Stuxnet: Observations on a Worm; UPDATED 26 Sept
posted at 2:14 am on September 24, 2010 by J.E. Dyer
It’s early days yet to be making pronouncements about the Stuxnet worm, which appears to have been developed by someone’s national agency(ies) to attack the Siemens-manufactured computerized control systems (and only the Siemens systems) of large industrial plants, electric power plants, or factories. That isn’t stopping the MSM from running with the story that a nation (us? Israel?) developed Stuxnet to attack Iran’s Bushehr reactor.
A few observations as we move forward on this. More information may or may not become available, depending on who did, in fact, develop this thing and why.
First, and most important, if what we’ve been told so far is the extent of what Stuxnet does, it isn’t a very effective tool for sabotaging Iran’s nuclear program. The worm was first detected on an Iranian computer and reported by a Belorussian anti-virus firm in June 2010. It’s been studied and tracked intensively in the months since. Once it’s been found, it can be cleaned. Siemens has been working on methods to strengthen system security against Stuxnet’s attack path (via a USB drive and automatic, conditions-based activation).
Stuxnet is reportedly very sophisticated – a really exciting piece of malware art – but if it can be reliably detected and dealt with, it can’t present a perpetual risk to Iran’s nuclear program. It creates a temporary problem that can be recovered from with comparative ease. The potential is clearly interesting – the concern about similarly sophisticated, undetected worms is obvious – but Stuxnet itself has done what it’s going to (whatever that is).
The targeting of Siemens-manufactured industrial control systems is very pointed, and it does seem, on its face, to argue prior knowledge of the fact that Siemens was (in defiance of UN sanctions) shipping key parts for the Bushehr reactor to Iran through Russia. Siemens was originally the lead contractor for the Bushehr reactor, but that was back in the 1970s. The company ceased work on the reactor by 1982, and Russia’s Atomstroyexport contracted in the mid-1990s to complete the reactor with a Russian design. But Russia’s nuclear firms entered talks in February 2009 with Siemens to establish a commercial partnership – a rather obvious red flag for intelligence – and by the summer of 2010, it had come to the attention of German authorities that Siemens was shipping parts to a Russian middleman who was then forwarding them to Iran.
Wired theorizes that Stuxnet’s target in Iran was not the Bushehr reactor but the centrifuge cascades at Natanz, the main site for uranium enrichment. (Wired cites a German cybersecurity expert, Frank Rieger, as the source of this theory.) Reportedly, the target the worm looks for is Siemens’ S7 SPS industrial system controller, and it is not clear from information available online if the centrifuges at Natanz are, in fact, controlled by an S7 SPS. It’s certainly possible; Siemens has been a leader in uranium-enrichment centrifuge technology for decades, and a former senior employee of the company (who became the head of a Turkish electronics company) was implicated in connections with the A.Q. Khan network and the transfer of centrifuge technology and parts to Libya prior to 2004. The timeline of Natanz’s history makes it unlikely that a centrifuge-cascade controller (i.e., one or more) was bought directly from Siemens. But the fingerprints of the A.Q. Khan network on Iran’s nuclear program suggest one path for procurement. Iran’s centrifuge manufacturer, Kalaye Electric, has also had a commercial relationship with Siemens that keeps getting the German giant in trouble for selling it prohibited materials and equipment.
Frank Rieger’s Natanz theory rests in large part on the timing of some otherwise unexplained incidents in 2009, which he suggests are connected to each other by the introduction of Stuxnet into computers serving the Iranian nuclear program. Wired summarizes it thus:
The Stuxnet malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz.
WikiLeaks broke protocol to publish the information — the site generally only publishes documents, not tips — and indicated that the source could not be reached for further information. The site decided to publish the tip after news agencies began reporting that the head of Iran’s atomic energy organization had abruptly resigned for unknown reasons after 12 years on the job.
There’s speculation his resignation may have been due to the controversial 2009 presidential elections in Iran that sparked public protests — the head of the atomic agency had also once been deputy to the losing presidential candidate. But information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred.
The attrition-by-Stuxnet theory is weakened, however, by the fact that the worm wasn’t reported on an Iranian computer until June 2010. It could have infected Iranian system controllers in 2009, of course, but if it remained a mystery throughout that time, the number of operational centrifuges would almost certainly have continued to decline. That didn’t happen. The operational number leveled out by the end of the year, and over the past 12 months has been either 3,772 or 3,936 (while additional centrifuges continue to be installed). The latest IAEA report in August 2010 showed a drop from 3,936 to 3,772, but that was after a prior increase from 3,772 to 3,936 – and the Stuxnet worm has been a known quantity throughout this period. I suggested an alternative explanation for the drop in operational centrifuges in February of this year.
