Stuxnet revisited – perspectives on a game changer

The Stuxnet malware was discovered back in June 2010. It is highly probable that it was a joint initiative by State actors (USA and Israel) aimed at setting back the Iranian nuclear facility. The malware was a worm that spread among PCs, searching for those running supervisory control and data acquisition (SCADA) software used to program a particular Siemens programmable logic controller (PLC), one that was known to operate the centrifuges in Iran’s uranium enrichment plant.

Nuclear Scientist 101: A quick lesson in uranium enrichment
Enriched uranium, which has a higher proportion of the light Uranium-235 isotope, is required for a nuclear reaction. Uranium enrichment is the process of increasing the concentration of the lighter uranium-235 isotope above that found in naturally occurring uranium. Uranium in gas form is fed into a centrifuge, a machine similar to a washing machine which spins at very high revolutions. As it spins, the heavier isotopes fall to the bottom while the lighter ones rise. The lighter isotopes are siphoned from the top and enter another centrifuge, where the process is repeated, improving the concentration of U-235 at each stage. A large number of these centrifuges are arranged in series to produce uranium of the required quality.

What Stuxnet did
Stuxnet infiltrated the PLCs that control the centrifuges. It caused the centrifuges to spin faster and faster, while sending false readings to the monitoring displays watched by the operators. The plant operator was under the impression that things were running smoothly; meanwhile the centrifuge was red-lining and spinning itself to destruction.
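As an added example (not from the original post), the two checks a defender would want against the behaviour described above: cross-checking the speed shown to operators against an independent physical signal, and spotting when the operator display is being fed a replay of recorded "normal" readings. The cubic speed-to-power plant model, the out-of-band power meter and the sample timeline are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Sample:
    t: int           # seconds into the constructed timeline
    hmi_rpm: float   # speed the PLC reports to the operator display
    power_w: float   # drive power from an assumed independent, out-of-band meter


def expected_power(rpm: float) -> float:
    # Assumed plant model for the example: drive power grows with the cube of speed.
    return 0.5 * (rpm / 1000.0) ** 3


def detect_divergence(samples: List[Sample], tolerance: float = 0.25) -> List[int]:
    """Return timestamps where the independent power reading disagrees with the
    speed shown to the operator by more than `tolerance` (fraction of expected)."""
    alerts = []
    for s in samples:
        expected = expected_power(s.hmi_rpm)
        if abs(s.power_w - expected) > tolerance * expected:
            alerts.append(s.t)
    return alerts


def detect_replay(samples: List[Sample], window: int = 5) -> List[int]:
    """Return timestamps where the reported-speed stream exactly repeats an earlier,
    non-overlapping window: a sign that recorded 'normal' data is being replayed."""
    values = [s.hmi_rpm for s in samples]
    first_seen = {}
    alerts = []
    for i in range(len(values) - window + 1):
        key = tuple(values[i:i + window])
        if key in first_seen and first_seen[key] + window <= i:
            alerts.append(samples[i].t)
        else:
            first_seen.setdefault(key, i)
    return alerts


# Constructed timeline: six normal seconds, then six seconds in which the true
# speed climbs while the display keeps receiving the recorded normal readings.
NORMAL = [1000.0, 1002.0, 998.0, 1001.0, 999.0, 1003.0]
TRUE_RPM = NORMAL + [1200.0, 1300.0, 1400.0, 1500.0, 1600.0, 1700.0]
HMI_RPM = NORMAL + NORMAL
SAMPLES = [Sample(t, HMI_RPM[t], expected_power(TRUE_RPM[t])) for t in range(12)]

if __name__ == "__main__":
    print("speed/power mismatch at t =", detect_divergence(SAMPLES))
    print("replayed readings at t =", detect_replay(SAMPLES))
```

The two checks are complementary: the first needs a sensor the PLC cannot alter, the second needs no plant model at all, only the history of what the display was shown.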

The reasons why Stuxnet was a game changer
Stuxnet had a number of unique aspects. It contained 4 zero-day exploits in some very well-written code. However, the aspects that made the malware a game changer were:
a) Stuxnet caused damage to a physical asset outside of the PC. In this it was highly effective – reportedly destroying 1,000 centrifuges in the Iranian plant.
b) Stuxnet was malware developed by State actors.
c) Stuxnet provided proof of concept of the value of malware in cyber warfare. If malware can destroy components in an enrichment facility, imagine what can be done to communication systems and military weapons.

The downside
Whilst it was very successful in setting back the Iranian nuclear programme by several years, the problem with releasing malware such as Stuxnet into the wild is that it represents a blueprint that anyone conversant in machine language can reverse-engineer. The knowledge thus gained about the methods used by Stuxnet can then be employed by others to target our critical infrastructure: water systems, power plants, transport systems, communication systems.

Variants of Stuxnet
Since its discovery, an earlier variant of Stuxnet (version 0.5) has been found. This earlier version was released around 2007 and was designed to control the input/output valves on a uranium enrichment centrifuge, rather than the spin rate. The Flame malware was a precursor of Stuxnet. Its purpose was to spy: Flame searched for keywords in PDFs and silently reported the results to a command and control (C&C) server. Flame could infect a PC through the Windows update process, a very sophisticated method which must have involved cracking Microsoft’s encryption. The Gauss malware also had spying as its purpose; Gauss targeted Lebanese bank customers. The Duqu malware was created from the same code base as Stuxnet and was designed for information theft.

Going forward
Critical infrastructure in the West is now under constant attack. Protections and safeguards in SCADA systems and PLCs need to be upgraded.

Perhaps State actors can be relied upon to act with some degree of responsibility. For example, Stuxnet targeted the uranium enrichment plant; it did not cause the meltdown of a nuclear reactor. Nation states face the potential of UN repercussions for proven actions, which may in some cases provide some incentive for responsibility. Smaller, non-state actors, such as terrorist groups, do not have this limiting factor. The concern is that we need to protect against all scenarios, including the deliberate meltdown of a nuclear power plant.

Nation states need to decide how to react to cyber attack. What are the implications of the US/Israel attack on Iran? Is it, in effect, a declaration of war? Can Iran legitimately respond with cyber attacks on US/Israeli facilities? Can they legitimately respond with other weapons? Post-Stuxnet, a new paradigm exists for the world.
