Posted by: theoptimisticconservative | September 24, 2010

Stuxnet: Observations on a Worm; UPDATED 26 Sept

It’s early days yet to be making pronouncements about the Stuxnet worm, which appears to have been developed by someone’s national agency(ies) to attack the Siemens-manufactured computerized control systems (and only the Siemens systems) of large industrial plants, electric power plants, or factories.  That isn’t stopping the MSM from running with the story that a nation (us?  Israel?) developed Stuxnet to attack Iran’s Bushehr reactor.

A few observations as we move forward on this.  More information may or may not become available, depending on who did, in fact, develop this thing and why.

First, and most important, if what we’ve been told so far is the extent of what Stuxnet does, it isn’t a very effective tool for sabotaging Iran’s nuclear program.  The worm was first detected on an Iranian computer and reported by a Belarusian anti-virus firm in June 2010.  It’s been studied and tracked intensively in the months since.  Once it’s been found, it can be cleaned.  Siemens has been working on methods to strengthen system security against Stuxnet’s attack path (via a USB drive and automatic, conditions-based activation).

Stuxnet is reportedly very sophisticated – a really exciting piece of malware art – but if it can be reliably detected and dealt with, it can’t present a perpetual risk to Iran’s nuclear program.  It creates a temporary problem that can be recovered from with comparative ease.  The potential is clearly interesting – the concern about similarly sophisticated, undetected worms is obvious – but Stuxnet itself has done what it’s going to (whatever that is).

The targeting of Siemens-manufactured industrial control systems is very pointed, and it does seem, on its face, to argue prior knowledge of the fact that Siemens was (in defiance of UN sanctions) shipping key parts for the Bushehr reactor to Iran through Russia.  Siemens was originally the lead contractor for the Bushehr reactor, but that was back in the 1970s.  The company ceased work on the reactor by 1982, and Russia’s Atomstroyexport contracted in the mid-1990s to complete the reactor with a Russian design.  But Russia’s nuclear firms entered talks in February 2009 with Siemens to establish a commercial partnership – a rather obvious red flag for intelligence – and by the summer of 2010, it had come to the attention of German authorities that Siemens was shipping parts to a Russian middleman who was then forwarding them to Iran.

Wired theorizes that Stuxnet’s target in Iran was not the Bushehr reactor but the centrifuge cascades at Natanz, the main site for uranium enrichment.  (Wired cites a German cybersecurity expert, Frank Rieger, as the source of this theory.)  Reportedly, the target the worm looks for is Siemens’ S7 SPS industrial system controller (SPS being the German abbreviation for a programmable logic controller, or PLC), and it is not clear from information available online whether the centrifuges at Natanz are, in fact, controlled by an S7 SPS.  It’s certainly possible; Siemens has been a leader in uranium-enrichment centrifuge technology for decades, and a former senior employee of the company (who became the head of a Turkish electronics company) was implicated in connections with the A.Q. Khan network and the transfer of centrifuge technology and parts to Libya prior to 2004.  The timeline of Natanz’s history makes it unlikely that a centrifuge-cascade controller (i.e., one or more) was bought directly from Siemens.  But the fingerprints of the A.Q. Khan network on Iran’s nuclear program suggest one path for procurement.  Iran’s centrifuge manufacturer, Kalaye Electric, has also had a commercial relationship with Siemens that keeps getting the German giant in trouble for selling it prohibited materials and equipment.

Frank Rieger’s Natanz theory rests in large part on the timing of some otherwise unexplained incidents in 2009, which he suggests are connected to each other by the introduction of Stuxnet into computers serving the Iranian nuclear program.  Wired summarizes it thus:

The Stuxnet malware appears to have begun infecting systems in January 2009. In July of that year, the secret-spilling site WikiLeaks posted an announcement saying that an anonymous source had disclosed that a “serious” nuclear incident had recently occurred at Natanz.

WikiLeaks broke protocol to publish the information — the site generally only publishes documents, not tips — and indicated that the source could not be reached for further information. The site decided to publish the tip after news agencies began reporting that the head of Iran’s atomic energy organization had abruptly resigned for unknown reasons after 12 years on the job.

There’s speculation his resignation may have been due to the controversial 2009 presidential elections in Iran that sparked public protests — the head of the atomic agency had also once been deputy to the losing presidential candidate. But information published by the Federation of American Scientists in the United States indicates that something may indeed have occurred to Iran’s nuclear program. Statistics from 2009 show that the number of enriched centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred.

