True confession time. In 2003, I was the software architect for a new breed of malware, a precision-targeted virus designed to exploit known vulnerabilities in the Supervisory Control and Data Acquisition (SCADA) systems and the Programmable Logic Controller (PLC) hardware that monitor and operate industrial equipment and processes, including electric generators and the national power grid. Drawing on experience consulting in industrial automationincluding as a lead designer on the award-winning Siemens STEP7 Lite PLC programming systemI created a root-kit worm to destroy electrical power generating equipment by throwing it out of synch.
Flash forward. In 2010, the win32.stuxnet worm was discovered in the wild by a small Belarus software security firm, and by September, when the story was widely reported in the press, it was becoming clear that win32.stuxnet was a sophisticated cyber-weapon, a piece of software that crossed the divide between the digital and the physical. This computer program was intended to undermine Iran’s nuclear efforts by destroying high-speed centrifuges at the Natanz uranium enrichment facilities and possibly disabling turbines in Iran’s nuclear plant at Bushehr.
The win32.stuxnet virus was designed, debugged, and deployed; the root-kit worm that I architected was an exercise, a paper proof-of-concept program whose only use was to help drive the plot of a novel, the techno-thriller Web Games (Gesher Press, 2010, ISBN 9780984377220). I finished the manuscript for Web Games in Augustjust before the stuxnet story broke. While I was busy writing, fact caught up with fiction.
First, let me clarify my credentials. I am neither a software security specialist nor an industrial automation authority but an interaction designer specializing in safety-critical applicationsthings like industrial automation and medical informatics. In the “elevator speech” describing my work, I say that I design how people and systems interact when it really matters which item in a drop-down is selected or whether the red button is pushed before or after the blue one. In safety-critical interaction, if a nurse makes the wrong entry or misinterprets a chart, somebody could die; if an operator misunderstands a display and takes the wrong action, a city could be without power. Such extreme occurrences are unlikely, of course, but making them even more unlikely is precisely what drives safety-critical interaction design.
My knowledge of industrial automation, SCADA systems, and PLC programming is as a consultant who can talk the talk with clients and collaborators but who is unqualified to walk the walk. This makes my work as a malware designer all the more discomforting. There are people out there who are far more knowledgeableand not all of them work for Symantec or the U.S. Cyber Command.
What Is stuxnet?
At more than 15,000 lines of code, just short of a half megabyte binary, stuxnet is the most complicated and sophisticated computer software virus yet. German security expert Ralph Langner, who contributed some of the cleverest forensic analysis, described stuxnet as the most “advanced and aggressive malware in history.” Like a real-world guided missile, a cyber-weapon like stuxnet requires a number of subsystems.
Stuxnet was launched on its journey when an infiltrator or unwitting accomplice inserted a thumb drive into a USB slot. Utilizing a zero-day exploit involving LNK files, stuxnet installed a root-kit, hid its files, and began looking around. It infected any removable USB drive encountered and propagated through any attached network. In the process, it sought signatures of specific software and devices, making use of vulnerabilities in Siemens STEP7 and WinCC software, collecting files of interest, and then phoning home to its creators to signal its lock on target and deliver details of PLC programs found.
Once its target was confirmed and its code updated remotely, stuxnet began its dirty work. In Natanz, it employed a man-in-the-middle tactic to insert itself between controlled equipment and the controlling software and between that software and the operator’s console. While temporarily red-lining the centrifuge motors, it fooled the controlling software with false input images and tricked operators with bogus displays. Then, before things got too crazy, it returned into hiding so that operators wandering among the centrifuges would not have time to wonder why things were shaking while the displays were all green.
Who Created stuxnet?
Many reports credited stuxnet to the Israeli Defense Forces (IDF) Unit 8200, famed for sophisticated Signal Intelligence (SIGINT), but sources close to the digital deconstruction of stuxnet suspect Mossad, Israel’s elite intelligence group analogous to our CIA. The very visibility of Unit 8200 (including Wikipedia entry and Wikimedia photos) and the fact that it has a name leads some analysts to suspect an unknown, unnamed unit within Mossad. Parting words by recently retired Mossad head Meir Dagan about the crippling of Iran’s nuclear program along with Mossad-style assassinations of two Iranian nuclear scientists adds to suspicions.
