Green Room

Stuxnet: Observations on a Worm; UPDATED 26 Sept

posted at 2:14 am on September 24, 2010 by

It’s early days yet to be making pronouncements about the Stuxnet worm, which appears to have been developed by someone’s national agency(ies) to attack the Siemens-manufactured computerized control systems (and only the Siemens systems) of large industrial plants, electric power plants, or factories.  That isn’t stopping the MSM from running with the story that a nation (us?  Israel?) developed Stuxnet to attack Iran’s Bushehr reactor.

A few observations as we move forward on this.  More information may or may not become available, depending on who did, in fact, develop this thing and why.

First, and most important, if what we’ve been told so far is the extent of what Stuxnet does, it isn’t a very effective tool for sabotaging Iran’s nuclear program.  The worm was first detected on an Iranian computer and reported by a Belorussian anti-virus firm in June 2010.  It’s been studied and tracked intensively in the months since.  Once it’s been found, it can be cleaned.  Siemens has been working on methods to strengthen system security against Stuxnet’s attack path (via a USB drive and automatic, conditions-based activation).

Stuxnet is reportedly very sophisticated – a really exciting piece of malware art – but if it can be reliably detected and dealt with, it can’t present a perpetual risk to Iran’s nuclear program.  It creates a temporary problem that can be recovered from with comparative ease.  The potential is clearly interesting – the concern about similarly sophisticated, undetected worms is obvious – but Stuxnet itself has done what it’s going to (whatever that is).

The targeting of Siemens-manufactured industrial control systems is very pointed, and it does seem, on its face, to argue prior knowledge of the fact that Siemens was (in defiance of UN sanctions) shipping key parts for the Bushehr reactor to Iran through Russia.  Siemens was originally the lead contractor for the Bushehr reactor, but that was back in the 1970s.  The company ceased work on the reactor by 1982, and Russia’s Atomstroyexport contracted in the mid-1990s to complete the reactor with a Russian design.  But Russia’s nuclear firms entered talks in February 2009 with Siemens to establish a commercial partnership – a rather obvious red flag for intelligence – and by the summer of 2010, it had come to the attention of German authorities that Siemens was shipping parts to a Russian middleman who was then forwarding them to Iran.

Wired theorizes that Stuxnet’s target in Iran was not the Bushehr reactor but the centrifuge cascades at Natanz, the main site for uranium enrichment.   (Wired cites a German cybersecurity expert, Frank Rieger, as the source of this theory.) Reportedly, the target the worm looks for is Siemens’ S7 SPS industrial system controller, and it is not clear from information available online if the centrifuges at Natanz are, in fact, controlled by an S7 SPS.  It’s certainly possible; Siemens has been a leader in uranium-enrichment centrifuge technology for decades, and a former senior employee of the company (who became the head of a Turkish electronics company) was implicated in connections with the A.Q. Khan network and the transfer of centrifuge technology and parts to Libya prior to 2004.  The timeline of Natanz’s history makes it unlikely that a centrifuge-cascade controller (i.e., one or more) was bought directly from Siemens.  But the fingerprints of the A.Q. Khan network on Iran’s nuclear program suggest one path for procurement. Iran’s centrifuge manufacturer, Kalaye Electric, has also had a commercial relationship with Siemens that keeps getting the German giant in trouble for selling it prohibited materials and equipment

Frank Rieger’s Natanz theory rests in large part on the timing of some otherwise unexplained incidents in 2009, which he suggests are connected to each other by the introduction of Stuxnet into computers serving the Iranian nuclear program.  Wired summarizes it thus:

The Stuxnet malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz.

WikiLeaks broke protocol to publish the information — the site generally only publishes documents, not tips — and indicated that the source could not be reached for further information. The site decided to publish the tip after news agencies began reporting that the head of Iran’s atomic energy organization had abruptly resigned for unknown reasons after 12 years on the job.

There’s speculation his resignation may have been due to the controversial 2009 presidential elections in Iran that sparked public protests — the head of the atomic agency had also once been deputy to the losing presidential candidate. But information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred.

The attrition-by-Stuxnet theory is weakened, however, by the fact that the worm wasn’t reported on an Iranian computer until June 2010.  It could have infected Iranian system controllers in 2009, of course, but if it remained a mystery throughout that time, the number of operational centrifuges would almost certainly have continued to decline.  That didn’t happen.  The operational number leveled out by the end of the year, and over the past 12 months has been either 3,772 or 3,936 (while additional centrifuges continue to be installed).  The latest IAEA report in August 2010 showed a drop from 3,936 to 3,772, but that was after a prior increase from 3,772 to 3,936 – and the Stuxnet worm has been a known quantity throughout this period.  I suggested an alternative explanation for the drop in operational centrifuges in February of this year.