The attrition-by-Stuxnet theory is weakened, however, by the fact that the worm wasn’t reported on an Iranian computer until June 2010.  It could have infected Iranian system controllers in 2009, of course, but if it remained a mystery throughout that time, the number of operational centrifuges would almost certainly have continued to decline.  That didn’t happen.  The operational number leveled out by the end of the year, and over the past 12 months has been either 3,772 or 3,936 (while additional centrifuges continue to be installed).  The latest IAEA report in August 2010 showed a drop from 3,936 to 3,772, but that was after a prior increase from 3,772 to 3,936 – and the Stuxnet worm has been a known quantity throughout this period.  I suggested an alternative explanation for the drop in operational centrifuges in February of this year.

One important aspect of Stuxnet is that it apparently activates wherever it is introduced, to look for the condition it is supposed to target; i.e., the presence of the particular Siemens controller.  It has therefore infected thousands of computers in at least 115 countries around the world, but the distribution is not even close to random.  The great majority of the infections have been detected in India, Indonesia, and Iran.

This frankly doesn’t sound to me like something the US or Israel would cook up.  Besides being irresponsible, it’s inelegant, and dramatically increases the likelihood of detection before the worm can achieve its goal.  It’s unnecessary – if the goal is sabotage.

The emphasis on eruptions in India, Indonesia, and Iran is also hard to explain.  Why not two other nations and Iran?  That it could be random seems very unlikely.  One’s first thought would be that a set of similar USB drives was shipped to each country for some innocuous, probably even non-nuclear-related purpose.  Siemens does business with all three, although if a set of drives was tampered with, the provenance wouldn’t have had to be Siemens.  It would, however, have presumably been a company that does business with all three nations.

There is also the weird fact that in the alphabetical (English) list of world nations, India, Indonesia, and Iran occur one after the other in direct sequence.  Silly as this seems, it’s a remarkable coincidence, and may lend weight to the theory about a shipment of altered drives.  It’s hard to find another link between the nations that would make these three, and no others, overwhelmingly susceptible to the Stuxnet infestation.

Of the nations that could have pulled this off, however, there is one that might have a reason to target the three most-infected countries in particular, and that’s China.  Although this week’s reports have all focused on the design of Stuxnet for industrial sabotage, it was clear in July that its design also suits it for industrial espionage.  Some tenuous indications have been alluded to that suggest a Chinese link to the worm, but no concrete proof has been unearthed.

In their excitement over the undoubted sophistication of the worm, commentators seem to be missing the operational – as opposed to technical – fact that it has been detected and analyzed, but it hasn’t succeeded in shutting down Iran’s nuclear program, or even in materially hindering it.  And now it isn’t going to.  Spreading Stuxnet unnecessarily to so many computers doesn’t jibe with a goal of achieving a dastardly and decisive effect against Iran’s nuclear program.  The more computers something proliferates to, the more likely it is to be detected somewhere – and detection ends Stuxnet’s career.

So I am unconvinced right now by the argument that the US or Israel designed this thing to attack Iran’s nuclear program.  It would make more sense if China designed it to gather and update information on Siemens controllers, and to serve under limited and specific conditions as an executioner.  But if Iran was the main target of such a project, that suggests a whole set of fresh analytical factors in the China-Iran relationship.

Perhaps the target was not Iran’s nuclear industry but her oil and gas industry (Siemens controllers are widely used in the major components of the oil and gas industry, from pipeline and pumping control to refining).  Or if the target was the nuclear industry, the attacker’s interest may have been a more general one, involving Siemens’ new relationship with Russia’s nuclear firms, and Russia’s burgeoning nuclear business with India, Indonesia, most of the nations of the Middle East, and some in Africa.  That spreading network of economic influence – along with Siemens’ deepening connection to Russia’s global oil and gas operations – would be of particular significance to China above all other nations, since Beijing is a competitor for the same effective control of resources.  If anything in this whole incident is in character for anyone, it would be China seeking to gather intelligence on, and to be in a position to disable at will, the vital industrial infrastructure of the other cutthroat Asian competitor for global resources.

Whatever happened, we can say two things today.  One, Stuxnet does represent a scary capability.  And two, regardless of where it came from, it does not represent a successful attempt to take down Iran’s nuclear program.

