Sunday, September 26, 2010

Iran and Stuxnet

The Stuxnet malware has finally hit the mainstream media’s radar screen and there is lots of reporting on the Iranian target connection. Many people in the cyber security community are cautioning that the discussion of the Iranian nuclear program being the target of Stuxnet is currently based on circumstantial evidence at best. That makes yesterday’s AP news report about the Iranian reaction even more interesting.

AP notes that “Iranian media reports say the country's nuclear agency is trying to combat a complex computer worm that has affected industrial sites in Iran”. This is a long way from confirming that there have been problems at their nuclear facilities because of Stuxnet. Of course, since the concept of freedom of the press has never been big in Iran, it would be very surprising if the press, semi-official or otherwise, were to report actual disruptions.

Of course, we already know from Microsoft reports that there have been a significant number of Stuxnet infections in Iran (not the largest number by any stretch, the US still holds that honor). With the recent discussions in the mainstream western press that the Iranian nuclear program was the target, it would be a real head-in-the-sand agency that didn’t worry about what Stuxnet infected computers could do to their nuclear fuel enrichment program.

Iranian Detection of an Attack

If there was an actual cyber attack on Iran’s nuclear program, the government might not have realized that it had been attacked until the Stuxnet discussion hit the mainstream press. The way that Stuxnet apparently works would cause problems that look like ordinary process upsets under a normal investigation. Process people typically accept that their control systems are doing what they are supposed to do, so it is unlikely that any cyber security experts would have been involved in a process upset investigation.

Since it was just about two weeks ago that the open speculation in the cyber security community in the west started about the Stuxnet target, I doubt that there was wide spread consideration of the attack scenario in Iran. Local cyber security experts wouldn’t have talked much about it because of the black mark it would have left on the appreciation of their capabilities by Iran’s rulers.

With the Stuxnet discussion hitting the mainstream press I think that we can assume that any process problems being experienced in their nuclear program are now going to be re-investigated by cyber security experts. I would bet that the vast majority of those investigations are not going to find any actual cyber component, but the process people will want to be able to blame their process problems on Stuxnet; it would take the pressure off of them.

I don’t expect that Iran has any more cyber security experts than the United States does; probably far fewer. Trying to determine if process problems were caused by Stuxnet, even on systems with an identified Stuxnet infection, is going to be very time consuming. It may not actually be possible to make a real determination. If I were designing an attack program, I would include an instruction to erase the offending code from the PLCs (programmable logic controllers) involved. At this point we don’t know if such a capability was programmed into Stuxnet; we still don’t know that much about all of the capabilities of this malware.
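The one check an investigator can actually run on a suspect controller is to compare the program blocks read back from the running PLC against the known-good copy in the engineering project file. The script below is an added example, not code from this post or from any analysis of Stuxnet; the block names and block contents are constructed placeholders, and the idea that the program can be read back from the PLC as named blocks is an assumption about the platform. It also shows the caveat from the paragraph above: a payload that erases itself leaves nothing to diff, so a clean comparison does not prove the controller was never modified.

```python
"""Compare PLC program blocks against an engineering-project baseline.

Added example (not from the original post). Assumes the program can be
read back from the PLC as a dict of block name -> raw block bytes, and
that the same blocks can be exported from the engineering project file.
All block names and contents here are constructed placeholders.
"""
import hashlib


def fingerprint(blocks):
    """Map each block name to the SHA-256 of its raw bytes."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blocks.items()}


def diff_blocks(baseline_blocks, live_blocks):
    """Report blocks that were added, removed or altered on the live PLC
    relative to the engineering-project baseline."""
    base = fingerprint(baseline_blocks)
    live = fingerprint(live_blocks)
    common = base.keys() & live.keys()
    return {
        "added": sorted(live.keys() - base.keys()),
        "removed": sorted(base.keys() - live.keys()),
        "modified": sorted(name for name in common if base[name] != live[name]),
    }


def assess(report):
    """Turn a diff report into a one-word verdict for the investigation log.

    MATCHES means the running program equals the baseline *now*; it says
    nothing about code that may have been present and later removed.
    """
    if report["added"] or report["removed"] or report["modified"]:
        return "DIVERGES"
    return "MATCHES"


# Constructed baseline: what the engineering project says should be running.
BASELINE = {
    "MAIN": b"CALL DRIVE_CTRL\nCALL SAFETY_CHK\nEND",
    "DRIVE_CTRL": b"LOAD SETPOINT\nSTORE OUTPUT_WORD\nEND",
    "SAFETY_CHK": b"LOAD OVERSPEED\nJMPC SHUTDOWN\nEND",
}

# Constructed case 1: an extra block was injected and the entry block was
# hooked to call it.  The diff catches both.
LIVE_INFECTED = dict(BASELINE)
LIVE_INFECTED["MAIN"] = b"CALL DRIVE_CTRL\nCALL INJECTED\nCALL SAFETY_CHK\nEND"
LIVE_INFECTED["INJECTED"] = b"LOAD 0\nSTORE OUTPUT_WORD\nEND"

# Constructed case 2: the payload has erased itself and restored the
# original blocks.  The diff is empty and proves nothing either way.
LIVE_SELF_CLEANED = dict(BASELINE)


if __name__ == "__main__":
    for label, live in (("infected", LIVE_INFECTED), ("self-cleaned", LIVE_SELF_CLEANED)):
        report = diff_blocks(BASELINE, live)
        print(label, assess(report), report)
```

Because a self-erasing payload defeats this comparison, a DIVERGES result is strong evidence while a MATCHES result only narrows the question; the investigator then has to fall back on historian data and operator logs from the time of the upset, which is exactly why the paragraph above expects these investigations to be slow and often inconclusive.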

This would not be a good time to be a cyber security expert in Iran. Every process upset over the last year will be blamed on Stuxnet by the process owners (covering one’s butt in a restricted society is a very big thing). The prioritization of investigations is going to be confusing because it will depend so much on the power and influence of process sponsors. Finally, the evidence is probably going to be equivocal at best, so how does the cyber security expert color the final report? Do they admit that they failed the mullahs and allowed an attack to take place? Or do they accept the initial process upset reports as gospel to avoid taking responsibility for the problem?

Iranian Response to an Attack

If and when the rulers of Iran decide that there was an actual attack on their nuclear program, things will start to get interesting. If this were a missile strike on the processing facilities, we would expect naval efforts to close the Strait of Hormuz, Hezbollah terror attacks in Israel and perhaps the United States, and disruptive attacks against US forces in Iraq. Whether a cyber attack would garner the same response is unknown; but it is entirely possible.

There is also the possibility of a more cyber-related response to the attack. I doubt that Iran currently has the capability to carry out a Stuxnet-type attack on American or Israeli infrastructure (though you can bet that they are now starting work on such a capability). There have been reports, however, of a more conventional cyber attack capability in shadowy jihadist organizations. One should certainly expect that Iran would have that capability in house or in terror organizations that they sponsor.

We could expect to see more denial-of-service attacks against government and private computer systems in the United States and Israel. There would also be more persistent penetration type attacks on IT systems to try to get inside of such systems to damage or disrupt their operations.

We might also see other adversaries of the United States or Israel lend more advanced cyber attack capabilities to Iran. This would allow them to actively test and practice their cyber warfare capabilities with minimal possibility of direct retaliatory strikes. Whether these capabilities could include attacks on industrial control systems (ICS) is not known; remember that Stuxnet was the first such attack to come to light, and that doesn’t mean it is the only ICS attack vector in existence.

Game Changer

Those of us in the cyber security community (well, I’m loosely associated with that community, as should be everyone in the chemical security community because of our dependence on computer control systems) have been aware of the potential vulnerabilities of industrial control systems. Because of the lack of apparent attacks on those systems, it has been hard to get the attention of management and regulators. With the public perception of Stuxnet rising, that will no longer be the case. More people are becoming involved in the industrial cyber security debate. It is just a matter of time, for instance, before there is a Stuxnet hearing in Congress.

If we get a response from Iran to an actual, documented attack on their nuclear facilities, then the situation will change once again. There will be a very real, loud, and expensive push to force the industrial control community to secure our cyber boundaries.
