Philip Maxon

The Mystery of Stuxnet

One of the strangest and most interesting stories of the last week has been the apparent cyber attack on Iranian computer systems that may have targeted the nuclear plant at Bushehr. The worm, Stuxnet, also struck systems in China, Indonesia, India and Pakistan, but its infections were concentrated in Iran.

Stuxnet targets Siemens SCADA software (WinCC) running on Windows and spreads aggressively. Unlike malware built to extract information, Stuxnet is reported to be able to take control of an automated industrial process and change it. What makes Stuxnet frightening is its level of sophistication: it is complex, targeted and massive, a completely new kind of malware that has the feel of a cyber warfare weapon.

Iranian officials stated that the malware had infected 30,000 computer systems, including the personal computers of personnel who work at Bushehr, and that it will take a month or two to root it out. It is unclear whether the worm directly attacked the power facility or other Iranian nuclear facilities, and whether it is the main reason for the now three-month delay in starting up the Bushehr plant.

What makes the story interesting is that this level of sophistication is only achievable by a government or a highly trained group, which has led to speculation that the attack came from the United States or Israel. However, no government or organization has claimed responsibility. So the question remains: whodunit?

The immediate response is that the United States or Israel committed the attack. This morning John Markoff and David Sanger of the New York Times authored a piece suggesting that perhaps the Israelis, specifically their technology intelligence section, Unit 8200, launched the worm. However, the sole link to the Israelis is the mysterious word “Myrtus” embedded in the code, a possible reference to the Biblical Book of Esther, in which the Jews of Persia preempt a plot against them. The evidence is mere speculation, but it offers some possible clues.

There have been previous reports of efforts to covertly sabotage Iran’s nuclear program, which may explain the decline in the number of operating centrifuges at the Natanz plant. These efforts reportedly involved faulty centrifuge parts and the interception of shipments bound for Iran. The NYT story today did not directly link the worm to the Natanz facility, but placed it within an ongoing effort by Western governments to covertly sabotage the Iranian program.

But maybe laying blame on the U.S. or Israel is too quick a judgment. Other states, such as India, Russia, an Arab state like Saudi Arabia, or a European state, could also have created Stuxnet; each has its own motives for slowing an Iranian program. And while it is a less likely possibility, a highly sophisticated Iranian dissident group could have created and launched the worm.

There are many unanswered questions: the true target of the attack, whether the worm simply spread out of control and so reached systems in other countries, and the extent of the damage. There is not enough information to accurately pinpoint the guilty party or the true motivation.

However, if the Stuxnet attack was government sponsored rather than the work of a third party, then it may be an example of the impact of cyber warfare. The debate over containing Iran is usually framed in kinetic military terms: military strikes, arms deals to Saudi Arabia, and so on. Perhaps this latest attack is a glimpse of the behind-the-scenes world of cyber warfare and the exploitation of another country’s infrastructure.

In moving forward with discussions on the Iranian nuclear program, Stuxnet may give analysts another variable in calculating possible deterrence and containment of Iran. If it is a cyber weapon, what are its implications for military strategy? For diplomatic strategy? Is such an attack fully untraceable, or can Iran attribute it to an attacker? How would Iran respond to a cyber attack on its nuclear facilities? Would Iran immediately assume that Israel or the U.S. launched the attack even if neither did? All are interesting questions looking forward.

Comments

  1. Michael Flagg (History)

    I would strongly suggest checking out this evaluation of Stuxnet: http://frank.geekheim.de/?p=1189

    I think the author of the analysis at the link has a good point – the nature of SCADA systems used at a power plant and the nature of the systems used at an enrichment facility would tend to favor the enrichment facility as the target.

    I would also be shocked beyond words if a non-state actor pulled this off. This thing was multi-pronged and appears to have been very clean code, which implies a solid QA arm to the development group.

  2. Anthony (History)

    By the way, Jeff Carr from Forbes makes a good point about not hyping up this “mystery”:

    Reality Check: Is Stuxnet’s Iran Connection The New Iraqi WMD?

    http://blogs.forbes.com/firewall/2010/09/28/reality-check-is-stuxnets-iran-connection-the-new-iraqi-wmd/

  3. Major Variola (ret) (History)

    The Esther reference is just too good. Could be misdirection but how scholarly.

  4. George William Herbert (History)

    I’d add France to the list of possible perpetrators.

    I have seen some very cleanly coded computer malware in the last 24 years. This is, from what I’ve seen (and I’m not analyzing it myself, just reading analyses), among the best out there. Not all the best is coming out of governments, by any means… the idea that they have huge reservoirs of hackers who are super-capable is often mythical. But they can put together big teams of good people if they need to.

    One additional suspect is the company whose SCADA equipment was diverted into the Natanz facility. They have some motivation…

  5. P.E.T. (History)

    Was it the Stuxnet worm or the Israeli version of the Stuxnet worm?

  6. Alan (History)

    I posted this link on Mark Hibbs’ thread about the IAEA GC.

    http://www.langner.com/en/

    These guys are convinced the attacker will ultimately be revealed by the forensics unearthed from the virus itself (see Sept 16, Ralph’s Analysis points 5 and 6)

    It will be interesting to see if that’s the case.

    He also believes it is also only a matter of time until Stuxnet multiplies, i.e. is adapted by others and new attacks crop up everywhere.

  7. Scott Monje (History)

    This is a case that cries for wild speculation and unsupported conspiracy theories, so here goes.

    What if Iran was a diversion? What if, say, India wanted to target a very specific facility in Pakistan without drawing suspicion to itself? What better way than to dump the virus on Iran? It wouldn’t cost any more, everyone would assume Iran was the intended target, and the Pakistani target would be dismissed (by everyone but the Pakistanis) as collateral damage.

  8. Andrew Tubbiolo (History)

    Can someone inform me why important facilities are connected to the greater internet? With all the extra capacity built during the telecom bubble why not build your own network? Is it really that much to ask for a secure facility to have sealed computers when things matter so much?

    • George William Herbert (History)

      Stuxnet includes the capability to spread itself via infecting flash USB drives. That, unless the facility practices near-perfect drive hygiene, will get around nearly any firewalling, even air gaps in networks (fully isolated).

      Some military facilities disable (in some cases, physically) USB adapter ports or disable flash drive / USB drive mount capability with OS driver removals so ports can only be used for mice and keyboards. This was in use at the facility the Wikileaks guy was working at in the Middle East, for example – but they forgot to disable DVD-R / CD-R drives and he snuck data out on writeable disks. A Stuxnet variant that could also propagate on those (cough) would be even worse… Adding itself to any disk that was authored on the system, for example.

      Fundamentally, modern computer systems need a method of being updated. That method can be the network, removable drives, USB flash drives, an EEPROM, floppy disk, CD or DVD drive, … All of those methods can be subverted with effort. Some of them are easier than others. Somewhere, you have to trust some external data, from the vendor or whatever. If the attackers subvert that data at the source or in transit, you’re out of luck. If you practice anything but the very best security / data device hygiene practices, you’re very out of luck.

      Computers’ power for solving problems is directly proportional to how interconnected they are. Unfortunately, so is their vulnerability to subversion.

      Do you need perfect security, or functionality?

    • Ben D (History)

      They aren’t, Andrew. The story line, as I understand it, goes that it is spread to SCADA systems through internet-contaminated USB memory sticks that are then used on the SCADA system. Now this presupposes that the SCADA system at Bushehr actually employs USB connectors and runs on internet-compatible software.

      FWIW, rigorous intuition in this case tells me that this is more to do with psyops than actual reality.

    • Andrew Tubbiolo (History)

      Thanks for the real world explanation. But again if the facility is that important, why not totally seal your computers, no IO ports, use PS/2 keyboard and mouse (heck solder them to the motherboard), no external media. When you need to update a computer you have a stock of spares and you rebuild per the update then redeploy? Compared to suffering real attacks, this sounds cheap to me. In fact, I’d wager that not a few of the updates ‘needed’ are to cover security holes because of the openings you pointed out.

      How often do you really need to reconfigure a power grid or a reactor once it’s declared operational and operating? Even the astronomical systems I build can stay static for as long as 7 years, once it works, why fix it?

    • George William Herbert (History)

      Aircraft use very isolated controllers. So do spacecraft.

      Ground applications usually have fairly interconnect-able ones, because debugging and diagnostics and upgrades are typically seen as more important than maximal security.

      As I said, one can do all upgrades via a new EPROM (chip in socket, change the chip out). But nearly everyone uses removable media of some sort these days.

    • Ben D (History)

      Don’t worry about Bushehr, it could not have been attacked because there is no Siemens equipment installed there. According to the Siemens spokesperson, it is their system that Stuxnet was created to infiltrate and attack if appropriate.

      [quote]A spokesperson for Siemens, the maker of the targeted systems, said it would not comment on “speculations about the target of the virus”.

      He said that Iran’s nuclear power plant had been built with help from a Russian contractor and that Siemens was not involved.

      “Siemens was neither involved in the reconstruction of Bushehr or any nuclear plant construction in Iran, nor delivered any software or control system,” he said. “Siemens left the country nearly 30 years ago.”[/quote]

      http://www.bbc.co.uk/news/technology-11388018

      And BTW, he also said that, “according to global security standards, Microsoft software may not be used to operate critical processes in plants”.
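George William Herbert's reply above makes the practical point: removable media defeats air gaps unless drive hygiene is near perfect, and somewhere you still have to trust data from a vendor. The following is an editor-added example, not code from the post or any commenter, of the minimal control a practitioner would put on an import station between the outside world and an isolated engineering network: every file on the media must appear in a vendor-supplied manifest of SHA-256 digests, must match its digest, and must not carry a file type that never belongs in a controller update. The manifest format (sha256sum style), the forbidden-extension list and the sample "USB stick" built in a temporary directory are all assumptions for the example.

```python
"""Allowlist-based import check for files arriving on removable media.

Editor's added example (not from the post or its commenters). It assumes the
vendor delivers a manifest of expected paths and SHA-256 digests through a
channel separate from the media itself (or under a verified signature), so an
attacker who rewrites the stick cannot also rewrite the list it is checked
against. Anything not in the manifest, not matching it, or carrying a
forbidden extension means the media must not touch the engineering workstation.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumed site policy: file types that a controller update never legitimately
# contains. Shortcut files are on the list because they are executed by the
# shell merely by being displayed, which is a poor property for import media.
FORBIDDEN_SUFFIXES = {".lnk", ".exe", ".dll", ".scr", ".pif", ".bat", ".vbs"}


def sha256_file(path: Path) -> str:
    """Stream the file so large firmware images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Manifest lines use the sha256sum layout: '<hex digest>  <relative path>'."""
    expected: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def audit_media(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify every file under the mounted media as ok/modified/unexpected,
    and list manifest entries that are absent as missing."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    seen: set[str] = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if path.suffix.lower() in FORBIDDEN_SUFFIXES or rel not in manifest:
            report["unexpected"].append(rel)       # stray file: reject the whole stick
        elif sha256_file(path) != manifest[rel]:
            report["modified"].append(rel)         # listed, but content differs
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def media_is_clean(report: dict[str, list[str]]) -> bool:
    return not (report["modified"] or report["unexpected"] or report["missing"])


def demo() -> dict[str, list[str]]:
    """Constructed sample stick: one good file, one tampered file, one stray
    shortcut, and one manifest entry that is not on the media at all."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "fw").mkdir()
        good = root / "fw" / "block_db1.bin"
        good.write_bytes(b"\x01\x02\x03 sample firmware block (constructed)")
        tampered = root / "fw" / "block_ob1.bin"
        tampered.write_bytes(b"content that differs from what the vendor listed")
        (root / "autorun.lnk").write_bytes(b"not really a shortcut, just a stray file")
        manifest_text = "\n".join([
            "# vendor manifest, constructed for this example",
            f"{hashlib.sha256(good.read_bytes()).hexdigest()}  fw/block_db1.bin",
            f"{hashlib.sha256(b'what the vendor shipped').hexdigest()}  fw/block_ob1.bin",
            f"{hashlib.sha256(b'release notes').hexdigest()}  README.txt",
        ])
        return audit_media(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    result = demo()
    print(result)
    print("clean" if media_is_clean(result) else "REJECT media")
```

The design choice worth noting is that the check is an allowlist, not a scanner: the import station does not try to recognise malware, it refuses everything the vendor did not list. That is what makes the manifest's delivery channel the thing to protect, exactly the "trust some external data" problem Herbert describes.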

  9. Ben D (History)

    I acknowledge you used ‘apparent’ in referring to the Stuxnet cyber attack and ‘may have’ in referring to Bushehr as a target.

    Good judgement IMO, the more I read about this story, the more flaky it becomes. 🙂

    Stuxnet is supposed to first infiltrate all memory sticks it can on the world wide web, and then infiltrate all plant SCADA systems in the world it can, if and when a memory stick previously infected from the internet is inserted into the SCADA port, but then will still not infect said SCADA system unless it is the one and only target on the planet.

    [quote]

    There is no independent confirmation that Bushehr or Natanz or anyplace else has been attacked by a directed cyberweapon.

    But competing theories are emerging about Stuxnet’s target. Here are two from a cybersecurity duo from Germany who have worked, separately, on deconstructing Stuxnet – and why they think what they do.
    --snip--

    This week, Mr. Langner became the first person to detail Stuxnet’s peculiar attack features. He explained, for example, how Stuxnet “fingerprints” each industrial network it infiltrates to determine if it has identified the right system to destroy.

    Stuxnet was developed to attack just one target in the world, Langner says and other experts confirm.

    [/quote]

    http://news.yahoo.com/s/csm/20100924/ts_csm/328049_1

    • Mumbojumbo (History)

      There are several points here.
      Firstly, Bushehr is a pressurized water reactor. I think it’s credible that it would need a clean, pH-neutral supply of water, so a water treatment and purification plant seems reasonable.

      Secondly, I think the point of the story was that Iran was having trouble procuring equipment due to the sanction regime. Industrial software generally needs relicensing periodically, say once a year. A legitimate software licence would need to come from the west and hence the problem.
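The Langner passage quoted in Ben D's comment above says Stuxnet "fingerprints" each industrial network it reaches and acts only on the one that matches. The following editor-added example, which is not Stuxnet's code and says nothing about its real target, shows the mechanism generically: the payload carries only a digest of the environment it wants, so it can sit dormant on every other host while the attributes themselves never ship in plaintext. The analyst side shows the limit of that secrecy: with the digest from a captured sample and a short list of plausible values per attribute, the target configuration can be recovered by enumeration. The attribute names (controller_model, drive_vendor, drive_count) and all values are invented.

```python
"""Fingerprint-gated activation, shown generically.

Editor's added example, not Stuxnet's own logic: a worm that carries only a
digest of the environment it wants can infect many hosts yet act on one. The
attribute names and every value below are invented for illustration.
"""
from __future__ import annotations

import hashlib
import itertools


def fingerprint(attrs: dict[str, str]) -> str:
    """Digest over sorted key=value pairs so attribute order does not matter."""
    canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class GatedPayload:
    """Carries the target digest only; the plaintext attributes never ship with it."""

    def __init__(self, target_digest: str) -> None:
        self.target_digest = target_digest
        self.activations = 0

    def visit(self, host_env: dict[str, str]) -> bool:
        """Return True only on a host whose environment matches the target."""
        if fingerprint(host_env) != self.target_digest:
            return False  # infected but dormant: nothing visible breaks here
        self.activations += 1
        return True


def recover_target(target_digest: str, domains: dict[str, list[str]]) -> dict[str, str] | None:
    """Analyst side: enumerate plausible attribute combinations until one
    reproduces the digest. Feasible only while the product of the domain
    sizes stays small, which for plant configurations it usually does."""
    keys = sorted(domains)
    for combo in itertools.product(*(domains[k] for k in keys)):
        candidate = dict(zip(keys, combo))
        if fingerprint(candidate) == target_digest:
            return candidate
    return None


# Constructed target environment (invented values, not real plant data).
TARGET_ENV = {"controller_model": "ctl-B", "drive_vendor": "vendor-2", "drive_count": "48"}


def demo() -> tuple[list[bool], int, dict[str, str] | None]:
    payload = GatedPayload(fingerprint(TARGET_ENV))
    hosts = [  # constructed hosts the worm passes through
        {"controller_model": "ctl-B", "drive_vendor": "vendor-1", "drive_count": "48"},
        {"controller_model": "ctl-A", "drive_vendor": "vendor-2", "drive_count": "6"},
        {"drive_count": "48", "drive_vendor": "vendor-2", "controller_model": "ctl-B"},  # target, keys reordered
        {"controller_model": "ctl-B", "drive_vendor": "vendor-2", "drive_count": "49"},
    ]
    fired = [payload.visit(h) for h in hosts]
    domains = {  # the analyst's guess at what each attribute could be
        "controller_model": ["ctl-A", "ctl-B", "ctl-C"],
        "drive_vendor": ["vendor-1", "vendor-2"],
        "drive_count": [str(n) for n in (6, 12, 24, 48, 49, 96)],
    }
    return fired, payload.activations, recover_target(payload.target_digest, domains)


if __name__ == "__main__":
    fired, count, recovered = demo()
    print("fired per host:", fired, "activations:", count)
    print("recovered target:", recovered)
```

Two things follow for defenders. Infection counts in other countries say nothing about damage there, because the gate keeps the payload inert off-target; and the gate's own selectivity is forensic evidence, since the attributes it keys on narrow down who the intended victim was once an analyst can enumerate the candidates.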

  10. G Webb (History)

    Symantec have published their report on Stuxnet.

    W32.Stuxnet Dossier, 49 page PDF available at this link.
    http://www.symantec.com/connect/de/blogs/w32stuxnet-dossier

  11. Paul Woodward (History)

    Ben D said: “Don’t worry about Bushehr, it could not have been attacked because there is no Siemens equipment installed there.”

    This isn’t correct. The reason Langner first suggested that Bushehr was the target was because of a UPI photograph taken at Bushehr in Feb 09 that shows unlicensed Siemens WinCC SCADA software in use at the plant.
    http://warincontext.org/2010/09/26/iran-confirms-stuxnet-found-at-bushehr-nuclear-power-plant/

  12. Ben D (History)

    Hi Paul, I see nothing credible in your blog post that substantiates the speculative claims that Bushehr utilizes a Siemens SCADA system. The reasons are as follows.

    Concerning the UPI image of a control panel with an MS-look window superimposed that says “WinCC Runtime License: Your software license has expired. Please obtain a valid license”, well it doesn’t prove a thing.

    First of all, the WinCC window could so easily be a photoshopped overlay on the image of a process control panel.

    Secondly, the Control Panel image is typical of process control panels everywhere and even if the WinCC window was not photoshopped, what has that got to do with Bushehr? There is nothing else in the image to provide any information whatsoever about the local environment to provide any context as to its locality or purpose.

    Thirdly, UPI does not provide a source for anyone claiming that the UPI Photo by Mohammad Kheirkhah is actually Bushehr, they just provide a narrative to imply that it is.

    Fourthly, Ralph Langner, who you reference to support your case that Bushehr has been attacked, is not claiming the UPI image is actually genuine or that it is of Bushehr, he merely prefaces his speculative theory with “If the picture is authentic, which I have no means of verifying,….”. It is only you Paul who make the claim on your blog: “Siemens might not know that its software was installed at the plant, but thanks to a UPI photograph, we know that Bushehr control systems do indeed run on Siemens’ WinCC SCADA system.”

    BTW, since you use ‘we’ in that statement, who also beside you are claiming to really KNOW for sure,…names?

    • Paul Woodward (History)

      Ben raises some reasonable questions about a UPI photograph and whether it provides evidence that Bushehr uses Siemens WinCC software.

      Based on further analysis of the image and the control system schematic it presents, I can assert with even more confidence that the image has not been doctored and the control system is indeed at Bushehr.

      My argument, but more importantly the evidence, is presented here:
      http://warincontext.org/2010/10/03/stuxnet-bushehr-and-siemens-wincc-software/

    • Ben D (History)

      Thank you Paul for your response and providing an informative post on your blog, but overall it doesn’t strengthen your case but weakens it.

      The post by Dr. Neal Krawetz (Image Analysis, Mass Media, Forensics) on The Hacker Factor Blog you linked to writes that he has problems with that UPI photo, not that it is doctored, but that it has been misrepresented as being from Bushehr/Iran. This is also what my third point was raising.

      http://www.hackerfactor.com/blog/index.php?/archives/396-No-Nukes.html

      [quote]Frankly, I see a bunch of problems with this picture. It really looks fake to me.

      I have trouble believing that a real photo from within an Iranian nuclear plant would be using unregistered/unlicensed code. It makes for a great joke, but it doesn’t seem practical. I mean, seriously, Iran paid Russia $800 million for the facility, and you think it would include unregistered software?[/quote]

      The Hacker Factor Blog’s overall opinion is that while the UPI photo does not provide any clue as to the plant in which it was taken, it does provide a clue as to what the industrial plant was processing,…crap 🙂

      Concerning the text of the Control System schematic…
      [quote]
      Image Text

      Since I can read the text, I can’t help but notice that it has a section for “Sulfuric Acid Storage and Feeding” (center, right) and “Lime Milk Preparation and Dosing” (bottom, center).

      Sulfuric Acid isn’t startling. It is used in most power plants and water treatment facilities. However, Lime Milk is primarily used in water and sewage treatment plants and not power plants.

      Another section discusses “Polyacryl Preparation and Dosing” (bottom, right). Polyacrylamide is primarily used in wastewater treatment. (“Wastewater” as in toilets and street drains.)

      Moreover, the bottom left has a section on “Waste Water neutralization”. This really looks like a schematic for a sewage treatment facility and not a nuclear power plant.[/quote]

      The claim that the UPI photo is of Bushehr is not supported by an expert in forensics and image analysis.

      [quote]Journalistic Excellence

      UPI has the tagline “Journalistic Excellence”. However, I think they failed to research this picture. Is it even showing a nuclear power plant’s schematic? How does UPI know that this image is legitimate? If someone were to get a camera in there, I would think that more incriminating photos would come out besides an error message on a screen…

      Iran is known to release doctored images of old photos and rewrite history. However, this picture does not appear to be doctored. It just looks misrepresented.

      Don’t get me wrong, I get the joke — an error message about unregistered software at a nuclear power plant. Funny. But I think the real joke is that UPI ran with it.

      Posted by Dr. Neal Krawetz in Image Analysis, Mass Media, Forensics[/quote]

  13. Lysander (History)

    Does anyone know if other operating systems are less vulnerable (compared to windows) to attack by stuxnet or other malware? Could Iran, India, China, etc. have avoided this problem by using linux or some other OS? Would that even be practical for running industrial systems?

    Thanks

    • Mumbojumbo (History)

      Yes, Linux and any UNIX-based operating system would be less likely to be infected by a virus and would be unaffected by this virus, since it exploits some Windows-only weaknesses. There have been no recent UNIX viruses that have caused widespread problems. Linux and other UNIX-like systems have a much stronger reputation for security than MS Windows.

      However no system is completely invulnerable. If it is the case that a government agency was behind this hack they would have probably been able to come up with an attack (using different means).

    • Mumbojumbo (History)

      In answer to your second question, there are plenty of UNIX based SCADA systems and some Linux based ones.

    • Ben D (History)

      Hi Lysander, I’m sure they are. As the Siemens spokesperson noted with respect to Stuxnet being written for WinCC and Siemens using WinCC on some of their SCADA applications, “according to global security standards, Microsoft software may not be used to operate critical processes in plants” (see my earlier post above).

      All one can gather from this statement is that those Siemens SCADA systems utilizing WinCC must be limited to non-critical processes such as Sewerage Treatment Plants, etc.,.

      And BTW, since Stuxnet is purported by the experts to only affect Siemens SCADA, and even then only one target in the whole wide world, the media reports of numerous attacks in numerous countries is probably just media beat up/psyops. Sure, the Stuxnet virus may infiltrate non-critical process plants using Siemens WinCC type SCADA if and when a contaminated memory stick were to transfer it, but it wouldn’t actually cause any problems unless it was the one targeted.

  14. Paul Woodward (History)

    Ben – It’s not evident to me that you actually read my post or examined the evidence. Please explain why the same numbering system is being used in the schematic and on the physical vessels which are definitely located in Bushehr. I say definitely located there because they were photographed and reported by UPI, AFP and the BBC at the same time – February 2009.

    Neal Krawetz bases a significant part of his argument on the fact that the close-up shot of the monitor was taken with a camera with some dust on the lens and the other photos taken inside Bushehr were taken with a clean lens. Has he never seen a press photographer carrying more than one camera?

    Thankfully, the photographer whose work is being analysed provided his own explanation about this discrepancy: “I was using two cameras that day, one for my photo tele lens and one for the wide one.” (That’s from a comment by Mohammad Kheirkhah.)

    • Ben D (History)

      Paul, I did read your post but I was impressed with the explanation of Neal Krawetz that the control schematic was not of a power station but of a sewerage treatment plant. This is consistent with what the Siemens spokesperson explained about Windows not being used to operate critical processes in plants, so it can be inferred that the UPI photo is from a non-critical plant process.

      For that reason, while the pictures you posted concerning the numbering on the control schematic and equipment are consistent, this does nothing towards proving they come from the Bushehr nuclear plant, but are more consistent with a water/sewerage plant. Now it’s true I’m no industrial chemist to verify the assessment of Neal Krawetz, but unless he can be shown to be misinforming his readers, I’m accepting his explanation of what sort of process the control schematic is involved in.

      BTW Paul, so that we don’t both have to keep cross posting here, let us confine our discussion to your blog…
      http://warincontext.org/2010/10/03/stuxnet-bushehr-and-siemens-wincc-software/comment-page-1/#comment-19607

  15. Paul Woodward (History)

    And one more point – just so that we can be clear that Neal Krawetz is not an authoritative source on the operation of nuclear power plants. He blithely asserts: “Lime Milk is primarily used in water and sewage treatment plants and not power plants.”

    According to Siemens, lime milk is used for “water treatment” in “nuclear power stations”. Don’t take my word for it. Read about it here: http://www.wallace-tiernan.de/WT/technische_pdf/WT.330.106.000.IE.PS.0607.A-758-G.pdf

  16. hass (History)

    Ummm…FYI in the story of Esther, the Persians are the GOOD GUYS. Haman was Assyrian, not Persian. Esther marries the Persian King, after all. And you can visit Esther and Mordechai’s tomb in Iran to this day:
    http://www.youtube.com/watch?v=mhRyAObY8bI

  17. Hairs (History)

    Andrew, you asked “How often do you really need to reconfigure a power grid or a reactor once it’s declared operational and operating?”

    The answer for a power station is: Almost every week! The commissioning process doesn’t get anywhere near to testing and clearing up every possible way that things can go wrong, so in the early days of operation there are a lot of tweaks and fixes that have to be coded and installed. After that, routine maintenance requires insertion of overrides / jumpers / FRIGs / simulations (call them what you will) as well as parameterisations and settings every time a component goes in. In addition, there’s an ever running stream of modifications and upgrades, which ultimately forces a complete change of software because you can no longer get spare parts for your hardware (the consumer electronics equivalent would be that you have an application that runs on MS-DOS 1.0 and now your hard drive fails; all replacement hard drives expect to be run by an operating system a little more advanced). Last but not least, there is a need to change the software in order to optimise the process. In the case of a nuclear reactor it is impractical to calculate / predict EXACTLY how the process will evolve as elements transmute and components age, and therefore it may be beneficial to update the software once the data from a few years of operating experience are gathered.

  18. Hairs (History)

    Ben D:

    I’m not so confident as you that there are no Siemens control systems at Bushehr. As far as I can tell, Stuxnet was designed to attack PCS7 controllers; so unless these have a specific export or end-user restriction, why should these controllers not have been purchased by a Russian contractor and then installed in Bushehr?

    I also think the Siemens spokesman was being (perhaps unintentionally) a little misleading if he said, “according to global security standards, Microsoft software “may not be used to operate critical processes in plants”.

    Until a few years ago the standard Siemens product for running power stations was Teleperm XP – often referred to as TXP. This was a Unix based master control system that controlled most of the process, and which linked to faster controllers (running Simatic S5) for things like turbine supervision. Since this wasn’t regarded as a “failsafe” system there was a separate system in the background (used to be called AG 95F). One of the disadvantages of TXP and its associated controllers was that the S5 software couldn’t be changed while the unit was in operation, so in response to this (and many other improvements that they wished to make) Siemens created an interim product called T2000, which has now been replaced by T3000.

    Why all this history? Well T3000 is Windows based, and it allows changes to be made to the controllers of the turbines (and other fast processes) while they’re running. As far as I know there is still a separate, failsafe “protection” system operating in parallel with T3000 (though I’m sure it’s no longer called 95F). So you can see that if the Siemens spokesman had said that Microsoft products may not be used to provide “protection” (in the sense of its technical, C&I meaning) to critical plant I’d have agreed; but to say that Microsoft based software can’t be used to OPERATE critical processes is incorrect because it already is at many power stations around the world.

  19. Hairs (History)

    With regard to the discussion about the water process on the UPI photograph, it looks a lot like part of the water treatment process for producing demineralised water (or one for maintaining a specific water chemistry). In this process, sulphuric acid and lime are used for regeneration of the ion exchange resins.

    The “polyacryl” in the bottom right hand corner of the screen probably refers to polyacrylate; polyacrylate ion exchangers are particularly good at the removal of heavy metal ions, which would be necessary in the primary circuit of a PWR (such as Bushehr).

  20. Hairs (History)

    For what it’s worth, my opinion is that if Stuxnet was an attack on Iran’s nuclear systems then it was more likely aimed at Natanz (or some similar facility) rather than Bushehr.

    The main reason for this is that nuclear power stations are chock full of secondary and tertiary systems that are designed to trip the reactor and bring things to a halt in a controlled way. These back-up systems are typically independent of software e.g. they rely on a loss of signal and then gravity, natural convection, compressed gases, etc. Therefore in order to create a real disaster at Bushehr it’s likely that several protection systems would have to be disabled at once. This happened, for example, at Chernobyl, where operators knowingly took the plant outside of the range that the protection systems normally would have permitted, but it’s hard to see how Stuxnet could do anything much worse than trip Bushehr unless the operators override other, non-software protection systems. Even if Stuxnet did cause a trip, power stations are designed to start up and shutdown / trip many times in their lifetime, without too much deleterious effect, so the consequence of a Stuxnet attack on Bushehr would be to cause the plant to trip until such time as someone wonders if there’s something wrong with the software.

    In any case, PWRs such as Bushehr are not considered to be the greatest proliferation risk among reactors – partly because used fuel from PWRs contains a lot of Pu-240, which is undesirable in a weapon. Therefore why attack Bushehr when the much more worrying Arak heavy water reactor appears to be continuing its construction? (Having said that, for all I know, Arak IS the target of Stuxnet!).

    Unlike power stations, nuclear centrifuges (particularly if they are supercritical) are very susceptible to damage as they move between standstill and operating speed. Additionally, it takes some days (or weeks) for a centrifuge cascade to reach equilibrium. Therefore if an undiscovered worm like Stuxnet became active on average, say, once per month it is easy to imagine that it would have a serious impact on an enrichment programme.

    If Stuxnet is a cyberattack, then my vote is that it was an attack on Iran’s centrifuges.