Critical Infrastructure and Worms

Stephen DeAngelis

October 18, 2010

Perhaps you have been following the story about “computer systems at Iran’s first nuclear-power plant [that] have been infected with a potent worm capable of taking over their control systems” [“Computer Worm Hits Iran Power Plant,” by Siobhan Gorman, Wall Street Journal, 26 September 2010]. It is a cautionary tale full of twists and intrigues. Gorman reports:

“The development further fueled suspicions that the [so-called Stuxnet] worm, which was discovered in July and has disproportionately hit facilities in Iran, was designed to attack Iranian nuclear facilities. ‘Studies conducted show some personal computers of the Bushehr nuclear-power plant workers are infected with the virus,’ the facility’s project manager, Mahmoud Jafari, told Iran’s official Islamic Republic News Agency. He said the virus hasn’t caused major damage and won’t affect the scheduled completion of the plant. … James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies in Washington, said that while it isn’t clear whether Iran was specifically targeted by the Stuxnet worm, leading suspects in mounting such an attack would include Israel, the U.S., and the U.K. In addition, Russia, France and Germany also would have the capability to conduct this type of attack, said Mr. Lewis, who frequently advises the Obama administration. ‘Bushehr is a good target’ to be compromised, he said. ‘The Iranians should be worried.’”

Before returning to the “suspects” in this case, let’s focus on the worm itself. Gorman continues:

“Stuxnet has affected a broad range of targets. Researchers at the U.S. computer-security company Symantec Corp. found that about 60% of the Stuxnet infections have hit computer systems in Iran, with many systems in Indonesia and India also affected. There have been no reports of infections in the U.S. The U.S. Department of Homeland Security has been studying the worm since July, and in its tests so far hasn’t seen the worm actually manipulate or destroy a computer control system, said Sean McGurk, who heads the department’s control systems program, at a briefing Friday. The worm has targeted the Siemens industrial control systems that are used in Iranian and other countries’ facilities by exploiting a security gap in Microsoft Windows. Siemens AG and Microsoft Corp. have issued patches to close that gap.”

Gorman reports that, if not eliminated, “the worm is capable of reprogramming the systems controlling the [Iranian nuclear] plant.” According to John Markoff, “Computer security specialists have speculated that once inside the factory and within the software that controls equipment, the worm [could reprogram] centrifuges made by a specific company, Siemens, to make them fail in a way that would be virtually undetectable.” He goes on to note that the Stuxnet worm is at once both sophisticated and amateurish [“A Silent Attack, but Not a Subtle One,” New York Times, 27 September 2010]. He continues:

“The most striking aspect of the fast-spreading malicious computer program — which has turned up in industrial programs around the world and which Iran said had appeared in the computers of workers in its nuclear project — may not have been how sophisticated it was, but rather how sloppy its creators were in letting a specifically aimed attack scatter randomly around the globe. The malware was so skillfully designed that computer security specialists who have examined it were almost certain it had been created by a government and is a prime example of clandestine digital warfare. While there have been suspicions of other government uses of computer worms and viruses, Stuxnet is the first to go after industrial systems. But unlike those other attacks, this bit of malware did not stay invisible. If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings. The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment. Computer security specialists are also puzzled by why it was created to spread so widely.”

Markoff reports that the Stuxnet worm is not the first malware aimed at critical infrastructure. He explains:

“Security specialists contrast Stuxnet with an intrusion discovered in the Greek cellphone network in March 2005. It also displayed a level of skill that only the intelligence agency of some foreign power would have. A two-year investigation by the Greek government found an extremely sophisticated Trojan horse program that had been hidden by someone who was able to modify and then insert 29 secret programs into each of four telephone switching computers. The spy system came apart only when a software upgrade provided by the manufacturer led to some text messages, sent from the system of another cellphone operator, being undelivered. The level of skill needed to pull off the operation and the targets strongly indicated that the culprit was a government. An even more remarkable set of events surrounded the 2007 Israeli Air Force attack on what was suspected of being a Syrian nuclear reactor under construction. Accounts of the event initially indicated that sophisticated jamming technology had been used to blind the radar so Israeli aircraft went unnoticed. In May 2008, however, a report in an American technical publication, IEEE Spectrum, cited a European industry source as raising the possibility that the Israelis had used a built-in kill switch to shut down the radar. A former member of the United States intelligence community said that the attack had been the work of Israel’s equivalent of America’s National Security Agency, known as Unit 8200. But if the attack was based on a worm or a virus, there was never a smoking gun like Stuxnet.”

That’s a good segue back to the list of suspect governments that might have created the worm. The United States is on that list because it has championed the opposition to Iran’s growing nuclear ambitions. Gorman reports, however, that “the U.S. would be a less likely suspect because it uses offensive cyberoperations infrequently and usually only under specific circumstances when officials are confident the operation will affect only its target, current and former U.S. officials said. It has opted against cyberattack proposals when the effect was unpredictable, as it did when it considered then rejected the possibility of a cyberattack on Iraq’s financial system before the 2003 invasion.” Gorman continues:

“U.S. officials have said they are alarmed by the worm’s emergence because it represents the first publicly acknowledged set of attacks targeting computer-control systems. It is a very sophisticated worm, having the capability also to steal data about a system and adapt on its own to evade detection. ‘It’s almost like what we did in the aviation world, where we started with rudimentary manned vehicles dropping bombs out the window,’ said a U.S. military official. ‘Now we’re using unmanned aerial vehicles [like drones]. It’s almost like the war on the net has done the same thing.’”

