PC control which is not a PLC. Personally I prefer PLCs because of their bare bones OS and durability. They are rugged and proven work horses. Admittedly though I have zero experience with Linux. But Windows PC control, while it does exist, is a nonstarter with most manufacturing facilities.

Actually, I use PACs (Programmable Automation Controllers) for new installs, which are next generation PLCs. The reliability and durability of a PLC with the functionality of a PC. But most equipment and systems are still PLCs.

NotCoach on September 29, 2010 at 8:13 AM

Here is another semi-layman’s explanation. The good part is that you can ask me technical questions and I can give answers. And I will work with you until you are satisfied. The politics? I have speculations.

http://powerandcontrol.blogspot.com/2010/09/plant-breakdown.html

MSimon on September 29, 2010 at 5:44 PM

Uh. In the PLC world PCs are used for data collection (monitoring) and downloading control programs.

Networking them with PCs is real handy for data collection. Downloading control programs to update all the connected PLCs at once is handy. But there are security vulnerabilities. Heh.

MSimon on September 29, 2010 at 5:51 PM
