As the Worm Turns: The Stuxnet Legacy

In his ongoing series about the intersections of technology and society, Larry Constantine (an interaction designer specializing in safety-critical applications) discusses the history of the malware known as stuxnet and offers suggestions on how it can be stopped.
True confession time. In 2003, I was the software architect for a new breed of malware, a precision-targeted virus designed to exploit known vulnerabilities in the Supervisory Control and Data Acquisition (SCADA) systems and the Programmable Logic Controller (PLC) hardware that monitor and operate industrial equipment and processes, including electric generators and the national power grid. Drawing on experience consulting in industrial automation—including as a lead designer on the award-winning Siemens STEP7 Lite PLC programming system—I created a root-kit worm to destroy electrical power generating equipment by throwing it out of synch.

Flash forward. In 2010, the win32.stuxnet worm was discovered in the wild by a small Belarus software security firm, and by September, when the story was widely reported in the press, it was becoming clear that win32.stuxnet was a sophisticated cyber-weapon, a piece of software that crossed the divide between the digital and the physical. This computer program was intended to undermine Iran’s nuclear efforts by destroying high-speed centrifuges at the Natanz uranium enrichment facilities and possibly disabling turbines in Iran’s nuclear plant at Bushehr.

The win32.stuxnet virus was designed, debugged, and deployed; the root-kit worm that I architected was an exercise, a paper proof-of-concept program whose only use was to help drive the plot of a novel, the techno-thriller Web Games (Gesher Press, 2010, ISBN 9780984377220). I finished the manuscript for Web Games in August—just before the stuxnet story broke. While I was busy writing, fact caught up with fiction.

First, let me clarify my credentials. I am neither a software security specialist nor an industrial automation authority but an interaction designer specializing in safety-critical applications—things like industrial automation and medical informatics. In the “elevator speech” describing my work, I say that I design how people and systems interact when it really matters which item in a drop-down is selected or whether the red button is pushed before or after the blue one. In safety-critical interaction, if a nurse makes the wrong entry or misinterprets a chart, somebody could die; if an operator misunderstands a display and takes the wrong action, a city could be without power. Such extreme occurrences are unlikely, of course, but making them even more unlikely is precisely what drives safety-critical interaction design.

My knowledge of industrial automation, SCADA systems, and PLC programming is as a consultant who can talk the talk with clients and collaborators but who is unqualified to walk the walk. This makes my work as a malware designer all the more discomforting. There are people out there who are far more knowledgeable—and not all of them work for Symantec or the U.S. Cyber Command.

What Is stuxnet?

At more than 15,000 lines of code, just short of a half megabyte binary, stuxnet is the most complicated and sophisticated computer software virus yet. German security expert Ralph Langner, who contributed some of the cleverest forensic analysis, described stuxnet as the most “advanced and aggressive malware in history.” Like a real-world guided missile, a cyber-weapon like stuxnet requires a number of subsystems.

Stuxnet was launched on its journey when an infiltrator or unwitting accomplice inserted a thumb drive into a USB slot. Utilizing a zero-day exploit involving LNK files, stuxnet installed a root-kit, hid its files, and began looking around. It infected any removable USB drive encountered and propagated through any attached network. In the process, it sought signatures of specific software and devices, making use of vulnerabilities in Siemens STEP7 and WinCC software, collecting files of interest, and then phoning home to its creators to signal its lock on target and deliver details of PLC programs found.

Once its target was confirmed and its code updated remotely, stuxnet began its dirty work. In Natanz, it employed a man-in-the-middle tactic to insert itself between controlled equipment and the controlling software and between that software and the operator’s console. While temporarily red-lining the centrifuge motors, it fooled the controlling software with false input images and tricked operators with bogus displays. Then, before things got too crazy, it returned into hiding so that operators wandering among the centrifuges would not have time to wonder why things were shaking while the displays were all green.

Who Created stuxnet?

Many reports credited stuxnet to the Israeli Defense Forces (IDF) Unit 8200, famed for sophisticated Signal Intelligence (SIGINT), but sources close to the digital deconstruction of stuxnet suspect Mossad, Israel’s elite intelligence group analogous to our CIA. The very visibility of Unit 8200 (including a Wikipedia entry and Wikimedia photos) and the fact that it has a name lead some analysts to suspect an unknown, unnamed unit within Mossad. Parting words by recently retired Mossad head Meir Dagan about the crippling of Iran’s nuclear program, along with Mossad-style assassinations of two Iranian nuclear scientists, add to suspicions.

But Israel did not work alone. According to news reports, U.S. participation is all but certain, beginning under the previous administration and accelerating under Barack Obama. Germany’s Siemens AG, which makes the PLC software and hardware targeted by stuxnet, also helped Homeland Security’s Idaho National Laboratory build a replica of its own research facilities in Karlsruhe, Germany, giving U.S. intelligence an inside track. There is no smoking gun, but the precision and sophistication of the code strongly suggests inside knowledge of Siemens hardware and software and even of the particular installations in Iran. Absent another WikiLeaks bonanza, the world may never know the full story with certainty.

How Is stuxnet Different from Other Malware?

Stuxnet is different from previous malware in its sophistication, single-minded purpose, and ability to manipulate and damage real-world physical equipment. As weapons go, stuxnet is uniquely cost-effective, yielding a surgical strike at a fraction of the cost of jet fighters and bunker-busting bombs with less risk to life and limb and none of the collateral damage.

The long-term cost of stuxnet is another matter. Software is soft. Code can all too readily be redacted and redirected. A program that searches for Siemens S7-400 modules can be modified to look for Allen Bradley components. Software configured to wreck centrifuges enriching uranium in Natanz can be repurposed to damage pumps delivering water in Los Angeles. The stuxnet code has been distributed widely, and the forensic analysis has been conducted largely in the open. In effect, templates for an entire class of cyber-weaponry have been broadcast over the Internet. The stuxnet success is inspiration and invitation to others, be they unaffiliated hackers or state-sponsored cyber-terrorists.

Software reuse—that elusive agenda of legitimate software developers—is the established norm in the dark world of malware. So-called script kiddies assemble software by cut-and-paste from published pieces of code, while more advanced engineers of evil use viruses in the wild as models for innovative ways to infect PCs and create botnets that pummel us with spam and distributed-denial-of-service attacks. Stuxnet is a dangerous genie released from a virtual bottle.

The U.S. has a long history of lending or unleashing weapons that are then used in retaliation. We start out as weapon suppliers and end up as targets of our own ordnance. The stuxnet worm can be turned far more easily than a Patriot missile. What once targeted Iran can be recoded to attack its creators. Sources in Israel have hinted that Israeli industrial infrastructure has already, at least in part, been hardened against stuxnet-style attacks. Not so here at home.

The vulnerabilities in SCADA and PLC systems have been known long enough that a consultant and sometime novelist could devise a cyber-terrorist attack years ago. For years, industrial security experts have been calling for new standards and regulations and better practices. We can hope that stuxnet serves as a wake-up call.

Can stuxnet Be Stopped?

Now awakened, what can IT professionals do? A reality check is the first order of business. No system can ever be made absolutely secure, but most can be made far more secure. Every organization with industrial equipment and processes under computer control should undertake a comprehensive security audit and thorough risk analysis to locate vulnerabilities in its hardware-software ecosystem. Potential exploits are not located only in the lab or the plant. If a factory and administrative offices are connected to the same network, any potential exploit in the office computers and software is a potential gateway to the factory floor—as Iran now understands. Every open port or connector is a potential hole in the digital dike.

Although some vulnerabilities in USB ports, including the LNK exploit, have already been addressed, others remain. Some security experts have said that nothing short of filling USB slots with epoxy can plug those leaks. Clearly, there are security “solutions” that most users would not find acceptable. Firewalls and anti-virus software aimed at stopping conventional malware are necessary but not sufficient. Added barriers, including new hardware architectures and complete isolation of vulnerable systems, are needed.

There are no easy fixes, no Tuesday patches that will plug all the leaks. Many of the vulnerabilities in SCADA and PLC systems are architectural, hardwired into the very foundations of industrial automation. In Web Games, Richard Talpa, fictional head of a leading software security firm, formulates what he calls the First Law of Cyber-Terrorism:

    Anything that can be turned on under program control can be turned off; anything that can be controlled remotely can be thrown out of control remotely.

The flexibility and ease with which software can be updated and upgraded is also its biggest vulnerability in computer-controlled systems. Ultimately, we may need less reliance on computer-based monitoring and control and more on redundant systems in which PLCs are supplemented with old-fashioned hardwired gauges and safety overrides that have no stored programs whatsoever.
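The redundancy argued for above can be made concrete on the monitoring side. What follows is an added example, not code from the article or from any Siemens product: it cross-checks the speed that the PLC input image reports to the operator display against an independent, program-free tachometer, and flags windows in which the gauge shows over-speed while the display stays in the green, the pattern the article describes for Natanz. Every sensor value, limit and name below is constructed for illustration.

```python
"""Cross-check of PLC-reported values against an independent hardwired gauge.

Added example, not from the article.  The idea is the one the text argues
for: a second measurement channel with no stored program gives the operator
a way to notice when the display and the physics disagree.  All values,
limits and field names are constructed for this illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since start (constructed timeline)
    hmi_rpm: float    # speed as shown on the operator console (PLC input image)
    gauge_rpm: float  # speed from an independent hardwired tachometer


SAFE_MAX_RPM = 1100.0   # assumed operating ceiling for this illustration
TOLERANCE = 0.05        # 5% disagreement between the two channels tolerated


def channel_disagrees(sample, tolerance=TOLERANCE):
    """True when the HMI value differs from the gauge by more than the
    tolerance, measured relative to the independent gauge."""
    if sample.gauge_rpm == 0:
        return sample.hmi_rpm != 0
    return abs(sample.hmi_rpm - sample.gauge_rpm) / abs(sample.gauge_rpm) > tolerance


def disagreeing_samples(samples, tolerance=TOLERANCE):
    """Timestamps at which the two channels disagree at all."""
    return [s.t for s in samples if channel_disagrees(s, tolerance)]


def visible_overspeed(samples, safe_max=SAFE_MAX_RPM):
    """Timestamps where both channels show over-speed: the operator can see it."""
    return [s.t for s in samples if s.gauge_rpm > safe_max and s.hmi_rpm > safe_max]


def find_masked_overspeed(samples, safe_max=SAFE_MAX_RPM, tolerance=TOLERANCE):
    """Return (start, end) windows where the gauge shows over-speed while the
    HMI shows a value inside the safe band, i.e. the display is wrong about
    the equipment.  Adjacent masked samples are merged into one window."""
    windows = []
    start = None
    prev_t = None
    for s in samples:
        masked = (s.gauge_rpm > safe_max
                  and s.hmi_rpm <= safe_max
                  and channel_disagrees(s, tolerance))
        if masked and start is None:
            start = s.t
        elif not masked and start is not None:
            windows.append((start, prev_t))
            start = None
        prev_t = s.t
    if start is not None:
        windows.append((start, prev_t))
    return windows


# Constructed telemetry: normal running, a brief masked excursion at t=3..5
# where the gauge climbs but the console keeps showing 1000, a return to
# normal, then a genuine displayed over-speed at t=8 for contrast.
SAMPLES = [
    Sample(0, 1000, 1002),
    Sample(1, 1000, 998),
    Sample(2, 1000, 1001),
    Sample(3, 1000, 1380),
    Sample(4, 1000, 1410),
    Sample(5, 1000, 1395),
    Sample(6, 1000, 1003),
    Sample(7, 1000, 999),
    Sample(8, 1450, 1448),
    Sample(9, 1000, 1000),
]


if __name__ == "__main__":
    for start, end in find_masked_overspeed(SAMPLES):
        print(f"ALARM: gauge over-speed hidden from console, t={start}..{end}s")
    for t in visible_overspeed(SAMPLES):
        print(f"WARN: displayed over-speed at t={t}s")
    print("channel disagreement at:", disagreeing_samples(SAMPLES))
```

Because the excursion the article describes was deliberately brief, an alarm of this kind must latch until an operator acknowledges it rather than clearing when the channels agree again; and the comparison should run on hardware that is not itself driven by the PLC under suspicion, or the second channel adds nothing.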

Forewarned is forearmed. Inaction could mean that stuxnet, a sophisticated software smart-bomb, returns to us as a cruder but still effective digital dirty-bomb.