One important aspect of Stuxnet is that it apparently activates wherever it is introduced, to look for the condition it is supposed to target; i.e., the presence of the particular Siemens controller. It has therefore infected thousands of computers in at least 115 countries around the world, but the distribution is not even close to random. The great majority of the infections have been detected in India, Indonesia, and Iran.
This frankly doesn’t sound to me like something the US or Israel would cook up. Besides being irresponsible, it’s inelegant, and dramatically increases the likelihood of detection before the worm can achieve its goal. It’s unnecessary – if the goal is sabotage.
The emphasis on eruptions in India, Indonesia, and Iran is also hard to explain. Why not two other nations and Iran? That it could be random seems very unlikely. One’s first thought would be that a set of similar USB drives was shipped to each country for some innocuous, probably even non-nuclear-related purpose. Siemens does business with all three, although if a set of drives was tampered with, the provenance wouldn’t have had to be Siemens. It would, however, have presumably been a company that does business with all three nations.
There is also the weird fact that in the alphabetical (English) list of world nations, India, Indonesia, and Iran occur one after the other in direct sequence. Silly as this seems, it’s a remarkable coincidence, and may lend weight to the theory about a shipment of altered drives. It’s hard to find another link between the nations that would make these three, and no others, overwhelmingly susceptible to the Stuxnet infestation.
Of the nations that could have pulled this off, however, there is one that might have a reason to target the three most-infected countries in particular, and that’s China. Although this week’s reports have all focused on the design of Stuxnet for industrial sabotage, it was clear in July that its design also suits it for industrial espionage. Some tenuous indications have been alluded to that suggest a Chinese link to the worm, but no concrete proof has been unearthed.
In their excitement over the undoubted sophistication of the worm, commentators seem to be missing the operational – as opposed to technical – fact that it has been detected and analyzed, but it hasn’t succeeded in shutting down Iran’s nuclear program, or even in materially hindering it. And now it isn’t going to. Spreading Stuxnet unnecessarily to so many computers doesn’t jibe with a goal of achieving a dastardly and decisive effect against Iran’s nuclear program. The more computers something proliferates to, the more likely it is to be detected somewhere – and detection ends Stuxnet’s career.
So I am unconvinced right now by the argument that the US or Israel designed this thing to attack Iran’s nuclear program. It would make more sense if China designed it to gather and update information on Siemens controllers, and to serve under limited and specific conditions as an executioner. But if Iran was the main target of such a project, that suggests a whole set of fresh analytical factors in the China-Iran relationship.
Perhaps the target was not Iran’s nuclear industry but her oil and gas industry (Siemens controllers are widely used in the major components of the oil and gas industry, from pipeline and pumping control to refining). Or if the target was the nuclear industry, the attacker’s interest may have been a more general one, involving Siemens’ new relationship with Russia’s nuclear firms, and Russia’s burgeoning nuclear business with India, Indonesia, most of the nations of the Middle East, and some in Africa. That spreading network of economic influence – along with Siemens’ deepening connection to Russia’s global oil and gas operations – would be of particular significance to China above all other nations, since Beijing is a competitor for the same effective control of resources. If anything in this whole incident is in character for anyone, it would be China seeking to gather intelligence on, and to be in a position to disable at will, the vital industrial infrastructure of the other cutthroat Asian competitor for global resources.
Whatever happened, we can say two things today. One, Stuxnet does represent a scary capability. And two, regardless of where it came from, it does not represent a successful attempt to take down Iran’s nuclear program.
UPDATE: IT blogs are noting this morning that Iran’s nuclear authority, AEOI, has now acknowledged that Stuxnet has been found on systems in the nuclear program. Iran had denied this earlier. The Iranians still say the Bushehr nuclear plant has not been infected, and Siemens says its software has not been installed there anyway.
These updates don’t actually affect the above analysis or the bottom line. No computer worm can literally bring Iran’s nuclear program to a halt. All it can do is force Iran to reconstitute some elements of the program, and possibly make Iran more dependent on one or two partners/suppliers. This entails extra time and inconvenience, but it doesn’t create a wall Iran can’t get over.
Kinetic destruction would force Iran to replace the equipment, and probably most of the operating environment (housing structures, electrical plant, cooling, etc.). A worm, on the other hand, caught at the point this one has been, requires much less reconstitution; there may be no hardware replacements required at all. The exotic “oogly” factor in this tale will keep headlines breathless for weeks. But in the end, widely-reported worm problems and delays won’t put a period to Iran’s nuclear program. Headlines about temporary setbacks — if there are any; we haven’t seen anything proven or material yet — are just that. We should be more encouraged if Iran had not discovered the worm yet. Then it might do more damage at a more significant juncture for the nuclear program.
Cross-posted at The Optimistic Conservative.