One important aspect of Stuxnet is that it apparently activates wherever it is introduced, to look for the condition it is supposed to target; i.e., the presence of the particular Siemens controller.  It has therefore infected thousands of computers in at least 115 countries around the world, but the distribution is not even close to random.  The great majority of the infections have been detected in India, Indonesia, and Iran.

This frankly doesn’t sound to me like something the US or Israel would cook up.  Besides being irresponsible, it’s inelegant, and dramatically increases the likelihood of detection before the worm can achieve its goal.  It’s unnecessary – if the goal is sabotage.

The emphasis on eruptions in India, Indonesia, and Iran is also hard to explain.  Why not two other nations and Iran?  That it could be random seems very unlikely.  One’s first thought would be that a set of similar USB drives was shipped to each country for some innocuous, probably even non-nuclear-related purpose.  Siemens does business with all three, although if a set of drives was tampered with, the provenance wouldn’t have had to be Siemens.  It would, however, have presumably been a company that does business with all three nations.

There is also the weird fact that in the alphabetical (English) list of world nations, India, Indonesia, and Iran occur one after the other in direct sequence.  Silly as this seems, it’s a remarkable coincidence, and may lend weight to the theory about a shipment of altered drives.  It’s hard to find another link between the nations that would make these three, and no others, overwhelmingly susceptible to the Stuxnet infestation.

Of the nations that could have pulled this off, however, there is one that might have a reason to target the three most-infected countries in particular, and that’s China.  Although this week’s reports have all focused on the design of Stuxnet for industrial sabotage, it was clear in July that its design also suits it for industrial espionage.  Some tenuous indications have been alluded to that suggest a Chinese link to the worm, but no concrete proof has been unearthed.

In their excitement over the undoubted sophistication of the worm, commentators seem to be missing the operational – as opposed to technical – fact that it has been detected and analyzed, but it hasn’t succeeded in shutting down Iran’s nuclear program, or even in materially hindering it.  And now it isn’t going to.  Spreading Stuxnet unnecessarily to so many computers doesn’t jibe with a goal of achieving a dastardly and decisive effect against Iran’s nuclear program.  The more computers something proliferates to, the more likely it is to be detected somewhere – and detection ends Stuxnet’s career.

So I am unconvinced right now by the argument that the US or Israel designed this thing to attack Iran’s nuclear program.  It would make more sense if China designed it to gather and update information on Siemens controllers, and to serve under limited and specific conditions as an executioner.  But if Iran was the main target of such a project, that suggests a whole set of fresh analytical factors in the China-Iran relationship.

Perhaps the target was not Iran’s nuclear industry but her oil and gas industry (Siemens controllers are widely used in the major components of the oil and gas industry, from pipeline and pumping control to refining).  Or if the target was the nuclear industry, the attacker’s interest may have been a more general one, involving Siemens’ new relationship with Russia’s nuclear firms, and Russia’s burgeoning nuclear business with India, Indonesia, most of the nations of the Middle East, and some in Africa.  That spreading network of economic influence – along with Siemens’ deepening connection to Russia’s global oil and gas operations – would be of particular significance to China above all other nations, since Beijing is a competitor for the same effective control of resources.  If anything in this whole incident is in character for anyone, it would be China seeking to gather intelligence on, and to be in a position to disable at will, the vital industrial infrastructure of the other cutthroat Asian competitor for global resources.

Whatever happened, we can say two things today.  One, Stuxnet does represent a scary capability.  And two, regardless of where it came from, it does not represent a successful attempt to take down Iran’s nuclear program.

UPDATE:  IT blogs are noting this morning that Iran’s nuclear authority, AOEI, has now acknowledged that Stuxnet has been found on systems in the nuclear program.  Iran had denied this earlier.  The Iranians still say the Bushehr nuclear plant has not been infected, and Siemens says its software has not been installed there anyway.

These updates don’t actually affect the above analysis or the bottom line.  No computer worm can literally bring Iran’s nuclear program to a halt.  All it can do is force Iran to reconstitute some elements of the program, and possibly make Iran more dependent on one or two partners/suppliers.  This entails extra time and inconvenience, but it doesn’t create a wall Iran can’t get over.

Kinetic destruction would force Iran to replace the equipment, and probably most of the operating environment (housing structures, electrial plant, cooling, etc).  A worm, on the other hand, caught at the point this one has been, requires much less reconstitution; there may be no hardware replacements required at all.  The exotic “oogly” factor in this tale will keep headlines breathless for weeks.  But in the end, widely-reported worm problems and delays won’t put a period to Iran’s nuclear program.  Headlines about temporary setbacks — if there are any; we haven’t seen anything proven or material yet — are just that.  We should be more encouraged if Iran had not discovered the worm yet.  Then it might do more damage at a more significant juncture for the nuclear program.

Cross-posted at The Optimistic Conservative.

