How Investigators Deciphered Stuxnet
suraj.sun tips a story at Wired that takes an in-depth look into how security researchers tracked down and worked to understand the infamous Stuxnet worm. The article begins:
"It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium. But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran's enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months. The question was, why?"
My first-hand experience with this (Score:5, Interesting)
In 1993, I was working one Saturday at Pacific Data Images in Sunnyvale (who later went on to make such classics as "Shrek", but that's another story). At the time we were one of the leading CG advertising companies in the world.
Anyway, I wandered into the front lobby, and there was a guy there, the husband of the receptionist, that had this very long roll of paper, maybe 20 feet, with an undulating line drawn along it. He was searching up and down along the line for quite some time... well, I couldn't help but ask what it was.
He said that it was the Fourier transform of the power line going into a plant. He and his company were examining the spectrum to see if they could deduce what was going on inside the plant -- if the machines inside the plant would leak substantial information back onto the power line. Anybody with any electrical engineering experience would know that of course this would be true. I said, OK, that's interesting. What do you see in this spectrum?
And he pointed to a little sinc() shaped (kind of sombrero shaped) area at a particular frequency. And then showed the aliases of that at higher frequencies. He said that these were clearly signatures of many six-pole electrical motors running all at almost exactly the same speed. I looked inquisitive, and he said, "you know, like if you had a bunch of uranium gas centrifuges running." I thought about this for a few minutes... and said, "uhm, OK, but we don't use centrifuges to separate uranium", and he said "no, we don't" and left it at that.
Soon, he was back to Iraq, using a ground-penetrating radar he developed to look for buried weapons. I never saw him again.
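The kind of spectral signature the commenter describes, as an added example that is not the commenter's code and not from the Wired article: a constructed power-line waveform (60 Hz mains, a weak third harmonic, a few small rotational components from motors running at nearly the same speed, and noise), a plain DFT with no external libraries, and a peak search that ignores the mains fundamental and its harmonic. Everything numeric is constructed: the 500 Hz sample rate, the motor amplitudes and speeds around 20 Hz, and the assumption that the signature sits at the synchronous speed (slip ignored), which is what lets a 20 Hz line on 60 Hz mains be read as a six-pole machine. The rectangular 2 s window is what gives each tone the sinc-shaped lobe mentioned above. From the defender's side the point is the same one the commenter makes: a shared supply conductor is a side channel, and what the load looks like on it is worth knowing before someone else measures it.

```python
import math
import random

MAINS_HZ = 60.0
FS = 500  # sample rate in Hz (constructed; Nyquist 250 Hz covers the features used here)


def synth_power_line(fs=FS, seconds=2.0,
                     motor_speeds_hz=(19.9, 19.95, 20.0, 20.05),
                     mains_hz=MAINS_HZ, seed=1):
    """Constructed waveform: mains fundamental, a weak third harmonic, one small
    rotational component per motor (phases spread but not cancelling) and noise."""
    rng = random.Random(seed)
    n = int(fs * seconds)
    phases = [0.3 * k for k in range(len(motor_speeds_hz))]
    samples = []
    for i in range(n):
        t = i / fs
        v = math.sin(2 * math.pi * mains_hz * t)
        v += 0.1 * math.sin(2 * math.pi * 3 * mains_hz * t)
        for f, ph in zip(motor_speeds_hz, phases):
            v += 0.05 * math.sin(2 * math.pi * f * t + ph)
        v += rng.gauss(0.0, 0.02)
        samples.append(v)
    return samples


def dft_magnitude(samples, fs):
    """Single-sided amplitude spectrum by direct DFT (slow but dependency-free).
    Returns [(frequency_hz, amplitude), ...] for bins 0..N/2."""
    n = len(samples)
    bins = []
    for k in range(n // 2 + 1):
        re = im = 0.0
        for i, x in enumerate(samples):
            ang = 2 * math.pi * k * i / n
            re += x * math.cos(ang)
            im -= x * math.sin(ang)
        bins.append((k * fs / n, 2.0 * math.hypot(re, im) / n))
    return bins


def find_peaks(bins, exclude_hz=(), tolerance_hz=1.0, min_amplitude=0.02):
    """Local maxima above a floor, skipping bins near known sources
    (mains and its harmonics), strongest first."""
    peaks = []
    for i in range(1, len(bins) - 1):
        f, a = bins[i]
        if a < min_amplitude:
            continue
        if any(abs(f - e) <= tolerance_hz for e in exclude_hz):
            continue
        if a >= bins[i - 1][1] and a >= bins[i + 1][1]:
            peaks.append((f, a))
    return sorted(peaks, key=lambda p: p[1], reverse=True)


def infer_pole_count(rotation_hz, mains_hz=MAINS_HZ):
    """An induction motor's synchronous speed is 2*f_mains/poles revolutions per
    second, so a signature at rotation_hz suggests poles = 2*f_mains/rotation_hz.
    Assumption: the line sits at synchronous speed (slip ignored)."""
    return round(2 * mains_hz / rotation_hz)


if __name__ == "__main__":
    spectrum = dft_magnitude(synth_power_line(), FS)
    for f, a in find_peaks(spectrum, exclude_hz=(MAINS_HZ, 3 * MAINS_HZ))[:3]:
        print(f"{f:6.1f} Hz  amplitude {a:.3f}  "
              f"~{infer_pole_count(f)}-pole motors at synchronous speed")
```

With the constructed input the strongest non-mains line lands in the 20 Hz bin and `infer_pole_count` reads it as six poles; with `motor_speeds_hz=()` the same search returns nothing, which is the control a practitioner would run before trusting the detector.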
Malicious use of a PLC (Score:2, Interesting)
This article was a great read; it reminded me of my own first-hand experience with a time bomb planted in PLC code.
The company I was working for at the time manufactured hydraulic presses; the newest one, installed at a long-time customer, included a touch screen control system running WinCE that was front-ending a PLC to control the machine. We had contracted out the development work on the control system, and the owner of the company ended up in a billing dispute with the contractor just as the machine was being brought online. In the days before the dispute came to a head, the contractor had been on-site at the customer "making minor improvements to the interface based on customer feedback".
One day the customer calls and says: "Our brand new hydraulic press has stopped working and the control system guy says he can't fix it until you pay him." After the owner of the company was done swearing at the contractor on the phone and literally kicking a hole in his office door, he calls me in and tells me he needs me to go over to the customer and "undo whatever that a**hole did".
I had a basic understanding of PLC programming and access to a prior version of the touch screen interface and PLC code. It took a few hours of scanning both sets of code by hand on-site at the customer, but I located the very basic checks for system date in the touch screen interface code which would set a value that the PLC would read and trigger a safety interlock which effectively disabled the machine's function. This was easily remedied once discovered.
It was a slightly stressful experience for me as I had no input on this control system until the day it was disabled and I was on the spot to fix it. Once it was resolved, I was quite happy.
I'm pretty sure the billing dispute ended up going to the lawyers.
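The two checks the commenter did by hand, as an added example that is not the commenter's code: compare the prior and latest versions of the interface logic and flag every added line that consults the date or clock, then run the logic with an injected clock advanced day by day to find when the PLC-side interlock would trip. The two HMI "screen scripts" are constructed Python stand-ins for whatever the real WinCE front end ran, the tag names (`START`, `HAND_L`, `HAND_R`, `PRESS_ENABLE`, `SAFETY_FAULT`), the toy PLC rung and the trip date are all placeholders, and the `TIME_API` pattern is a starting list, not an exhaustive one.

```python
import difflib
import re
from datetime import date, timedelta

# Constructed sample: two versions of a greatly simplified HMI screen script,
# kept as text so they can be diffed the way the commenter compared the two
# code sets. The trip date below is a placeholder, not one from the story.
HMI_PRIOR = '''\
def press_cycle(tags, clock):
    # Cycle only when START is pressed with both hands on the two-hand control.
    if tags["START"] and tags["HAND_L"] and tags["HAND_R"]:
        tags["PRESS_ENABLE"] = 1
    else:
        tags["PRESS_ENABLE"] = 0
    return tags
'''

HMI_LATEST = '''\
def press_cycle(tags, clock):
    # Cycle only when START is pressed with both hands on the two-hand control.
    if tags["START"] and tags["HAND_L"] and tags["HAND_R"]:
        tags["PRESS_ENABLE"] = 1
    else:
        tags["PRESS_ENABLE"] = 0
    if clock.today() >= date(2003, 5, 1):  # "minor interface improvement"
        tags["SAFETY_FAULT"] = 1
    return tags
'''

# Names that mean the logic is looking at the calendar or the clock.
TIME_API = re.compile(r"\b(date|datetime|time|today|now|clock|GetSystemTime|GetLocalTime)\b")


def added_clock_logic(prior_src, latest_src):
    """Lines new in the latest version that touch the date or clock. A press
    has no business consulting the calendar, so these are read by hand first."""
    findings = []
    diff = difflib.unified_diff(prior_src.splitlines(), latest_src.splitlines(),
                                lineterm="", n=0)
    for line in diff:
        if line.startswith("+") and not line.startswith("+++") and TIME_API.search(line):
            findings.append(line[1:].strip())
    return findings


class FixedClock:
    """Injectable clock so the screen logic can be exercised on any date."""

    def __init__(self, d):
        self._d = d

    def today(self):
        return self._d


def load_screen_logic(src):
    """Load one of the constructed scripts above into its own namespace."""
    ns = {"date": date}
    exec(src, ns)
    return ns["press_cycle"]


def plc_interlock_tripped(tags):
    """Toy PLC rung (assumption): an HMI-written SAFETY_FAULT latches the
    interlock, which overrides PRESS_ENABLE and disables the machine."""
    return bool(tags.get("SAFETY_FAULT", 0))


def first_trip_date(src, start, days):
    """Time-travel test: run the HMI logic once per day with a normal operator
    input and report the first day the interlock would trip, or None."""
    logic = load_screen_logic(src)
    for i in range(days):
        d = start + timedelta(days=i)
        tags = {"START": 1, "HAND_L": 1, "HAND_R": 1, "SAFETY_FAULT": 0}
        if plc_interlock_tripped(logic(tags, FixedClock(d))):
            return d
    return None


if __name__ == "__main__":
    for line in added_clock_logic(HMI_PRIOR, HMI_LATEST):
        print("review:", line)
    print("prior version trips on:", first_trip_date(HMI_PRIOR, date(2003, 1, 1), 365))
    print("latest version trips on:", first_trip_date(HMI_LATEST, date(2003, 1, 1), 365))
```

The diff check is cheap and catches the obvious case; the clock-injection run is the one that also catches logic the pattern list misses, because it asks the machine what it would do next month instead of asking the source what it looks like. Either way the fix is the one the commenter applied: remove the date-dependent write and keep the interlock driven only by real safety inputs.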