Stuxnet 'an accident waiting to happen'

News by Steve Gold

Stuxnet infiltrated its air-gapped target 'inside-out', through its contractors, rather than 'outside-in', says new book.

The mystery of Stuxnet deepened this week after it emerged that the worm was apparently seeded into a series of selected contractor targets before it reached Iran's uranium enrichment systems.

As previously reported, Stuxnet is a worm that was first spotted in June 2010 attacking industrial programmable logic controllers (PLCs), a technology found in critical national infrastructure (CNI) systems.

Initially, the worm was found to compromise Iranian PLCs, collecting information on the industrial systems it reached and altering the operation of the fast-spinning enrichment centrifuges so that they damaged themselves.

Reports at the time suggested that the worm targeted Iranian nuclear systems on an 'outside-in' basis - that is, the malware was conceived with a broad attack vector and was later refined to target specific Iranian IT systems.

According to a book published yesterday by Wired magazine reporter Kim Zetter, however, the worm was aimed quite specifically at the companies and systems supporting Iran's nuclear programme, and only then 'broke loose' to infect hundreds of thousands of other computers around the world.

Zetter's book, titled 'Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon', contrasts with earlier analyses that attributed the worm's spread in the wild to coding errors.

Zetter argues that, for Stuxnet to penetrate the highly guarded installations where Iran was developing its nuclear programme, the attackers faced a hard problem: how to get the malware onto an IT platform that was air-gapped from the Internet.

According to Liam O'Murchu, manager of operations for Symantec Security Response, Stuxnet's code structure allowed for the malware to `learn' where it had been and adapt accordingly. "In fact, as Kim Zetter states, every sample can be traced back to specific companies involved in industrial control systems-type work," he said in his analysis.

O'Murchu quotes Zetter's book, specifically Chapter 17, titled 'The Mystery of the Centrifuges', as identifying several companies where she believes the infections originated.

"To get their weapon into the plant, the attackers launched an offensive against four companies. All of the companies were involved in industrial control processing of some sort, either manufacturing products or assembling components or installing industrial control systems. They were likely chosen because they had some connection to Natanz as contractors and provided a gateway through which to pass Stuxnet to Natanz through infected employees," says the book.

This raises the question, O'Murchu notes, of whether Stuxnet originated outside Natanz and spread around the world in the hope of eventually entering the Iranian computer systems, or whether the worm started inside Natanz and accidentally escaped because of a programming error.
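The inside-out versus outside-in question turns on the propagation history that O'Murchu says each Stuxnet sample carries. The following is an added example, not code from the article, from Symantec or from Zetter's book: it takes a set of constructed, hypothetical per-sample host histories (invented hostnames and domains, not real contractor names), merges them into one infection tree and reports the earliest-infected organisations. It also shows why a single sample can mislead: one captured inside the target plant looks 'inside-out' on its own, while the merged view places the root at a contractor.

```python
"""Reconstruct infection chains from per-sample propagation histories.

Constructed example: each captured sample carries the ordered list of hosts
it passed through (hostname, domain, first-infection time), in the spirit of
the article's claim that Stuxnet 'learned where it had been'.  The sample
data below is invented for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed, hypothetical propagation histories.  Domains are placeholders.
SAMPLES = [
    [("eng-ws01", "contractor-a.example", "2009-06-22T09:10:00"),
     ("laptop07", "contractor-a.example", "2009-06-22T13:45:00"),
     ("plc-hmi02", "target-plant.example", "2009-07-01T08:02:00")],
    [("eng-ws01", "contractor-a.example", "2009-06-22T09:10:00"),
     ("laptop07", "contractor-a.example", "2009-06-22T13:45:00"),
     ("plc-hmi02", "target-plant.example", "2009-07-01T08:02:00"),
     ("file-srv", "target-plant.example", "2009-07-03T11:30:00")],
    [("build-pc3", "contractor-b.example", "2009-07-07T10:00:00"),
     ("plc-hmi02", "target-plant.example", "2009-07-09T16:20:00")],
    # A sample recovered outside the plant: its history starts inside Natanz-like
    # territory, so on its own it looks as if the worm began there.
    [("plc-hmi02", "target-plant.example", "2009-07-09T16:20:00"),
     ("sales-nb", "unrelated-firm.example", "2010-02-14T10:00:00")],
]


def build_infection_graph(samples):
    """Merge per-sample chains into parent -> children edges and first-seen times."""
    children = defaultdict(set)
    first_seen = {}
    for chain in samples:
        prev = None
        for host, domain, ts in chain:
            node = f"{host}.{domain}"
            t = datetime.fromisoformat(ts)
            # Keep the earliest time any sample reports for this host.
            if node not in first_seen or t < first_seen[node]:
                first_seen[node] = t
            if prev is not None and prev != node:
                children[prev].add(node)
            prev = node
    return children, first_seen


def find_roots(children):
    """Hosts that appear in the merged graph but never as somebody's child."""
    all_nodes = set(children)
    has_parent = set()
    for kids in children.values():
        all_nodes |= kids
        has_parent |= kids
    return sorted(all_nodes - has_parent)


def earliest_by_domain(first_seen):
    """First-infected host per organisation (domain), with its timestamp."""
    out = {}
    for node, t in first_seen.items():
        domain = node.split(".", 1)[1]
        if domain not in out or t < out[domain][1]:
            out[domain] = (node, t)
    return out


def entry_direction(samples, target_domain):
    """'outside-in' if every root lies outside the target, 'inside-out' if every
    root lies inside it, otherwise 'mixed'.  Returns (label, roots)."""
    children, _ = build_infection_graph(samples)
    roots = find_roots(children)
    inside = [r for r in roots if r.endswith("." + target_domain)]
    if roots and not inside:
        return "outside-in", roots
    if roots and len(inside) == len(roots):
        return "inside-out", roots
    return "mixed", roots


if __name__ == "__main__":
    children, first_seen = build_infection_graph(SAMPLES)
    label, roots = entry_direction(SAMPLES, "target-plant.example")
    print("merged view:", label, roots)
    for domain, (host, t) in sorted(earliest_by_domain(first_seen).items()):
        print(f"  {domain}: first infected {host} at {t.isoformat()}")
    print("sample 4 alone:", entry_direction([SAMPLES[3]], "target-plant.example")[0])
```

The merged graph gives two contractor hosts as roots and classifies the entry as outside-in, whereas the fourth sample in isolation classifies as inside-out. That is the analytic step behind O'Murchu's remark that the samples trace back to specific companies: origin is a property of the merged histories, not of any single captured binary.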

According to Rob Bamforth, a principal analyst with Quocirca, the business and IT research house, the key question with Stuxnet is what the worm was originally intended to do.

"I think that, regardless of whether the worm operated on an inside-out or outside-in basis, the security lesson is that you can never rely on an air-gapped system to prevent an IT platform from becoming infected. Most security mechanisms rely on the human element to protect, but the reality is that the human element will always be the weakest link," he said.

Against this backdrop, Bamforth argues that no IT system can ever be fully secure against attack, as Stuxnet's successful incursion shows, and that security systems must therefore be designed on the presumption that they are vulnerable.

Professor John Walker, a visiting professor at Nottingham Trent University, pointed the finger of blame for Stuxnet's development at the US government, which he says was actively developing the worm to destabilise Iran's nuclear capabilities.

"Let's be honest here, no one in their right mind wishes to see Iran aspire to a position of offensive nuclear capabilities, and so my bet is on the fact that the release was both willful and intentional, in the guise of an APT targeting the implicated systems," he said, adding that it is interesting that Stuxnet is capable of compromising a high-security system that would otherwise be viewed as totally secure.

"In the case of Iran, it is clear that the country's nuclear systems are some way off the 99.99 percent security levels needed to defend critical assets. The world is an insecure place, and when it comes to cyber-security, this seems to be the weak point of our times," he explained.