Gorman noted that the United Kingdom was also a suspect government, but I’m assuming it is not a serious contender for many of the same reasons that the U.S. is being given a pass. That leaves only Israel. Here’s where the story gets intriguing [“In a Computer Worm, a Possible Biblical Clue,” by John Markoff and David E. Sanger, New York Times, 30 September 2010]. They report:

“Deep inside the computer worm that some specialists suspect is aimed at slowing Iran’s race for a nuclear weapon lies what could be a fleeting reference to the Book of Esther, the Old Testament tale in which the Jews pre-empt a Persian plot to destroy them. That use of the word ‘Myrtus’ — which can be read as an allusion to Esther — to name a file inside the code is one of several murky clues that have emerged as computer experts try to trace the origin and purpose of the rogue Stuxnet program, which seeks out a specific kind of command module for industrial equipment. Not surprisingly, the Israelis are not saying whether Stuxnet has any connection to the secretive cyberwar unit it has built inside Israel’s intelligence service. … In interviews in several countries, experts in both cyberwar and nuclear enrichment technology say the Stuxnet mystery may never be solved. There are many competing explanations for myrtus, which could simply signify myrtle, a plant important to many cultures in the region. But some security experts see the reference as a signature allusion to Esther, a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project. Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel. … There are many reasons to suspect Israel’s involvement in Stuxnet. Intelligence is the single largest section of its military and the unit devoted to signal, electronic and computer network intelligence, known as Unit 8200, is the largest group within intelligence.”

Markoff and Sanger report that “Ralph Langner, a German computer security consultant … was the first independent expert to assert that the malware had been ‘weaponized’ and designed to attack the Iranian centrifuge array.” They also report that “it was Mr. Langner who first noted that Myrtus is an allusion to the Hebrew word for Esther. The Book of Esther tells the story of a Persian plot against the Jews, who attacked their enemies pre-emptively.” They continue:

“Carol Newsom, an Old Testament scholar at Emory University, confirmed the linguistic connection between the plant family and the Old Testament figure, noting that Queen Esther’s original name in Hebrew was Hadassah, which is similar to the Hebrew word for myrtle. Perhaps, she said, ‘someone was making a learned cross-linguistic wordplay.’ But other Israeli experts said they doubted Israel’s involvement. Shai Blitzblau, the technical director and head of the computer warfare laboratory at Maglan, an Israeli company specializing in information security, said he was ‘convinced that Israel had nothing to do with Stuxnet.’ ‘We did a complete simulation of it and we sliced the code to its deepest level,’ he said. ‘We have studied its protocols and functionality. Our two main suspects for this are high-level industrial espionage against Siemens and a kind of academic experiment.’ Mr. Blitzblau noted that the worm hit India, Indonesia and Russia before it hit Iran, though the worm has been found disproportionately in Iranian computers. He also noted that the Stuxnet worm has no code that reports back the results of the infection it creates. Presumably, a good intelligence agency would like to trace its work.”

Experts may never be able to finger the real culprit who created the Stuxnet worm, but for me the bottom line is that this episode underscores the fact that concerns over Trojan horses hidden in code are not just grist for conspiracy theorists. The Economist believes that the Stuxnet worm could represent a turning point in cyberwar [“The meaning of Stuxnet,” 30 September 2010]. It writes:

“This is … a new kind of cyber-attack. Unlike the efforts to disrupt internet access in Estonia or Georgia (blamed on Russia), or the attacks to break into American systems to steal secrets (blamed on China), this was a weapon aimed at a specific target—it has been called a ‘cyber-missile’. One or more governments (the prime suspects are Israel and America) were probably behind it. After years of speculation about the potential for this sort of attack, Stuxnet is a worked example of cyberwar’s potential—and its limitations. Much of the discussion of cyberwar has focused on the potential for a ‘digital Pearl Harbour’, in which a country’s power grids and other critical infrastructure are disabled by attackers. Many such systems are isolated from the internet for security reasons. Stuxnet, which exploits flaws in Microsoft Windows to spread on to stand-alone systems via USB memory sticks, shows they are more vulnerable than most people thought. The outbreak emphasises the importance of securing industrial-control systems properly, with both software (open-source code can be more easily checked for security holes) and appropriate policies (banning the use of memory sticks). ‘Smart’ electricity grids, which couple critical infrastructure to the internet, must be secured carefully. Stuxnet is also illuminating in another way: it reveals the potential for cyber-weapons that target specific systems, rather than simply trying to cause as much mayhem as possible. It infected several plants in Germany, for example, but did no harm because they were not the target it was looking for. Such specificity, along with the deniability and difficulty of tracing a cyber-weapon, has obvious appeal to governments that would like to disable a particular target while avoiding a direct military attack—and firms interested in sabotaging their rivals. But the worm also highlights the limitations of cyber-attacks. 
… The attack will only have delayed Iran’s nuclear programme: it will not have shut it down altogether. Whoever is behind Stuxnet may feel that a delay is better than nothing. But a cyber-attack is no substitute for a physical attack. The former would take weeks to recover from; the latter, years.”

The magazine concludes that cyberwar is here to stay: “Get used to it.” Since the global economy remains susceptible to virtual attacks in sectors like energy, finance, and transportation, countries and companies must be more vigilant. Bruce Schneier got it right when he wrote, “The mantra of any good security engineer is: ‘Security is not a product, but a process.’” The weakest link in that process continues to be the human operator.