But Israel did not work alone. According to news reports, U.S. participation is all but certain, beginning under the previous administration and accelerating under Barak Obama. Germany’s Siemens AG, which makes the PLC software and hardware targeted by stuxnet, also helped Homeland Security’s Idaho National Laboratory build a replica of its own research facilities in Karlsruhe, Germany, giving U.S. intelligence an inside track. There is no smoking gun, but the precision and sophistication of the code strongly suggests inside knowledge of Siemens hardware and software and even the particular installations in Iran. Absent another WikiLeaks bonanza, the world may never know the full story with certainty.
How Is stuxnet Different from Other Malware?
Stuxnet is different from previous malware in its sophistication, single-minded purpose, and ability to manipulate and damage real-world physical equipment. As weapons go, stuxnet is uniquely cost-effective, yielding a surgical strike at a fraction of the cost of jet fighters and bunker-busting bombs with less risk to life and limb and none of the collateral damage.
The long-term cost of stuxnet is another matter. Software is soft. Code can all too readily be redacted and redirected. A program that searches for Siemens S7-400 modules can be modified to look for Allen Bradley components. Software configured to wreck centrifuges enriching uranium in Natanz can be repurposed to damage pumps delivering water in Los Angeles. The stuxnet code has been distributed widely, and the forensic analysis has been conducted largely in the open. In effect, templates for an entire class of cyber-weaponry have been broadcast over the Internet. The stuxnet success is inspiration and invitation to others, be they unaffiliated hackers or state-sponsored cyber-terrorists.
Software reusethat elusive agenda of legitimate software developersis the established norm in the dark world of malware. So-called script kiddies assemble software by cut-and-paste from published pieces of code, while more advanced engineers of evil use viruses in the wild as models for innovative ways to infect PCs and create botnets that pummel us with spam and distributed-denial-of-service attacks. Stuxnet is a dangerous genie released from a virtual bottle.
The U.S. has a long history of lending or unleashing weapons that are then used in retaliation. We start out as weapon suppliers and end up as targets of our own ordinance. The stuxnet worm can be turned far more easily than a Patriot missile. What once targeted Iran can be recoded to attack its creators. Sources in Israel have hinted that Israeli industrial infrastructure has already, at least in part, been hardened against stuxnet-style attacks. Not so here at home.
The vulnerabilities in SCADA and PLC systems have been known long enough that a consultant and sometime novelist could devise a cyber-terrorist attack years ago. For years, industrial security experts have been calling for new standards and regulations and better practices. We can hope that stuxnet serves as a wake-up call.
Can stuxnet Be Stopped?
Now awakened, what can IT professionals do? Reality check is the first order of business. No system can ever be made absolutely secure, but most can be made far more secure. Every organization with industrial equipment and processes under computer control should undertake a comprehensive security audit and thorough risk analysis to locate vulnerabilities in their hardware-software ecosystem. Potential exploits are not just located in the lab or the plant. If a factory and administrative offices are connected to the same network, any potential exploit in the office computers and software is a potential gateway to the factory flooras Iran now understands. Every open port or connector is a potential hole in the digital dike.
Although some vulnerabilities in USB ports, including the LNK exploit, have already been addressed, others remain. Some security experts have said that nothing short of filling USB slots with epoxy can plug those leaks. Clearly, there are security “solutions” that most users would not find acceptable. Firewalls and anti-virus software aimed at stopping conventional malware are necessary but not sufficient. Added barriers, including new hardware architectures and complete isolation of vulnerable systems, are needed.
There are no easy fixes, no Tuesday patches that will plug all the leaks. Many of the vulnerabilities in SCADA and PLC systems are architectural, hardwired into the very foundations of industrial automation. In Web Games, Richard Talpa, fictional head of a leading software security firm, formulates what he calls the First Law of Cyber-Terrorism:
Anything that can be turned on under program control can be turned off; anything that can be controlled remotely can be thrown out of control remotely.
The flexibility and ease with which software can be updated and upgraded is also its biggest vulnerability in computer-controlled systems. Ultimately, we may need less reliance on computer-based monitoring and control and more on redundant systems in which PLCs are supplemented with old-fashioned hardwired gauges and safety overrides that have no stored programs whatsoever.
Forewarned is forearmed. Inaction could mean that stuxnet, a sophisticated software smart-bomb, returns to us as a cruder but still effective digital dirty-bomb.