Stuxnet Increasingly Sounding Like A Movie Plot
from the made-for-hollywood dept
Like many people, I've been following the story of the Stuxnet worm with great interest. As you probably know, this worm was apparently designed to infect Iranian nuclear operations to create problems -- and supposedly set back their nuclear operations quite a bit. The NY Times came out with a fascinating investigative report about the background of Stuxnet over the weekend, and it's worth a read. What I found most entertaining was the rather Hollywood-trickery angle by which Stuxnet did its dirty work:

The worm itself now appears to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

That latter part is, indeed, right out of a movie. I guess sometimes truth does mimic fiction. That said, I'm still trying to figure out how or why Iran allowed any sort of outside code or computers into their nuclear operations.
Reader Comments
How Outside Code Gets In
Software (and configuration) updates are usually delivered to the system (which IS isolated from the Internet) via USB key. But, the systems used to prepare those updates ARE connected to the internet, if only so they can receive emails from the vendor or from the programmers working 10 miles down the road from the plant.
The NSA may be able to go so far as to have a complete air-gap between 'net connected systems and isolated systems, with absolutely nothing even like a USB key ever crossing between them. But most systems aren't like that, even if nuclear.
Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick
missing questions
What I found strangely missing from the New York Times article was that one aspect of the poisoned PLC code was to intermittently change the speed of the centrifuges in a way that wouldn't destroy them but kept the uranium from being successfully enriched. Such a problem would be hard to be aware of, much less debug.
Another aspect of the story that I haven't seen explained is how the writers of Stuxnet got a hold of the code signing keys for Windows drivers from two separate companies: Realtek Semiconductor and JMicron Technology. The private keys for certificates are not something that should be accessible on the companies' website. In my mind, it doesn't even have to be on a computer connected to the internet. Was there collusion from these companies with the US?
A really good summary of Stuxnet can be found here (warning, it is technical):
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
They don't need to get inside a building to load software onto a computer.
Fascinating story, but ...
There is no reason to think that pulling this off one time has permanently shut down the Iranians' program. If the perpetrators had just kept their mouths shut, then perhaps some variation on this could have been used again after Iran got back up and running. Now Iran is forewarned.
So... did it really happen as we have been told, or is this just well-designed rumor intended to help sell the idea that there is an ongoing cyberwar?
Not the virus technique, just the explanation
Re:
haha
Maybe...
Re: Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick
Re: missing questions
In fact, I believe there was an earlier story that suggested there was.
What's really interesting is...
If the Iranians (or anyone else) were ever to damage another nation's infrastructure...
To be continued I hope.
ha ha ha
Sure, what is the IP of Iran's nuclear facility again?
Sure you can LOL, you just have to find an Iranian centrifuge on the internet, with its very own IP address.
Good luck with that!
Re: How Outside Code Gets In
Most systems ARE just like that. Do you think the financial transaction computers at a bank are in any way connected to the internet, or connected to, say, the home mortgage network?
They are not. Do you think your local electricity company has its accounting system tied to its SCADA control systems? No, of course not, nor are they connected to the internet.
And updates are not done as you explain, with a USB stick with something you use on the internet.
Our local water company uses PCs and servers for its accounting and billing etc. It is not connected to the internet.
And they have totally separate VMS mainframes for their SCADA system, not connected to their accounting system, that are ALSO NOT connected to the internet.
Generally any 'updates' you do are updates on software that you yourself have written, that you can assure contains no viruses.
Re: missing questions
So the only way to introduce a 'virus' on them is if you have physical access to the equipment, and you have an EPROM burner, and the correct software.
Good point !!
You have to reprogram an EEPROM and physically plug it into the machine.
You cannot remotely program these devices, nor can you override the safeties.
Therefore, if the equipment was functioning out of spec, it would override with a safe shutdown.
The safeties are not a part of the control system, but are a separate hard-wired fail-safe system.
For example, an overtemperature or overspeed shutoff on a motor.
And just good engineering will stop that.
But to introduce a virus into a SCADA PLC you need physical access to that PLC.
Re: Re: How Outside Code Gets In
Yes. I have worked on two financial systems for MAJOR US banks and I can tell you both had internet-connected components that they viewed as potential threats but necessary for communications.