Recently in the Green Room:



Trackback URL


Critical infrastructure such as water, electricity, and sewer on most Air Force bases is highly vulnerable to cyber attack, Maj. Gen. Richard Webber, USAF’s top uniformed cyber officer, told House lawmakers in testimony Thursday. “Right now, those systems are very much wide open,” said Webber. He added, “We haven’t even taken the low-hanging fruit steps” to address this issue. In most cases, off-site, private entities provide these utilities, said Webber. The Air Force is, however, working with the National Laboratory to identify infrastructure vulnerabilities in order to understand the infrastructure networks better, he said. The Navy faces the same issue. “A lot of this [infrastructure] is single source into a base,” explained Vice Adm. Bernard McCullough, Fleet Cyber Command boss. He continued, “If you take that capacity away, you have some capability on backup power generation, but very little in other resources.” (Webber’s prepared remarks)

BDU-33 on September 24, 2010 at 9:10 AM

Kewl analysis. A dead giveaway of the native language of the writer may lie in the code itself.

Sekhmet on September 24, 2010 at 9:11 AM

Good point, Sekhmet. I’m not sure we’ll ever be told the whole story on this. The media are running with the “attack on Iran” theme, but for all the beauty of the worm itself, this was a pretty inept attack. We’re being invited to marvel over it even though it didn’t work — at least not to achieve the implied goal of “attacking Iran’s nuclear program.”

J.E. Dyer on September 24, 2010 at 12:05 PM

Author is clearly not in the least bit technical.

Kenosha Kid on September 24, 2010 at 12:27 PM

Wow. This is really great stuff, J.E. You should consider writing spy novels. Seriously.

John the Libertarian on September 24, 2010 at 5:26 PM

Experts had first thought that Stuxnet was written to steal industrial secrets — factory formulas that could be used to build counterfeit products. But Langner found something quite different. The worm actually looks for very specific Siemens settings — a kind of fingerprint that tells it that it has been installed on a very specific Programmable Logic Controller (PLC) device — and then it injects its own code into that system…

Because of the complexity of the attack, the target “must be of extremely high value to the attacker,” Langner wrote in his analysis…

Langner said he wasn’t yet ready to speak to a reporter at length (“the fact of the matter is this stuff is so bizarre that I have to make up my mind how to explain this to the public,” he said via e-mail) but others who have examined his data say that it shows that whoever wrote Stuxnet clearly had a specific target in mind. “It’s looking for specific things in specific places in these PLC devices. And that would really mean that it’s designed to look for a specific plant,” said Dale Peterson, CEO of Digital Bond.

To this I would just ad that it came out today Microsoft did not close a security hole that Stuxnet exploited despite knowing about it for some time. They claims it was just an oversight. Perhaps it was, but it does not fit their MO.

TheBigOldDog on September 24, 2010 at 5:36 PM

In case people wonder who Langer is:

Last week Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm’s attack.

TheBigOldDog on September 24, 2010 at 5:38 PM

For the last thirty years, the logic of industrial systems has been software rather than wires. Of course Windows compatible software was the standard used to program these.
This is simple logic such that
“unless A and B are on, C is off” or “unless A and B are on C requires X to operate”.
Used Motorola chips and low level processors. Then instructions became more complex.
“Temperature range Q means feed rate W applies otherwise, feed Z. If Q exceeded low execute M. If Q exceeded high, execute D.”
For the latter instruction or “code”, a few small changes can produce problems.
Iran being so infected is likely because so much stuff is black market or stolen. India is still corrupt as is Indonesia.

Caststeel on September 24, 2010 at 6:01 PM

Could it lay “eggs” that would be activated at a later date, as when a certain command or PC process happened?

Sounds an awful lot like the premise for the movie Deterrence.

marinetbryant on September 24, 2010 at 6:04 PM

Could it lay “eggs” that would be activated at a later date, as when a certain command or PC process happened?

Perhaps, but now that the AV guys know about it, Siemens is almost certainly sending out a firmware reflasher to make sure those eggs never hatch.

The Monster on September 24, 2010 at 6:23 PM

Don’t need no steenkin eggs.

Somebody opened a whole can of worms on the Iranians, and it damn sure weren’t them Chinese.

Stuxnet is the shot across the bow, the one designed to be noticed.

There’s more bad news coming to Iran and in several other forms as well.

Often, you read what JED prints and you only need to remember for a month or two what it was before it’s proven incorrect.

audiculous on September 25, 2010 at 4:03 PM

A couple of things aren’t apparent.

Iran isn’t necessarily the target. As Caststeel alluded, the black market is the easiest place to embed worms and trojans for “testing the water”. The author now knows quite a bit more about the distribution network, reactions, political play.

Other computer controllers around the globe may be under-reporting due to some inefficiencies. This ain’t over.

And as you said, J.E., as sophisticated as this may seem, you ain’t seen nothin’ yet, buh buh buh, baby, you ain’t seen nothin’ yet. Microsoft chose not to code the hole? Who are they kidding. When seventeen year-olds can shut out entire networks, guess what a couple of real dedicated hackers can do.

Robert17 on September 26, 2010 at 11:33 PM