Re: Stuxnet

Working someplace that has a fairly large SCADA installation, definitely something I've been watching. http://www.symantec.com/connect/blog...ection-process is a pretty good write-up on the PLC attack part of it.

Re: Stuxnet

I simply cannot understand the lack of attention to Stuxnet. Could someone explain to me why? Just before the weekend Symantic found out designs of the target system (http://www.symantec.com/connect/blog...t-breakthrough) which appears to confirm the Iranian target speculations ... and still I've heard almost nothing.

A serious threat to a nuclear facility, and hardly even a squeak. Clocks are going to roll over like a speedometer and everyone thinks planes are going to slam into mountains. My local news station just did a report about how dangerous WiFi is to childrens' health. What is going on here?

I understand these forums really only pick up around time of the con, but even on other hacker forums there's not much conversation.

Re: Stuxnet

Most of it is because the SCADA engineers around the world refuse to admit there's actually a problem. Many of them feel that their networks are islands unto themselves and therefore impenetrable. It's been a slow process trying to get the SCADA people to understand basic security issues.

Re: Stuxnet

I am equally perplexed as to the lack of conversation. This is a milestone in the development of malware: rather than one government launching aircraft to bomb a nuclear facility, they decided instead to attack it with malware.

This is bona fide information warfare and a milestone in the development of malware, if you ask me.

Of course, I may be biased by where I think malware is going.

Re: Stuxnet

I know on Reddit and Slashdot the topic of Stuxnet has been beaten like that dead horse I have buried in my backyard. At one point on /r/netsec every other post was Stuxnet related. I avoided the forums for a few weeks because I'm transitioning to a new job, but I was surprised to log in last week and see maybe 4 new posts. While the forum regulars are always here, I think the community dies around this time of the year after the shine of Defcon has faded and the glint from DC19 is so far on the horizon.

I tried to not pay too much attention to it because I got wrapped up in the Conficker nonsense (my network at the time did get infected, however) It's interesting to see that it's a much different class of virus and it took a really long time to figure it out. I enjoyed reading the Symantec writeup on it.

Re: Stuxnet

Several times, I've considered posting something about Stuxnet, but most of what's being bandied about is little more than FUD and other misinformation. Aside from the Symantec analysis much of what has been posted on the SCADA security lists has been mainly wild, unsubstantiated speculation with little or no facts.

So far, the biggest problem that I see with SCADA isn't Stuxnet or another worm, but that the average Process Control/SCADA person is clueless about security. Coupled with the fact that SCADA processes generally required availability above all else, and most SCADA equipment and systems have zero security controls, it makes securing control systems very difficult. The current situation is about equal to 1987 with PC viruses: wide open systems with no security, and clueless users.

While Stuxnet may be a further step in the direction of information warfare, the real milestone was probably on September 6, 2007, when Israel bombed the suspected nuclear reactor in Aleppo, northern Syria. During the attack, Syrian air traffic control was mysteriously unable to see the Israeli aircraft, while normal ATC functions continued.

Re: Stuxnet

Didn't know about that... cool. And what we're seeing here is very similar: Stuxnet has been specifically designed to mitigate collateral damage, looking for very specific types of hardware operating under very specific conditions and then and only then does it attempt its (very subtle) attack.

Re: Stuxnet

Do a search on "Operation Orchard", and you'll find a lot of information about it. There are some conflicting reports that indicate that it was a backdoor, or a 'kill switch' worm, some super-sophisticated variation of conventional radar jamming, or a man-in-the-middle attack on the fiber communication lines between the radar transceivers and the operators' workstations. Richard Clark has a good review of what happened and the possible explanations in Chapter 1 (pages 1-8) of Cyber War. Clark opens the book with that situation because he says "This was how war would be fought in the information age, this was Cyber War."

The very first incident of this type however, was probably close to three decades ago, when the Trans-Siberian pipeline exploded 1982. The controls reportedly had a CIA-designed flaw in SCADA software was stolen by the KGB. The flaw has been described as both a Trojan-horse and a logic-bomb. Whatever the exact technical specifications, the software allegedly caused various pumps, turbines, and valves to exceed normal operational limits, which in turn caused the pipeline to burst and explode. While the end result was not nearly as subtle as Stuxnet's reported target, it certainly did exactly what you describe, in that it was looking for very specific types of hardware operating under very specific conditions and then and only then did it attempt its attack.

Re: Stuxnet

Yeah, I'm well aware of that, but again, that's a trojan, and one which required very specific and purposeful manual actions on the part of the Russians in order to be effective.

Stuxnet is multi-layer malware, which propagates with zero knowledge on the part of Iranians and leverages their computer infrastructure along with normal actions and processes. Obviously there was a huge amount of spy work/intelligence that went into its creation, but after that, they turned it loose in selected places and theoretically it just did its thing. That's the unprecedented part here and what really makes Stuxnet so interesting.

Re: Stuxnet

Perhaps the most detailed analysis of Stuxnet yet:

http://www.langner.com/en/2010/11/19/the-big-picture/

It contains two different payloads designed to attack two different targets. The first payload was designed to destroy the rotors of uranium centrifuges. The other payload was aimed at the approximately 150 foot wide gas turbine of an Iranian nuclear power plant.

"Stuxnet is like the arrival of an F-35 fighter jet on a World War I battlefield."

Re: Stuxnet

This is a month old, moldy dusty bread of a post but, that wont stop me...

"I simply cannot understand the lack of attention to Stuxnet. Could someone explain to me why?"
Hmm well do you want everyone in the world to know that it would be possible to control the nuclear centrifuge possibly causing a nuclear meltdown in a foreign nation already in the middle of a bunch of war nations. Dunno about the rest of ya'll but a nuclear winter doesnt seem to appealing...
Perhaps they fail to realize the complexities of how hard it is to debug the StuxNet source code...

"Most of it is because the SCADA engineers around the world refuse to admit there's actually a problem"
This is true... Can you blame em?

"The controls reportedly had a CIA-designed flaw in SCADA software was stolen by the KGB"
Did ya know the CIA Director was in Nicaragua during the Earthquake in 72...

Re: Stuxnet

Stuxnet can't cause a nuclear catastrophe. The intended target was a gas turbine, centuries old technology which turns steam pressure into torque which in turn drives an electrical generator and produces electrical power.

Rather than affecting the nuclear components of the power plant, Stuxnet could theoretically destroy this turbine and thus the plant's ability to produce electrical power.

Re: Stuxnet

I'd heard that Stuxnet's payload was aimed at modifying the RPMs of nuclear fuel producing centrifuges, rather than a nuke plant's steam turbine. The centrifuges are used to separate U-235 from U-238 for use as fuel (or alternately, bombs.) Apparently, the correct RPMs are critical for both the production of the U-235 and the operation of the centrifuge itself. Incorrect RPMs will cause incorrect fuel extraction and can damage the centrifuge's mechanisms.

However, even destroying the centrifuges still wouldn't cause a meltdown according to what I know. Uranium within a centrifuge is in a gaseous form (technically it's gas uranium hexafluoride). For it to go into the superheated, uncontrolled state that causes a meltdown, the U-235 has to be in a solid state. Now, I am not a nuclear scientist (IANANS ), so I could be off base here, but that's my understanding.

Re: Stuxnet

See the analysis I linked earlier:

http://www.langner.com/en/2010/11/19/the-big-picture/

Stuxnet contains two payloads. One indeed is targeted at centrifuges for enriching uranium. The other one appears to target a power plant's turbine.

Two birds with one stone, so to speak... and as it were apparently the gas turbine payload is substantially more complex than the one that targeted the uranium centrifuges.