Monday, October 11, 2010

Non-Iranian Stuxnet Targets

Much has been made of the targeting of the Stuxnet worm. By all accounts the way the worm is constructed suggests it targets a specific installation running specific Siemens software on a particular hardware configuration. If you are not operating an Iranian uranium processing facility, the popular wisdom is that Stuxnet is nothing more than a minor inconvenience.

There are problems with that assessment. If this was a cyber attack by one nation-state on the weapons program of another, it seems to be a very poorly directed attack. A covert cyber attack needs to remain covert. Once it is discovered, the process upsets can be corrected, the computer systems purged of the weaponized worm, and the weapons program will proceed with tighter attention to cyber security. A publicly identified cyber weapon delays, but does not stop, the weapons program; that is too much time and effort for such a minor effect.

The prolific propagation of Stuxnet is the result of a deliberate design process. The weapon was designed to move through computer systems and networks by a wide variety of mechanisms, ranging from human intervention (USB drives) to a unique peer-to-peer update system. More than anything else it seems to search for computers running either of two Siemens software packages used to control a wide variety of industrial processes.

Everyone has noticed that there appears to be only one specific active target for the worm. If the weapon does not detect a specific programmable logic controller (PLC) configuration, it sits idle, almost as if it were waiting for further instructions. And we know that whenever an infected computer contacts (or is contacted by) another infected computer, the one carrying the older version of Stuxnet is updated with the newer version's instructions.

What if this isn’t a cyber weapon being used by a nation-state to destroy a weapons program? What if this isn’t an incredibly sophisticated yet inept weapon? What if it is something entirely different?

Criminal Tool not Cyber Weapon

Let’s suppose that the most effective part of this malware’s construction was actually its intended purpose: spread the infection through as many Siemens-based ICS as possible. The attack payload, the instructions ‘targeted’ at Iranian processing facilities, would be a red herring thrown across the trail. It successfully makes everyone jump to the conclusion that either the Israelis or the Americans (or perhaps both) were behind the ‘sophisticated’ attack, so no one is actually looking for the real perpetrators. Even the Americans and the Israelis disbelieve each other’s protestations of innocence. No one seems seriously interested in tracking down the perpetrators.

After the initial furor dies down, and Stuxnet has been dissected and analyzed until no one is really interested any more, a series of new versions could be released at various locations around the world. The new versions would carry a slightly different payload and a new C&C address to report to. The new payload would be a set of ‘document and report’ instructions that collect detailed information about the PLCs connected to each infected system.

The Stuxnet control organization would then have the information needed to target attacks against each of the reporting control systems. The programmers would once again modify the payload, this time altering the programs of a number of different PLCs at the facility. One controller would be programmed to visibly ‘misbehave’ at a particular time. Shortly thereafter the facility management would receive a message threatening to disrupt other manufacturing operations unless a fee were paid. The remaining controllers’ modified programs would trigger at separate times unless a special stop signal were received. If Stuxnet were ‘cleaned’ from the system, the process upsets would instead be set to trigger on specific, yet otherwise normal, control system commands to the PLC.
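To make the dynamics of the two passages above concrete (the idle-unless-matched payload plus the older-version-gets-updated peer mechanism, and the later retargeting of the same infected population), here is a small simulation. It is an added example written for this page, not code from the original post and not Stuxnet's own code. The host names, the PLC fingerprints such as `s7-315:cfg-A`, the contact list, and the two payload rules are all constructed for illustration and are not Stuxnet's real identifiers or checks.

```python
"""Propagation-and-retargeting simulation (constructed example, not Stuxnet code).

Models the two behaviours the post relies on: the worm spreads to every host
it can reach and then sits idle unless a host's PLC configuration matches the
payload's target, and any contact between two infected hosts leaves both
running the newer payload version.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Payload:
    version: int
    name: str
    # Predicate over a host's PLC fingerprint: True means the payload activates.
    target: Callable[[str], bool]


# Constructed fingerprint; not a real Stuxnet check.
TARGET_FINGERPRINT = "s7-315:cfg-A"

# v1: the narrowly targeted payload the post describes (idle everywhere else).
PAYLOAD_V1 = Payload(1, "sabotage-one-configuration",
                     lambda fp: fp == TARGET_FINGERPRINT)
# v2: the hypothetical "document and report" follow-on, which wants every
# Siemens controller it can find.
PAYLOAD_V2 = Payload(2, "document-and-report",
                     lambda fp: fp.startswith("s7-"))


@dataclass
class Host:
    name: str
    plc_fingerprint: str               # "" when no controller is attached
    payload: Optional[Payload] = None  # None means not infected


def contact(a: Host, b: Host) -> bool:
    """One contact between two hosts (network share, USB stick, peer update).

    An uninfected side gets infected; if both are infected, the side with the
    older version adopts the newer one. Returns True if either host changed.
    """
    if a.payload is None and b.payload is None:
        return False
    if a.payload is None or (b.payload is not None
                             and a.payload.version < b.payload.version):
        a.payload = b.payload
        return True
    if b.payload is None or b.payload.version < a.payload.version:
        b.payload = a.payload
        return True
    return False  # same version on both sides: nothing to do


def run_contacts(hosts: Dict[str, Host], edges: List[Tuple[str, str]],
                 max_rounds: int = 10) -> int:
    """Replay the contact list until a full pass changes nothing.

    Returns the number of passes used (the last one is the quiet pass).
    """
    for rounds in range(1, max_rounds + 1):
        changed = False
        for x, y in edges:
            changed = contact(hosts[x], hosts[y]) or changed
        if not changed:
            return rounds
    return max_rounds


def active_targets(hosts: Dict[str, Host]) -> List[str]:
    """Hosts on which the currently installed payload would fire."""
    return sorted(h.name for h in hosts.values()
                  if h.payload is not None and h.payload.target(h.plc_fingerprint))


def scenario() -> Dict[str, object]:
    """Seed v1 on one host, let it spread, then seed v2 somewhere else."""
    hosts = {name: Host(name, fp) for name, fp in [
        ("eng1", "s7-315:cfg-A"),   # the one configuration v1 cares about
        ("eng2", "s7-315:cfg-B"),
        ("eng3", "s7-417:cfg-C"),
        ("office", ""),             # no PLC; still carries the worm
    ]}
    edges = [("eng1", "eng2"), ("eng2", "eng3"),
             ("eng3", "office"), ("office", "eng1")]

    hosts["office"].payload = PAYLOAD_V1   # e.g. an infected USB stick
    run_contacts(hosts, edges)
    after_v1 = active_targets(hosts)

    hosts["eng3"].payload = PAYLOAD_V2     # one newer copy, anywhere, is enough
    run_contacts(hosts, edges)
    after_v2 = active_targets(hosts)

    return {
        "after_v1": after_v1,
        "after_v2": after_v2,
        "versions": {n: h.payload.version for n, h in hosts.items() if h.payload},
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Run as a script it prints the active-target list after each stage: one host under version 1, every host with a controller under version 2. The point it makes is the post's own: a population infected with a dormant, narrowly targeted version is one version bump away from being a population of targets, and nothing in the update mechanism cares who seeded the newer version or where.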

How many facilities would pay the protection fee? How many could afford not to? To properly clean this type of system, each PLC would have to be taken off-line, erased, and re-programmed from a clean system. For most systems this could not be done piecemeal; the entire facility would have to be shut down. The reprogramming would also require re-tuning many of the processes, a time- and resource-consuming task.

If the fee were low enough, it would certainly look like the preferable alternative to many managers. After a few facilities inadequately cleaned their control systems and had even worse problems after the shutdown, that news would encourage other managers to raise their definition of a reasonable fee.

Which is it?

I am certainly not stating that this is the true nature of the Stuxnet worm. I am neither proficient nor connected enough to be able to make that determination. It does seem to me from reading the reports from Symantec and Langner that the obvious answer is just a little off from what we would really expect to see if this were a cyber-warfare tool. I may be expecting too much from a weapon design team, but there are too many unexplained inconsistencies to suit me.

It is time that we considered alternative explanations and tried to determine the consequences of those alternatives. And someone needs to be thinking now about how to deal with those potential consequences. Stuxnet may have been designed as a cyber weapon. If so, it was sloppy and left lying around for anyone to pick up and use.

Anyone who thinks that we won’t be seeing Stuxnet variants targeted at non-Iranian processing facilities is living in a dream world; they need to get ready for the nightmare. The new targets will either be the real targets or just targets of opportunity. It won’t make much difference to the target.
