Saturday, May 26, 2012


Tangled Web

Iran's Bushehr Might Not Be Stuxnet's Target

The Stuxnet computer worm is back in the news, with Iran's Vice President Ali Akbar Salehi saying that it didn't harm the country's atomic program.

An AP report on November 22 cast suspicion on Stuxnet after "major technical problems" had forced the "temporary shutdown of thousands of centrifuges enriching uranium."

Iran's enrichment program has come under renewed focus with the conclusion of cyber experts and analysts that the Stuxnet worm that infected Iran's nuclear program was designed to abruptly change the rotational speeds of motors such as ones used in centrifuges. Such sudden changes can crash centrifuges and damage them beyond repair.

Last week The Register had a piece looking closer at Stuxnet, a worm that infects computers running Windows and is supposedly spread by USB sticks. It then goes on to target industrial control systems, which according to security expert Bruce Schneier, "run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines -- and, yes, in nuclear power plants."

The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose.
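The sabotage pattern described above (brief frequency excursions spread over months) is exactly the kind of thing an hourly or daily average will hide. As an added illustration that is not part of the original post, the following Python script runs a per-sample check next to an average-based check over constructed drive telemetry. The log format (`drive01 t=<seconds> f=<hz>`), the 50 Hz nominal speed and the 49 to 51 Hz expected band are all assumptions made for this example, not values from the post.

```python
"""
Added example, not from the original post: detecting short, intermittent
excursions in a drive's reported output frequency. The telemetry is
constructed here, and the expected band is an assumed operating limit.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    t: int          # seconds since start of the log (constructed)
    freq_hz: float  # drive output frequency as reported by the controller


@dataclass(frozen=True)
class Excursion:
    start_t: int
    end_t: int
    min_hz: float
    max_hz: float


def build_log() -> List[str]:
    """Constructed telemetry: one hour at 10 s intervals, nominal 50 Hz with
    small jitter, plus two brief excursions (one high, one low)."""
    pattern = [50.0, 50.1, 49.9]
    freqs = [pattern[i % 3] for i in range(360)]
    freqs[30], freqs[31] = 71.5, 72.0   # 20 s high excursion at t=300..310
    freqs[250] = 30.0                   # single-sample low excursion at t=2500
    return [f"drive01 t={i * 10} f={f}" for i, f in enumerate(freqs)]


def parse_log(lines: List[str]) -> List[Sample]:
    """Parse the assumed 'drive01 t=<s> f=<hz>' line format."""
    samples = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        samples.append(Sample(int(fields["t"]), float(fields["f"])))
    return samples


def mean_hz(samples: List[Sample]) -> float:
    return sum(s.freq_hz for s in samples) / len(samples)


def average_in_band(samples: List[Sample], lo_hz: float, hi_hz: float) -> bool:
    """Coarse check: is the mean frequency over the window within the band?
    A few seconds of excursion barely move the mean, so this passes."""
    return lo_hz <= mean_hz(samples) <= hi_hz


def find_excursions(samples: List[Sample], lo_hz: float, hi_hz: float) -> List[Excursion]:
    """Per-sample check: every contiguous run of samples outside the band."""
    excursions: List[Excursion] = []
    run: List[Sample] = []

    def flush() -> None:
        if run:
            excursions.append(Excursion(run[0].t, run[-1].t,
                                        min(s.freq_hz for s in run),
                                        max(s.freq_hz for s in run)))
            run.clear()

    for s in samples:
        if lo_hz <= s.freq_hz <= hi_hz:
            flush()
        else:
            run.append(s)
    flush()
    return excursions


if __name__ == "__main__":
    samples = parse_log(build_log())
    print(f"mean over window: {mean_hz(samples):.3f} Hz")
    print("average check passes:", average_in_band(samples, 49.0, 51.0))
    for e in find_excursions(samples, 49.0, 51.0):
        print(f"excursion t={e.start_t}..{e.end_t}: {e.min_hz}-{e.max_hz} Hz")
```

With the constructed data the window mean comes out just above 50 Hz and the average check reports nothing, while the per-sample check reports both excursions with their start and end times. The design point is that monitoring for this class of tampering has to keep the raw sample stream (or at least min/max per interval) rather than only aggregated statistics.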

The problem with Stuxnet is that it's very difficult to establish who is responsible, partly because, as Schneier writes, the authors "were uncommonly thorough about not leaving clues in their code," but also because it's not even clear who -- or what -- was the target. 

Schneier:

None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates--India, Indonesia, and Pakistan--are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

If it targets Bushehr, then it must be the United States or Israel, right? Not necessarily.

Schneier points to a number of alternative theories: that it could have been a research project that got out of control or even a dastardly conspiracy to increase funding for cybersecurity in D.C.

Another cybersecurity expert, Jeffrey Carr, has a number of other possible theories about Stuxnet's aims and origins, including that it was targeting states producing rare-earth metals or it was corporate sabotage designed to discredit Siemens (who run the control systems that Stuxnet targets).

It can be almost impossible to find out who exactly is responsible for a cyberattack. Or even, in the Stuxnet case, what the intended target is. My colleague Christian Caryl recently discussed NATO's principle of collective defense and cyberattacks with U.S. Ambassador to the alliance, Ivo Daalder, and the interview raised some interesting questions.

Here is Daalder's answer (read the interview here) to the question of whether cyberattacks would be counted as an attack against all, under NATO's Article 5:

It will be if there's an attack that has consequences that are so vast, then we would, as a council, just as we did on September 12, 2001, come together and decide how will we respond to that. And it is at that time that the question would be raised: is this the kind of attack that is sufficient to warrant an Article 5 response, an invocation of Article 5, or not? Rather than doing that before hand, and saying, by definition, it will or won't be, we're going to have to decide on the spot, in a case by case basis whether, in a cyber case, this is an armed attack.

That seems to me to be a reasonable response. With such an asymmetrical threat it might be hard to do anything but respond on an ad hoc basis. We're very much focused on the "cyber" part of cyberattacks -- the method of delivery -- but instead, when evaluating responses, we should really focus on the destruction and harm that those attacks can cause.

Bringing down a ministry's website and playing with the control systems of a nuclear power plant would seem to be of entirely different orders of magnitude.

Tags: cyberattack, Iran, Stuxnet

Comments
by: Catherine Fitzpatrick from: New York
November 29, 2010 21:23
Schneier's agenda here as a "progressive" security "expert" is likely to throw people off the trail of believing that Stuxnet damaged. And naturally he will try to re-direct the target of inquiry to Washington and a supposed effort to get a bigger budget for cyber security. This is all a known quantity.

Remember, this is the guy who was most quoted on the recent "don't touch my junk" TSA meme-bomb, and who says that the scanners are basically pointless, that even checking ID is pointless, and that we shouldn't encourage people in the "see something, say something" campaign because that breeds mistrust.

Of course Iran is not going to tell you if they have suffered damage.

And the U.S. is now ramping up its cyber commands and is actively fighting back to the very real and very massive cyber attacks it already experiences from China. One thing that Wikileaks revealed is that all that speculation (from the likes of Schneier) that it really wasn't the Chinese government harming Google, and it was really just freelancers, wasn't true, and it turned out to be an organized government hack. And no doubt we will someday find out the same thing about the Russian attacks on Estonia.


by: Catherine Fitzpatrick from: New York
November 29, 2010 21:31
I should put my scare quotes not on "expert" because Schneier is a CTO, author of books, widely quoted, etc. etc. but put the scare quotes on "security".

Because he's often anti-security, and his writings on the TSA scanner issue illustrate that. If everyone listened to him and followed his advice to the letter, rather than relying on standard security procedures and classic systems, they would rely on something else -- a class of security gurus who would come to have total power over every system. No thank you.

by: Chris Johnson from: USA
December 02, 2010 07:56
Catherine Fitzpatrick: you've characterized Schneier completely wrong -- probably based on a few out-of-context quotes on the TSA scanner issue. Try reading what he has written in more depth, such as his book Beyond Fear. You will find he is very much in favor of security, in favor of people taking charge of their own security, of people becoming educated about security and actual risk (rather than emotional knee-jerk imagined risk). Nothing I've read in his books, columns, blog posts, etc. suggests to me that he wants security gurus like himself to have total power over every system, as you write. In fact, Beyond Fear takes exactly the opposite position.

About This Blog

Written by Luke Allnutt, Tangled Web focuses on the smart ways people in closed societies are using social media, mobile phones, and the Internet to circumvent their governments and the efforts of less-than-democratic governments to control the web.