Schneier on Security
A blog covering security and security technology.
June 1, 2012
Obama's Role in Stuxnet and Iranian Cyberattacks
Really interesting article.
Posted on June 1, 2012 at 1:08 PM
• 40 Comments
Interesting that they have decided it's ok to make this public knowledge (and assuming it wasn't leaked), especially given the tensions as of late. Hint: The country with the #1 offensive capability and the #20 defensive capability should probably not be lobbing grenades.
The fact that the attack was against a nuclear facility may win us some points with Anonymous :-)
Is this the new normal for our world? Major world powers throwing bits instead of bombs? What is the end result?
What happens if one of our neat little tools decides to escape from its geographic cage (again) and infect the infrastructure of the wrong enemy?
As a citizen of the USA and a taxpayer I want these state based attacks to cease immediately before we make another mistake and cause WWIII.
Now that the US admits creating and deploying STUXNET, do you suppose they'll quit using it as the boogeyman of the cyberterrorism threat?
It's because we are nearing the end of an election cycle and this is a very conscious and deliberate attempt to thwart any narrative from the Republican Party that Obama is "soft" when it comes to the military or national defense.
That's why the NYT is writing about it now
Since the Obama administration considers a "cyber attack" an act of war, is Iran now justified in bombing the US ?
I think you pretty much nailed that. And let's not forget the author wants to sell copies of his book too.
@AConcernedCitizen you are either naive or the biggest pussy out there. What do you think the Chinese, Russians, and who knows who else have been doing to us for years? Get informed, get a backbone and let our country fight back, or fight first if need be. Hey wait a minute, is "AConcerenedCitizen" a gamertag for Nancy Pelosi?
Calling someone names? That's really not necessary. Besides, I'm not sure why you have such a negative perspective on pussy but cats can be quite ferocious, especially the biggest ones.
@AConcernedCitizen makes an interesting point worth discussing. Obviously the NYT article has some facts confused and unexplained. For example, why does the US try to take credit for Stuxnet yet admit that changes were made to the code that they were unaware of, which led to it spreading outside their planned target?
What could be more patriotic than a citizen requesting that the federal government stop performing acts of war against sovereign nations.
I say acts of war because this is exactly the kind of action our own government has already declared as acts of war if performed against it.
If we took our infrastructure off the internet and put in some additional layers of protection against critical physical hardware we wouldn't be at risk of external threats.
Doing things because everyone else is already doing them is a life lesson I learned when I was a little kid. It doesn't turn out well, ever.
Encouraging the escalation of state-on-state attacks against incredibly important systems is not a position I'm interested in taking.
@David Scott & @Michael Brady: It's all leaks. There's no admission or decision that it's ok to make it public. There's not a single named source from inside the US government, except for former CIA Director Hayden, who didn't admit anything.
This was not even close to an act of war. It was Cyber Espionage/Sabotage (for simplicity I am going to lump them together). This was NOT Cyber war (ignoring momentarily that "cyberwar" is undefined, or at least as badly defined as "terrorism").
The problem is that everyone wants to use Cyber Attack (bad) and Cyber War (worse). I've commented here, blogged numerous places, and been published in Infosec publications on the Cyber war thing - there are three categories of malicious actors/activities on the internet:
• Piracy/Anarchy – one who fights for other than a sovereign state. These are your Anonymous and Leakis – harass and embarrass. Probably arrested by civilian authorities, though there is some history of military law.
• Criminal – this covers a wide range from simple thieves, bank robbers, and other thugs. They also work to exploit a person's identity or image in addition to financial gain. Criminal activity is normally covered by existing law enforcement and jurisprudence.
• Espionage – spying is spying. Nations do it. Companies do it. International definition and law is quite succinct here also. Mostly arrested by civil authorities, but also some military law may be involved.
Military actions on the internet should be banned, since the internet is entirely civilian. Military and governments put their important assets behind gateways and on isolated, insulated networks. Likewise, the internet is not a territory or sovereign state, nor is it owned by any. It is multi-national. It borders all states. All entities/locations in cyberspace are equally distant and equally connectable (with exception of a few nations, like China and Iran).
About "Cyber Weapons" - again meant to redefine malicious code in a military mode. ANYthing can be weaponized. I wouldn't get too worked up about it - we've been dealing with this for years. The only difference is that these cyber weapons are (in ref Stuxnet) highly targeted. Therefore the dispersion and collateral damage tend to near 0. General malicious code disperses rapidly (e.g. conficker, sql slammer, etc.) and affects everything it infects.
What should we take a position on?
1. Reject militarization of the internet: internet is non-national, and contains no military assets
2. Protect our infrastructures (why is our power plant on the internet?)
3. Internet policing and protection - multi-national InterNetPol guard to inhibit malicious actions, and track and prosecute the bad actors.
@AConcerend... and @ David O: Look guys, in case you've forgotten or don't know, these people in Iran wish nothing but the destruction of the US and Israel (I am not Jewish but I am a big fan of Gabriel Allon). If they could nuke us all right now and get away with it, they wouldn't hesitate. In many ways we ARE at war with them. I say do whatever we can to harass and impede their nuclear plans. In fact, I wouldn't mind a first strike (nuclear or conventional) 1) to keep them from attacking us and 2) just to clear the air about who's got the biggest hammer.
How can one tell whether anything in that article is true?
@brett - a big difference in this case is the attack had a direct physical effect. When you can use computers to kill humans (eg insulin pumps, car control systems), computers become weapons. Also cyber war is more relevant as military hardware becomes more dependent on computers and networks (eg UAVs)
@ Robert Schwartz
"It's all leaks."
My bad. You're right, it's all leaks.
So, now that anonymous sources have leaked fine grain detail of how the US thought about creating and deploying STUXNET do you suppose the administration will quit using it as the boogeyman of the cyberterrorism threat?
There are some interesting parallels between Stuxnet and Aurora. Aurora is the high profile demonstrated attack (60 Minutes and online) physically destroying a generator, whereas Stuxnet destroys centrifuges.
Oversimplified, the Aurora attack works by rapidly opening and closing breakers on about a 15 Hz cycle to drive the generator out of sync with the power grid. Once adequately out of sync, cycling the breaker creates excess torque on the generator and causes it to destruct.
The Stuxnet attack works by causing the centrifuge to rapidly cycle faster, then slower, before returning to normal speeds. This stresses the centrifuge and can cause a similar failure.
Idaho National Lab demonstrated the attack and produced the video. INL also has a research program aimed at cyber attacks against SCADA Systems (SANS SCADA Security Conference presentation 2007). Additionally, INL has a history of building nuclear reactors and building large centrifuges. Finally, INL has previously been reported to be involved in the Stuxnet Code (NY Times)
According to the on screen date stamp, the Aurora video was taken 3/4/2007. The timing is highly coincidental with the timing of the Stuxnet attacks documented as start late in the GW Bush administration.
It is reasonable to assume that at the same time the attacks were being prosecuted in Iran, it is likely that the team recognized there was the same or similar vulnerability in the U.S. power grid and was raising the alarm to prevent similar use of the code against the U.S.
Consider the possibility that the leaks glorifying the Obama administration are politically motivated. Also consider the possibility that Israel, which actually is able to keep secrets, is more deeply involved than the article suggests.
I'm not surprised by this; during the cold war the Americans messed with Soviet radar stations. It's not going to be the exact same people but nonetheless it would still be in the NSA collective consciousness.
Hey Mr. Schneier (and team) forget about stuxnet and save your books, which are available free on flazx.us. No offense, if you can't save your copyright books, then I am sorry to say that you have no rights to publish about attacks on Muslim's soil.
Furthermore, don't ever underestimate Iran's (Persian) power. The graduation gown which you wore on your graduation day was adapted by western nations in recognition to inspirational Persian Scientists (Do some research about it and read some history books as well).
Moreover, cyber war has just started, so don't think your nation and allies won it. Alas, Americans buy your books by paying high cost but wise Iranian and Pakistanis download almost all Americans books free of cost.
Mr. Schneier, do some basic mathematics. If all 300 million Americans started learning dirty cyber attacking tricks by extracting knowledge from your and other authors' books, then will they conquer the world? How about a few clever Iranians or Pakistanis? Don't forget, they have access to all US and allies' resources in some ways. They know your language. Ask yourself a question. Do you know Persian and Urdu? If not then bear in mind that they can reach you and you can't reach them. They know all the dirty tricks. They practice them secretly under different names. Don't ever forget the attacks on the web servers of the FBI, CIA and Home Office of Great Britain. Those are enough lessons for you and your country.
Moreover, you didn't mention the Flame virus. Think about your own computer's security. Are you sure that it was not infected with it? Are you really sure? Think again... and be careful in future.
You owe someone's name on the Liars and Outliers title. I have a quote for you Mr. Schneier aka American Security Guru.
"A wise man is one who learns from the past, who lives for today and who hopes for a better tomorrow".
I believe you are not a wise man.
(P.S: Don't delete this comment if you support freedom of expression).
@Muhammad I can't speak for anyone else, but I don't actually understand whatever it is that you are attempting to convey in your comment. Could you be more plain, perhaps?
@Tateru -- I'm not sure what he's trying to say either, but it's pretty clear he doesn't actually know Bruce.
There's one part of the article that makes me scratch my head - the NSA seemed to know when an Iranian engineer accidentally let stuxnet out. How on earth could they know this unless they were monitoring the internet for signs of a stuxnet attack? That to me seems like an even bigger issue. And even if they did see stuxnet traffic, how would they know how it got out?
@Neil & Tateru The message is clear. That wise men are those who save their own resources first, then point at others. Probably, Muhammad and his team had noticed that for the last few months, schneier.com has been delivering messages of insult on the internet against sovereign Iran. Dudes, use your mind: if America can build weapons of mass destruction for its own sovereignty then why not Iran? Even Schneier didn't leave off pointing a finger at his own country's president. It seems that he is not on the side of Obama's party or that he supports Romney or any other, but that is not the point. The point is, he should do something positive to minimize the gap between his country and the rest of the world rather than doing the opposite.
Don't forget that Stuxnet was badly done (several excellent analyses on the web) and only had a chance at all because the defenders were grossly incompetent.
The thing is that in Industrial Control Systems 101 you learn to have a control unit and a safety unit. Both are physically and logically separate. The safety unit observes and has the right to bring the system into a safe state at any time if something is wrong. Now, spinning faster than maximum is certainly "something wrong".
My take is that the Iranians were operating sensitive and precious equipment without an independent safety unit. That would be grossly incompetent and would have made things very easy for the attackers.
Let's face it, there is no "super-weapon" in there anywhere. Stuxnet was badly developed by semi-competents and only had a chance at all because the defenders were thoroughly incompetent.
@Gweihir, "Now, spinning faster than maximum is certainly "something wrong". "
Except that in ICS Cyber security 101 you design the attack to make the systems do exactly what they are supposed to do, spin or despin, ramp up or ramp down, open or close, all standard parameters of operation for the machines and controls, just out of sync or at the wrong times. Then you just tell the sensors and monitors everything is within parameters. Stuxnet may have exceeded maximum speeds, but not design speeds of the centrifuges, so the machines don't know better. So even if Iranians operate incorrectly as you say, any software code attack would still have the system operating with design parameters, with process parameters exploited to show everything was fine. They are using standard operational procedures against us. We need to open our eyes and put them on our target infrastructure. Trust but verify, a very old adage.
Sooner or later, someone will deploy a similar virus/worm against US assets (maybe nuke plants, maybe something else). As we've seen with Stuxnet & Flame, it's hard to figure out where a virus/worm came from. The question is, what happens then?
StuxNet deliberately faked the sensor data so all monitoring processes would see was perfectly valid output signals. As far as any monitoring software was concerned, the systems were operating exactly as designed the entire time Stuxnet was abusing them. Also, it's my understanding that the centrifuges were not spinning faster than maximum, they were spinning in the range designed to cause the most wear possible, leading to premature failure. There are definitely things they could have done to prevent the attack, but the same attack could likely be applied to almost any industrial system on the planet. It took advantage of loopholes most people don't think about. As NVH said: trust, but verify.
This revelation appears to be part of a systematic pattern of Top Secret leaks to benefit the Obama reelection campaign.
1. Classified details of the Bin Laden hit were leaked to Hollywood producers to speed the production of a movie about it
2. Obama officials apparently disclosed identity of Pakistani doctor who helped locate Bin Laden -- he's now in prison in Pakistan for 33 years
3. "Four senior American diplomats -- most likely in the State Department -- as well as senior intelligence officers appear to have leaked a key military relationship between Azerbaijan and Israel... This leak destroyed any capability of a surprise attack by Israel using these bases. And it came from Obama administration officials..."
4. Hillary Clinton bragging about hacking Al Qaeda websites to counter propaganda
5. Stuxnet, et. al.
Link in signature.
The article mentions that at least some (or all) of the attacks comprising Stuxnet had phone-home capability. It's hardly a stretch to figure that once thousands of computers that were not targeted started phoning home to the Americans and Israelis, they were aware that it had ended up where it shouldn't have. Looking through that data they could probably identify the "patient zero."
All these comments about right or wrong, or the (in)competence of the programmers.
But not a word about what Flame might reveal ... THAT is the most interesting aspect of this news.
I have a bad feeling about trolls in this discussion.
If the use of covert operations (including but not limited to the strategic use of worms and targeted drone assassinations) lowers the total casualty rate on both sides (especially -- but not solely -- the civilian casualty rate), it seems quite sensible to use them. After all, covert operations are often used simply because they tend to be better for both sides than an overt war.
But, I also like the use of worms and drones because both are domains wherein the state is arguably less capable than arbitrary groups of hobbyists. When warfare moves out of domains wherein throwing money or bodies (or corpses) at a problem makes it go away, the state is no longer necessarily more powerful than private affinity groups, because the thing that distinguishes a state from a corporation, mafia, or fan club is primarily the scale of wealth.
"The thing is that in Industrial Control Systems 101 you learn to have a control unit and a safety unit. Both are physically and logically separate."
What they don't teach you in ControlSystems 101 or for that matter later courses is that whilst real systems have a wide bandwidth, most sensing systems sample & average readings thus acting like a low pass filter with quite a low frequency cut off.
Thus if your sensor cut off frequency is around 10Hz (fairly normal) and your malware is actually mucking around up at 50 or 60Hz then there is a reasonably good chance the sensor is not going to see it (this was in effect what Aurora was all about).
For those wondering why these sensors have such a low bandwidth, it's due to the total bandwidth of the upstream processing system and the total number of sensors connected to it. In the case of a centrifuge plant with maybe two to four thousand centrifuges that's a lot of sensors and a very very large cost in upstream processing just to catch an error that had never happened when A.Q. Khan and his Swiss based operatives designed and sold the original designs to Iran and other places (the N.Korean system was based on a slightly different design that Pakistan had done a "technology swap" on for the delivery system technology).
As I've said before the U.S. were very very familiar with the design as they had access to a set of parts that had been seized on their way to Libya (google "AQ Khan Libya wiki" to get some photos of the parts).
This issue of having incorrect bandwidth (or phase) in a feedback system is actually fairly well known in systems design as one of the consequences of getting it wrong is oscillation, or damped oscillation that causes "hunting" in servo loops. There is an old saying in analog electronics about it,
"Oscillators don't and amplifiers do!"
Which is something a lot of digital electronic designers have not heard of let alone encountered.
As was observed by another poster to this blog just the other day some of us Olduns can teach those young upstarts a thing or two :-)
"This issue of having incorrect bandwidth (or phase) in a feedback system is actually fairly well known in systems design as one of the consequences of getting it wrong is oscillation, or damped oscillation that causes "hunting" in servo loops. There is an old saying in analog electronics about it,
"Oscillators don't and amplifiers do!"
Which is something a lot of digital electronic designers have not heard of let alone encountered.
As was observed by another poster to this blog just the other day some of us Olduns can teach those young upstarts a thing or two :-)"
I seem to recall taking a three credit hour course in feedback control back in the '70s. If this is not being taught any more the engineering schools are doing a disservice to their students.
It seems to me that the state is actually quite capable in both drones and worms.
While I get the general idea of your post, I still don't understand what exactly oscillators don't :)
BTW, smoothing/averaging sensor data seems very reasonable to me... unless the fluctuations are not random.
Seems to me the way to kill a turbine or a centrifuge is to cause it to run at a critical speed. Turbines generally run above their 3rd critical, the centrifuges probably above their 10th critical. You don't overspeed the machine, you drop it back to its last critical by changing a sensor constant so it appears to run at the design speed. If that's not how it was done they missed an obvious opportunity.
Among other views, Mike Masnick at Techdirt expressed doubts about a Stuxnet-type attack being applicable to such infrastructure as airliners or power grids; the systems targeted by Stuxnet were highly specific and also had non-trivial vulnerabilities. (For that matter, there is the issue of Stuxnet being used as "proof" in claims of "cyberwar" or "cybersecurity" issues, and official responses that may not be worth the cost.)
"While I get the general idea of your post, I still don't understand what exactly oscillators don't :)"
It's an old design engineers' joke from back in the days when an OC71 was considered exciting....
Basically an oscillator can be viewed as an amplifier with frequency selective feedback, to keep it oscillating. Amplifiers on the other hand usually have NON frequency selective feedback to "flatten the gain" across the required bandwidth.
The joke is when you design an amplifier it was more than likely to oscillate, however try to design an oscillator and it won't oscillate...
Whilst still true of many old "tin top" devices such as the BC109, 2N2222 etc and before transistors most valves, modern devices have such high gain bandwidth products (ft ~6GHz) that the worry these days is not getting them to work as designed but getting the packaging and layout right such that they are not susceptible to interfering signals in the VHF and low microwave frequencies.
A classic issue is when you have a power supply with several protection feedback loops, one for say "over voltage" and another for "over current". Often these are done with "poor man's instrumentation amps" such as an ordinary Op-Amp or Norton Amp, which then get summed together into the series pass element control circuit. The problem is the Op-Amp and Norton Amps will have very different gain bandwidth products. If you get the sensing the wrong way around, as one starts to provide an error signal the other will provide a faster correcting signal in the opposite direction... The result is oscillation, which may or may not be seen at the output. I remember one quite experienced engineer seeing the expected 5V on his multimeter at the output of the series pass device, but seeing 7.5V at the output terminals after a "protection diode" and "low pass filter" and spending some time scratching his head. It only became clear that the output of the series pass device had a nice 150Hz sawtooth oscillation on it which the diode happily peak rectified and the lowpass filter acted as a nice "hold" circuit...
So just to reiterate for "digital era" engineers,
The important thing to remember when designing any kind of device with "feedback" is to ensure that the feedback has sufficient bandwidth to stop erroneous behaviour, either natural or having been induced somehow.
So if you have a motor that will respond to changes at a 50Hz rate and a driver circuit that will change the rate quite happily at 50Hz but the feedback to your control and monitoring station only has a 15Hz bandwidth to speed changes, then all it will see is the "average" speed, not the fastest or slowest, or indeed that it's being changed at all (unless there's a fractional frequency difference between the sampling frequency and sampled frequency that gives the "Wagon Wheel" effect).
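The bandwidth argument in the comment above, and the earlier description of Aurora and Stuxnet cycling a machine at a rate the monitoring never sees, can be checked with a small simulation. This is an added example written for this page, not code from the thread or from any commenter, and every number in it is constructed: a hypothetical drive at 1000 rpm cycled by 200 rpm at 50 Hz, observed once through a sensor that averages over 100 ms (a 10 Hz update, roughly the cutoff the comment calls "fairly normal") and once through a sensor that takes instantaneous samples at 49 Hz. The averaging sensor reports a flat 1000 rpm and never sees the cycling; the 49 Hz sampler sees the full swing but aliased down to a 1 Hz beat, which is the "Wagon Wheel" effect the comment mentions.

```python
import math

# All values are constructed for illustration; they are not measurements from any real plant
# or from the public Stuxnet/Aurora reporting.
NOMINAL_RPM = 1000.0      # steady speed the operator expects to see
SWING_RPM = 200.0         # amplitude of the injected speed cycling
DISTURBANCE_HZ = 50.0     # rate at which the drive is cycled up and down
SIM_RATE_HZ = 10_000      # internal simulation rate, far above every other rate here


def true_speed(t):
    """Speed the machine actually experiences at time t (seconds)."""
    return NOMINAL_RPM + SWING_RPM * math.sin(2 * math.pi * DISTURBANCE_HZ * t)


def averaging_sensor(duration_s, window_s):
    """Sensor that averages the true speed over each window and reports one value per window.

    Averaging over a window T is a low-pass filter: a component at frequency f is scaled by
    |sin(pi*f*T) / (pi*f*T)|, which is zero whenever the window holds a whole number of cycles.
    A 100 ms window (10 Hz update rate) holds exactly five 50 Hz cycles, so the cycling vanishes.
    """
    per_window = int(window_s * SIM_RATE_HZ)
    dt = 1.0 / SIM_RATE_HZ
    readings = []
    for w in range(int(duration_s / window_s)):
        t0 = w * window_s
        readings.append(sum(true_speed(t0 + i * dt) for i in range(per_window)) / per_window)
    return readings


def point_sampling_sensor(duration_s, sample_hz):
    """Sensor that takes an instantaneous reading sample_hz times a second with no averaging.

    Sampling a 50 Hz disturbance at 49 Hz aliases it to a 1 Hz beat (the "wagon wheel" effect):
    the full swing shows up in the readings, but at the wrong frequency.
    """
    return [true_speed(i / sample_hz) for i in range(int(duration_s * sample_hz))]


def peak_to_peak(values):
    """Largest minus smallest value: how much speed variation an observer could notice."""
    return max(values) - min(values)


def compare_sensors(duration_s=2.0):
    """Peak-to-peak rpm seen by the machine, by a 10 Hz averaging sensor, and by a 49 Hz sampler."""
    raw = [true_speed(i / SIM_RATE_HZ) for i in range(int(duration_s * SIM_RATE_HZ))]
    return {
        "machine": peak_to_peak(raw),
        "averaging_10hz": peak_to_peak(averaging_sensor(duration_s, window_s=0.1)),
        "sampled_49hz": peak_to_peak(point_sampling_sensor(duration_s, sample_hz=49.0)),
    }


if __name__ == "__main__":
    for name, swing in compare_sensors().items():
        print(f"{name:>16}: {swing:7.1f} rpm peak-to-peak")
```

The general rule the simulation illustrates is the one in the docstring: an averaging (boxcar) sensor attenuates a disturbance at frequency f by |sin(pi*f*T)/(pi*f*T)| for a window of length T, so any disturbance well above 1/T is invisible to the monitoring station, and a monitoring design that wants to notice rapid cycling needs a channel whose bandwidth is above the rate the drive can actually change at, not merely above the rate of normal operation.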
Now it's way over my head :) Thanks for the explanation!
Forgive my crashing the party. But the chatter seems to be about several aspects, mainly the technological aspects, but also discussing the implications of the State Department's actions - and the implications for Obama's reelection.
I wanted to say that I don't know whether a cyberattack is an act of war when it is against another nation, but that's important - not only that I do not know, but that no one does - yet. If this technology were used on the American people (and I gather from the Wired article that it was, however unintentionally), it would definitely be considered an act of aggression. That it might have been caused by the actions of a foreign ally like Israel makes it highly contentious, and an unthinkably irresponsible breach of security on the part of the US government.
I think when technology, no matter how disassociated it seems from war, has the ability to cause death, it should be considered an act of war. Stuxnet was targeted to specific machinery but we are being told that similar cyberattacks have potential deadly outcomes, when we are warned by alarmist language in new cyber-information gathering laws, laws proposed as part of the government's crusade launched theoretically against hacktivists and online privateers, but more practically against quotidian online privacy.
As such, our hawkish president and electorate are perfectly comfortable not defining the terms around their actions before engaging in them - I am not. There is no harm in a policy delimiting what is an act of aggression and what is not, unless you consider accountability a bad thing. If the government feels I have broken a law, they will have no problem tracking me down despite any lame attempts on my part to remain hidden. Inversely, if we think our government has done something illegal, immoral or unconstitutional, we have to rely on the seditious acts (of whistleblowers or hacktivists) to even be aware of it, never mind stopping or punishing them. And look at what becomes of people who take that route. The rare exception is the timely journalist, like Sanders, who is poised when the propaganda machine decides to change its tune - and trickles out a story like this, as if it's some kind of non-event. 'Yeah, we did it - didn't we say?' The internet is a series of one-way streets that lead to us (assuming the people here identify as users as well as developers and engineers). The cyberworld is policy makers' newest weapon and biggest new market. But for the people carrying out their civic duties, it's a source of information and organization. So, if we love our country, we should not be content to let them foul it up with propaganda, aggression and malware.
In the wake of all this PR about Obama's role in Stuxnet, I'd love to hear the security expert perspective on the trend towards zero pseudonymity / information gathering by the government and its contractors.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.