Re: Re: How Outside Code Gets In
Re: Re: missing questions
Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabotage the system.
Hides modified code on PLCs, essentially a rootkit for PLCs.
Re: Fascinating story, but ...
Also, the damage isn't over yet. Current estimates are that it will take over a year to completely remove the program from the facility. In addition to that, two professors working at the facility were recently killed in car bombings and there is speculation that they were the two people leading the effort to remove the worm, although there has been no confirmation of this.
It is possible that Stuxnet was really designed only to buy time, either for political action or to give developers time to develop a more sophisticated and more damaging virus. Some have speculated that Stuxnet was probably a test of the nuclear plant's defenses and that data gathered by the worm will be used in some other operation.
Re: Good point !!
You have posted like 5 times in this thread and none of it is correct. You don't need "physical access" to a PLC to reprogram it.
EEPROM: Electrically Erasable Programmable Read-Only Memory
See, it says right in the GOD DAMN name that you can erase it ELECTRICALLY!!!
Re: Re: Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick
Not so hard of a line.
Re: Re: How Outside Code Gets In
Yes, they are. Ever heard of online banking? The financial transaction computers at the bank have to be connected to the online banking computers, which in turn have to be connected to the Internet. It would not work otherwise.
I am sure this is true for my bank, and for every other big bank in this country.
CIA Involvement
http://www.npr.org/2011/01/04/132629443/the-fallout-of-the-cias-race-to-get-khan
Slightly more subtle
Re: What's really interesting is...
http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage
JMicron and Realtek have buildings in the same office park in Japan -- the keys might have been acquired via physical access
http://www.computersecurityarticles.info/antivirus/another-signed-stuxnet-binary/
Re: stolen keys
Re: stolen keys
Re: Re: Good point !!
Or prove you do not need physical access to the PLC to reprogram the EPROM.
The PLCs do not have 'EPROM burners' inside them; you have to unplug the EPROM from the circuit board, plug it into a programmer, and you then have to burn the new data onto it.
It's very clear you do not have a clue.
If I DO read the name of EPROM, it's an "erasable, programmable, READ ONLY MEMORY."
Yes, it is erasable and programmable, but NOT IN SITU.
And any idiot who knows anything about electronics, and PLCs and SCADA systems, will be totally aware of how stupid you are sounding.
Perhaps you need to
LEARN TO LEARN!
Re: Re: Re: missing questions
Maybe it is why the Middle East uses an Australian company for its SCADA systems, RTUs and PLCs etc.
Look up SERCK.
They have their head office in Newcastle, Australia, but they do a HUGE amount of work in the Middle East.
Do you honestly think they would be stupid enough to buy PLCs and RTUs, and employ US engineers to work for them?
No way. Very, very few people these days TRUST US engineering; if there is an alternative, they will take it.
http://www.serck-controls.com/global.html#
Re: Re: Re: Re: missing questions
Maybe because all of the articles about this say they use Siemens controllers. You are the only one I have seen claiming otherwise. Of course, that doesn't *prove* you are wrong, but I know which side of that bet I'd take.
Re: Re: stolen keys
Re: Re: Re: Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick
Re: Re: Re: Re: missing questions
Second, the Iranians have published reports that they are using Siemens PLCs.
Third, your insanely stupid rants are getting tiring. I'm not sure if English is your 4th language or if you are really just ignorant (of, like, everything) but you ought to spend maybe 5 minutes reading about things before spouting your OPINION about how those things are.
Re: Re: Re: Good point !!
Well clearly that idiot isn't you. I work with PLCs you dumb ass.
OK, I'm done pointing out how stupid you are, the entire world has published new stories about this issue and not one of them agrees with your insane rambling.
Also, kindly die in a fire.
Link in article does not work.
This is incorrect.
Please post a link that actually goes directly to the "fascinating investigative report" ASAP. (When clicked, in any browser on any Internet-connected computer, it should display the actual, complete text of the "fascinating investigative report" without any additional steps being required beyond the one link click.)
Re: Link in article does not work.
Re: Re: Re: Of Course, The Old “Play Back Recorded Footage To Fool The Security Monitors” Trick