Forgot your password?
typodupeerror
Security Government

Researcher Offers New Perspective On Stuxnet-Wielding Sabotage Program 46

Posted by timothy
from the back-then-we-tied-an-onion-to-our-belts dept.
An anonymous reader writes with this excerpt from Help Net Security: "Stuxnet, the malware that rocket the security world and the first recorded cyber weapon, has an older and more complex 'sibling' that was also aimed at disrupting the functioning of Iran's uranium enrichment facility at Natanz, but whose modus operandi was different. The claim was made by well-known German control system security expert and consultant Ralph Langner, who has been analyzing Stuxnet since the moment its existence was first discovered. He pointed out that in order to known how to secure industrial control systems, we need to know what actually happened, and in order to do that, we need to understand all the layers of the attack (IT, ICS, and physical), and be acquainted with the actual situation of all these layers as they were at the time of the attack."
This discussion has been archived. No new comments can be posted.

Researcher Offers New Perspective On Stuxnet-Wielding Sabotage Program

Comments Filter:
  • by digitalPhant0m (1424687) on Thursday November 21, 2013 @12:16PM (#45482585)

    Stuxnet, the malware that rocket

    I didn't know it was airborne.

  • by Anonymous Coward

    A grammar nazi dies everytime someone reads TFS

  • Was this put through Google translator? I almost choked on my lunch trying to reach through this.
  • Proof read? (Score:5, Informative)

    by Anonymous Coward on Thursday November 21, 2013 @12:26PM (#45482655)

    They should proof read these posts. It's been bad lately. Good subjects, just makes it hard to read. the malware that "rocket" -> "rocked"

    • Re:Proof read? (Score:4, Interesting)

      by Zontar_Thing_From_Ve (949321) on Thursday November 21, 2013 @01:46PM (#45483459)

      They should proof read these posts. It's been bad lately. Good subjects, just makes it hard to read. the malware that "rocket" -> "rocked"

      You have a good point, but at least it's better than all those people who can't read properly and post articles in a panic saying "This article says X!" when in fact the article says "not X". We can figure out that "rocket" is a bad word choice and get around that but it really sucks when people claim and article says the exact opposite of what it really says because then we get tons of comments about how bad X is and how they can't believe that someone would actually do that and then a few posts follow up (and mostly get ignored) telling people to actually read the article where it is actually against X, so the submitter blew it. It seems to me that quite often about 90% of the posters never read the article in the links, so when the idiot submitter misrepresents what he submitted, that becomes what the article is about in the minds of most people here.

    • by jiadran (1198763)

      Well, the document (from which TFS is extracted) was written by a non-native English speaker (Ralph Langner, who is German). Interestingly, I note that as a non-native English speaker myself I make a number of mistakes that Americans find particularly annoying (this post is probably full of them), while at the same time I have difficulties reading comments with typical American mistakes (theirs / there's, then / than, he's / his, etc.). I think that native-English speakers rely more on how it sounds, while

  • by Chas (5144)

    Hyperbole AND bad grasp of grammar!

    Really wants to make me keep reading...

    *Austin Powers* Really?

    *Doctor Evil* No. Not really.

  • by cold fjord (826450) on Thursday November 21, 2013 @12:42PM (#45482803)

    “Stuxnet is a low-yield weapon with the overall intention to reduce the lifetime of Iran’s centrifuges and make their fancy control systems appear beyond their understanding,” he says, and estimates that the Stuxnet set back the Iranian nuclear program by over two years.

    Interesting description - "low-yield"

    That is a rather different take on it given the uproar over it.

    • by semi-extrinsic (1997002) <asmunder.stud@ntnu@no> on Thursday November 21, 2013 @01:28PM (#45483257)
      Well, what would you say high yield is? I can't bring myself to call a US cyber weapon "high yield" unless it destroys or disables infrastructure on a large cale. Bonus points for egg on faces in Riyadh.

      The reason it has gotten so much attention is the same reason the F117 got a huge amount of press even though it's practically useless.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        I do think the F117 was highly effective in taking out lots of strategic targets in Iraq. Pilots tend to be more precise when they know the SA-5 missiles cannot hit them. Actually, it was the most effective air weapons system until the Iraqi integrated air defence system had been destroyed. And that was done in no small part by the F117s.

    • by plover (150551)

      High yield would have been if it had destroyed the Busheshr reactor, as has been speculated one of the stuxnet payloads would do. The attack was supposed to open the steam valves on the main turbine shaft, while the temperature, pressure, and RPM sensors would continue to play back a recorded loop of pre-attack readings to disguise the failure.

      It would have been a spectacular disaster. Running a 75 foot turbine shaft at wide-open full steam was predicted to be able to cause an explosion as large as a 1 ton

    • I think "low yield" was referring to the nature of the over-pressure attack (vs. the rotor speed attack). Or, that things could have been orchestrated to damage/disable all centrifuges at one time [which would have been detected] instead of just increasing the failure rate [which, as Langner pointed out, would confuse/confound the Iranian engineers].

      Langner talks a lot about avoiding detection circa 2007 but that being less of a concern in 2009 [e.g. "now that the program has achieved its objectives, let's

    • The choice regarding Iran may be between one new Chernobyl versus one or more new Hiroshimas. I doubt Iran will settle for less.

  • by jbmartin6 (1232050) on Thursday November 21, 2013 @01:48PM (#45483485)

    in order to known how to secure industrial control systems, we need to know what actually happened

    False, we don't need to know everything bad that ever happened in order to secure a system.

  • Change of tactics (Score:4, Interesting)

    by jiadran (1198763) on Thursday November 21, 2013 @03:34PM (#45484569)

    I know I shouldn't have, but I read the whole document and it's really interesting. Langner thinks that the tactics (and probably the team as well) changed over time. Based on his observations I propose the following (conspiracy) theory:

    The attacks on the enrichment plants have been going on much longer than anyone so far claims, maybe since the beginning. That's why Iran's progress was so much slower than what the Pakistany managed to do (the first generation centrifigues are supposedly extremely tricky). Instead of discovering the initial attack (described in the document), the Iranian's compensated for the seemingly random problems by including additional control measures not present in the design from Pakistan: shut-off valves to quickly isolate a malfunctioning centrifuge and over-pressure valves. It took them ten years instead of the two years of the Pakistany, but they still managed to get enrichement started. Maybe with their added failure-tolerant design the original attacks didn't work anymore, or there was a leadership change (as Langner speculates). Maybe the Iranian's suspected something and changed procedures also for contractors and workers (Langner thinks that the initial attack was with direct access to the system while the later attack had to somehow find a way in). Maybe then the initial team was the Israelis who wanted to remain hidden, and when their approach didn't work anymore they asked the Americans for help who used the NSA's attack library for a way accros the air gap. The Americans would probably also be less worried about remaining hidden and maybe actively wanted to send a message.

    Altought admittely pure speculation, I think this scenario fits the known facts and observations. I'm curious to see what you think of this ;-)

  • Remember that captured drone in Iran?
    What if someone had 'accidentally' left a click drive on it?
    The Iranian researchers would probably send it to their most secure facility in order to study it.
    That's one way around a secure air gap ;-)

"You need tender loving care once a week - so that I can slap you into shape." - Ellyn Mustard

Working...