Stuxnet: A Chief Executive Plan

Wednesday, October 5, 2011 @ 04:10 PM gHale

By Richard Sale
Stuxnet had its true origin in the waning moments of George W. Bush’s presidency in 2009, said former senior intelligence officials, one of whom worked for the National Intelligence office.

At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, these sources said.

The groundwork for the plan began much earlier, though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens to help Siemens study weaknesses in its own control-system software, the sources said. Quite a few suppliers have these types of pacts with INL, under which the lab tests their platforms to find and resolve weaknesses.

In 2008, shortly after Siemens brought in the system for analysis, the Department of Homeland Security got wind of it and teamed with INL to study the Siemens PCS 7 and Step 7 platform, which runs all sorts of sensors and machines in a process control system, the sources said.

As it turned out, the system they were testing was the same system running the nuclear enrichment plant at Natanz.

Meanwhile, while that analysis was going on, and after much consultation and research, U.S. intelligence officials decided the new target was going to be the P1, a centrifuge for enriching uranium that Pakistan used to manufacture its nuclear bomb and that Iran was also using at the Natanz facility. While the P1 centrifuge, which uses an aluminum rotor, can be made without attracting much attention, it can be very difficult to put together.

The United States got a batch of P1’s when Libya gave up its nuclear program in 2003. In 2004, nuclear and computer experts, assembled by the CIA, began to study the P1’s weaknesses, which were “glaring,” one of the sources said.

While they are not sure of the time frame, the sources said Israel at some point also got hold of a P1. Shortly thereafter, Israel had row upon row of P1s at its Dimona Research Center, which has been the chief site for development of Israel’s nuclear weapons, including its Jericho intermediate-range missile. The Israelis became the “real masters” of P1 centrifuge technology, these sources said.

Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.

The worm used at least four zero-day exploits and had Microsoft Windows driver modules signed with genuine cryptographic certificates stolen from respectable companies, contained about 4,000 functions, and used advanced anti-analysis techniques to make reverse engineering difficult.

The goal of Stuxnet was to hit Iran’s uranium enrichment facility at Natanz, 160 miles south of Tehran. That plan worked: the worm made its way through the Siemens system and manipulated the arrays of centrifuges, which do the enriching, into self-destructing.

The attack hurt Iran’s nuclear program, which Israel and the United States say is to produce nuclear weapons. Tehran denies that.

A separate source from the Defense Intelligence Agency (DIA) confirmed Stuxnet was a U.S.-Israel program attacking Siemens’ hardware. An additional senior official at DIA said Stuxnet could now be considered a potential weapon of mass destruction (WMD). Both DIA officials requested anonymity.

As a result of Stuxnet, Iran is now in the process of working on a counter to the worm that hit their nuclear enrichment facility causing serious damage over the past few years, said a former CIA official and current Middle East security consultant close to the situation.

Additionally, while the worm still exists in Iran’s nuclear system, cyber experts have found a way to bypass it, said the source who spoke on the condition of anonymity.

Whether the Iranians are working on a counterstrike against the various governments they feel are involved, or are planning a similar attack on industrial control systems, is unknown at this time, the sources said.

While the political issues continue to volley back and forth, one of the key lessons from the attack is that if someone remains focused and dedicated to getting into your system, an attack will happen. It is just a matter of how well a manufacturer can defend that system.

Stuxnet was pure sabotage, security experts have said.

As mentioned, Stuxnet infected systems by exploiting vulnerabilities in Microsoft Windows. Loaded onto a computer through, among other things, a USB drive, shared network files, or SQL databases, Stuxnet targeted Siemens SIMATIC WinCC and PCS 7 control systems.

If that software was running, Stuxnet looked for a particular configuration of industrial equipment and then launched an attack designed to make certain microcontrollers perform erratically while reporting normal functioning to the system’s operators.

Among the zero-day vulnerabilities, it exploited the AutoRun functionality on Windows to infect computers from USB drives. It then used a hardcoded default password for the Siemens management application to compromise the machine before taking over the specialized industrial-control computers, which ran a proprietary operating system from Siemens.

The worm also hijacked the facility’s monitoring system to falsely show the machines were functioning normally, preventing officials from catching on to what was really happening.
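One defensive check against exactly this kind of falsified reporting is to compare what the monitoring system displays against an independent measurement, and to test whether the display is simply looping a recorded segment. The following is an added example, not code from the article or from Siemens; the rotor-speed samples are constructed and the 4-sample loop period is an assumption.

```python
# Added example (not from the article or any vendor): cross-check an HMI-reported
# signal against an independent measurement and test for a looping recording.

# Constructed rotor-speed samples in Hz (illustrative values, not real plant data).
HMI_REPORTED = [1064.0, 1065.0, 1063.0, 1064.0] * 4   # display loops one 4-sample segment
INDEPENDENT = [1064.0, 1065.0, 1063.0, 1064.0,         # first loop matches reality
               1200.0, 1300.0, 1400.0, 1410.0,         # then the real rotor is driven off-profile
               600.0, 500.0, 300.0, 200.0,
               1064.0, 1065.0, 1063.0, 1064.0]         # and returns to nominal


def divergent_samples(reported, measured, tolerance):
    """Indices where the displayed value differs from the independent one by more than tolerance."""
    return [i for i, (r, m) in enumerate(zip(reported, measured)) if abs(r - m) > tolerance]


def looks_replayed(series, period, min_repeats=3):
    """True if the series is an exact repetition of its first `period` samples at least
    `min_repeats` times over, i.e. it looks like a looped recording rather than live data."""
    if period <= 0 or len(series) < period * min_repeats:
        return False
    segment = series[:period]
    repeats = len(series) // period
    return all(series[k * period:(k + 1) * period] == segment for k in range(repeats))


def assess(reported, measured, tolerance=25.0, period=4):
    """Combine both checks into one verdict for an operator or a detection rule."""
    divergent = divergent_samples(reported, measured, tolerance)
    replay = looks_replayed(reported, period)
    return {
        "divergent_samples": divergent,
        "replay_suspected": replay,
        "alert": bool(divergent) or replay,
    }


if __name__ == "__main__":
    print(assess(HMI_REPORTED, INDEPENDENT))
```

The independent measurement has to come from a path the compromised controller and HMI do not share, otherwise both series are under the attacker's control and the comparison proves nothing.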

From an industrial control system standpoint, Stuxnet showed just how complex and interconnected a typical control system is. Potential pathways exist right from the outside world, through the Enterprise Control Network and down to the process controllers.

Because of this complexity, Stuxnet had many possible pathways to get to its target process.

In one attack vector, an infected USB storage drive could have first compromised one of the Support Stations and gained direct entrance to the Perimeter or Process Control networks. (Support Stations connecting via the Back-Firewall have a trusted connection to the Process Control Network, whereas Support Stations connecting via the Front-Firewall typically only get access to the semi-trusted Perimeter Network.) Alternatively, a PLC programming laptop, used and infected at another site, might have gone directly into the Control Network and been used to program the target PLCs. In these situations, the worm would have completely circumvented quite a few of the security controls proposed by the Siemens Security Concept documents.
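The pathways described above can be modelled explicitly so a defender can see which routes to the PLCs cross a firewall and which bypass every one of them. The following is an added example, not from the article or from the Siemens Security Concept; the zone model is a constructed simplification of the zones named in the text, and the asset names are assumptions.

```python
# Added example (not from the article or Siemens): enumerate routes from an entry
# point to the PLCs in a zoned control network and flag routes that bypass every
# firewall. Topology is a constructed simplification; asset names are assumptions.
from collections import defaultdict

TOPOLOGY = {  # directed "can reach" edges inside the plant network
    "external": ["enterprise_network"],
    "enterprise_network": ["front_firewall"],
    "front_firewall": ["perimeter_network"],
    "perimeter_network": ["support_station_front", "back_firewall"],
    "support_station_front": ["perimeter_network"],       # semi-trusted zone only
    "back_firewall": ["process_control_network"],
    "support_station_back": ["process_control_network"],  # trusted link to the PCN
    "process_control_network": ["plc"],
    "plc_programming_laptop": ["plc"],
    "plc": [],
}
# Out-of-band entry points that never touch a firewall: infected removable media
# plugged into a Support Station, and a laptop infected elsewhere and carried in.
OUT_OF_BAND = {
    "usb_media": ["support_station_front", "support_station_back"],
    "infected_laptop": ["plc_programming_laptop"],
}
FIREWALLS = {"front_firewall", "back_firewall"}

def build_graph():
    graph = defaultdict(list)
    for source, edges in (*TOPOLOGY.items(), *OUT_OF_BAND.items()):
        graph[source].extend(edges)
    return graph

def find_paths(graph, start, target):
    """All simple (cycle-free) paths from start to target, by depth-first search."""
    paths = []
    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph[node]:
            if nxt not in path:          # skip cycles such as station <-> perimeter
                path.append(nxt)
                walk(nxt, path)
                path.pop()
    walk(start, [start])
    return paths

def firewalls_crossed(path):
    return [hop for hop in path if hop in FIREWALLS]

def uncontrolled_paths(graph, start, target="plc"):
    return [p for p in find_paths(graph, start, target) if not firewalls_crossed(p)]  # no firewall on route
```

Running `uncontrolled_paths(build_graph(), "usb_media")` returns only the route through the Back-Firewall-side Support Station, which is the control gap the text describes; the route from the outside world crosses both firewalls.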

While the worm remains persistent and the Iranians are finding it difficult to eradicate, cyber experts there have found a way to bypass it, one source said.

The end result of the Stuxnet attack, though, as reported in an August ISSSource.com dispatch, is that Iran is still replacing thousands of expensive damaged centrifuges.

One report by the news organization DEBKAfile had Iran replacing an estimated 5,000 centrifuges to remove the threat.

Iran may have had 8,700 centrifuges in operation at the Natanz facility when Stuxnet hit sometime in 2009. International Atomic Energy Agency officials said up to 25 percent of those centrifuges were inoperable as of January 2010.

The Institute for Science and International Security released a report in February that said the damage to Iran’s uranium enrichment program was limited. Sources told DEBKAfile the opposite; one source said Iran’s nuclear operations will never return to “normal operation.”

In following the worm’s path, security experts believe Stuxnet was created to target and then disable Iran’s nuclear enrichment facilities.

When asked directly in a CNBC documentary that aired May 26 whether the United States was involved with creating Stuxnet, Deputy Defense Secretary William Lynn declined to deny or confirm the charge. “And this is not something that we’re going to be able to answer at this point,” Lynn said.

While it was not the first attack against an industrial control system, the sophistication and power of the attack means manufacturing automation companies, not to mention countries around the world, need to beef up their cyber security capabilities.

While Stuxnet specifically targeted Siemens industrial process control computers used in nuclear centrifuge operations, other industrial process automation and control systems are open to attack. That means network operators have to assess their threat exposure and decide how to mitigate it.

Richard Sale was United Press International’s Intelligence Correspondent for 10 years and also wrote for the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.