UPDATE:  IT blogs are noting this morning that Iran’s nuclear authority, the AEOI, has now acknowledged that Stuxnet has been found on systems in the nuclear program.  Iran had denied this earlier.  The Iranians still say the Bushehr nuclear plant has not been infected, and Siemens says its software has not been installed there anyway.

These updates don’t actually affect the above analysis or the bottom line.  No computer worm can literally bring Iran’s nuclear program to a halt.  All it can do is force Iran to reconstitute some elements of the program, and possibly make Iran more dependent on one or two partners/suppliers.  This entails extra time and inconvenience, but it doesn’t create a wall Iran can’t get over.

Kinetic destruction would force Iran to replace the equipment, and probably most of the operating environment (housing structures, electrical plant, cooling, etc.).  A worm, on the other hand, caught at the point this one has been, requires much less reconstitution; there may be no hardware replacements required at all.  The exotic “oogly” factor in this tale will keep headlines breathless for weeks.  But in the end, widely-reported worm problems and delays won’t put a period to Iran’s nuclear program.  Headlines about temporary setbacks — if there are any; we haven’t seen anything proven or material yet — are just that.  We should be more encouraged if Iran had not discovered the worm yet.  Then it might do more damage at a more significant juncture for the nuclear program.

Cross-posted at Hot Air.


Responses

  1. Wrong as per usual. What it definitely does represent is a scary capability presented as a threat to the Iranians.

    I assess and analyze it to be not yet an attempt to take down Iran’s weapons program, but a demo of what Iran can expect if it persists in pursuing that program.

    It’s an announcement of a war without boundaries.

    Not all power grows out of the barrel of a gun, or from a barrel of crude. Sometimes sophistication quietly can achieve what bombs can not.

    • I don’t think so. Why an announcement? If it was that, it was not really quiet or sophisticated but rather clumsy and badly targeted, as well as pointless: Iran is already in a low-level war with Israel. They know it and Israel knows it. Everybody knows mere demos cannot deter them.

      • Everybody knows mere demos cannot deter them.

        Not true. Iran’s behavior can be modified and, as like any other organization of humans, can be altered by either fear of punishment or hope of reward.

        Stuxnet was not clumsy but was a well-placed shot across the bow. Iran can’t advance toward developing nukes or maintain its primary revenue-producing oil industry if other computer sabotage programs are activated.

  2. Despite evidence seen over very long term,
    The pen is not thought by the ravening horde,
    To be nearly as mighty as the terrible swift sword.
    That being the case it will long have to squirm,
    Before fanatical Mullahs fear much the worm;
    One suspects by their techies they are very much bored.

    • I’ll be happy enough when

      fanatical Mullahs are fare for the worm

  3. Interesting about the worm; but I’ve long suspected that the biggest thing worthy of fear by someone building nuclear weapons with only limited technical talent and testing is some table of values in the general physics information in textbooks, papers, etc. that’s applicable only to design of a nuclear weapon, hard and expensive to check and contains just enough misinformation to prompt a serious accident at just the time when the nuclear material has been brought together for fabricating the actual weapon. A criticality accident at that point (like but perhaps greater than one that occurred at Los Alamos when they were testing before assembly) would nicely delay a program.

  4. […] This post was mentioned on Twitter by JT, J.E. Dyer. J.E. Dyer said: Stuxnet: Observations on a Worm: http://t.co/zkTn5FD […]

  5. clinging to an incorrect analysis.

    you were wrong and having to admit that you were is irksome, but clinging to saying that the worm hasn’t destroyed the nuke program is simply pitifully poor.

    who said that the object of the attack was destruction?
    I guess that if someone shoots your horse out from under you, you’ll say that the shot missed you.

    How about doing a favor for all of us, opticon, and taking a deep breath and thinking about what the effect on, as well as the damage to, the regime might be.
    Give a thought to the weaknesses of the Iranian regime and whether targeting their technological underpinnings might produce a result without all that mess and noise and blood and bad publicity and obvious criminality that dropping bombs on a sovereign nation produces.

  6. Collapsing the radical Iranian regime by means of the Stuxnet worm is not something that I would lay any money on, let alone my life.

  7. Don’t worry about betting your life, Vinnie. Iran isn’t much of a threat to it, but more importantly, it always ends with a win for the worms.

  8. Annelids, designed by kids,
    Like none before, go off to war.
    As a propellered horde, with none aboard,
    Controlled by boys, who learned on toys,
    Go off to score, making war a bore.
    Thus dissent is shushed, as buttons are pushed.

