Schneier on Security

Clive Robinson • January 17, 2011 3:13 PM

The point the artical glosses over is that the US had both P1 and P2 centrfuges they had captured from various activities stoping the stuff getting to Libya etc.

The point is the US had no need to go to Israel and that's where the whole story falls flat on its face...

Clive Robinson • January 17, 2011 4:56 PM

@ many questions,

"... says that the Russian technicians at Bushehr are worried about Stuxnet"

I suspect it's a little lost in translation. The Russian technicians should be rightly worried about a similar worm or virus affecting any PLC system they are using.

Nagering a few centrifuges will not cause an earth shatering issue. However most nuke reactors do not like a lack of cooling etc and can if fritzed such that various safeties and interlocks are removed could potentialy go bad and release radiological contamination in large quantities.

The question is "if" money were to be saved by cutting corners, one place to do it would be in safety systems. A system could be designed to be tolarant of two failures but not say three. However any one who controls the PLC's effectivly controls everything and can induce three faults simultaneously....

Clive Robinson • January 18, 2011 12:39 AM

@ Brian W,

"Given that Stuxnet was so specifically targeted at one single setup (which included a certain number of a certain type of centrifuge controlled by a certain SCADA system), that means whomever designed Stuxnet almost certainly had to have a similar system to design and test it. Especially if i was intended to have a real effect"

And this is the nub of the question that the whole article fails on...

First of the P1 centrifuge developed by AQ Khan from the plans he had stolen was a very unreliable system. It was fraught with many problems one of which was stability in use.

How do we know this?

Because AQ Khan set up his own "sell the atom secrets" company out of Switzerland (Khan Laboratories) to make money. It is said that something like 24 countries bought Khan Labs technology blue prints. We certainly knew that Libya did because it was impounded prior to delivery.

Thus the US actually had working units plus design documents etc to characterize the P1 centrifuge.

We also know that Khan had partialy solved some of the P1 issues in the P2 design.

Now the Israelis developed (supposadly on their own) a cascade system to perform enrichment a long time prior to the Khan P1, the US and others likewise (South Africa supposadly had a vortex design without moving parts that used about 50 times the energy of other more conventional designs).

So getting back to the NY Times article the question arises,

"Why would Israel have a working P1 cascade?"

They didn't need it, they wouldn"t want it in a production system and it would have taken a fair few resources to set up and quite a bit of time

Now we know the Khan P1 centrifuge system was effectivly sold to "Axis of Evil" countries, the US would have the spare resources Israel would ordinarily have lacked to setup a P1 centrifug cascade to test and evaluate it.

The important question that has not been answered is "why would Israel have a working P1 cascade and the US not?".

Unless a rational explanation comes forward the story will fall flat on it's face just like most conspiracy stories.

The apparently most rational explanation is that Israel wanted to build the cascade to identify weaknesses in the system Iran was supposadly using.

But it is both a very expensive and lengthy process, so you have to ask why? what advantage does it give them? to build it as opposed to simulate it?

One answer is that the US paid Israel to do it (possible but unlikely).

Another is Israel had a long term plan to develop a method by which the vulnerabilities of the P1 system could be exploited via either the manufacturing chain or via an info weapon.

But you have to ask why, with Iraq they simply bombed the plant (an act of war), so why not do the same again with Iran?

So is Iran tacticaly to far away from Israel to carry out such an attack? (possibly). Or perhaps Israel lacks the technology to carry out such an attack? (unlikley). Or perhaps is it not politicaly viable to carry out such an attack any longer? (quite likley).

But all that aside why would Israel admit the existance of such a set up to the US what advantage does it give them?

The answers to that are possibly not something either the US or Israel want known.

For instance it raises the possibility of Israel actually being in the driving seat not the US.

Also the fact that the US has effectivly been spying for Israel. That is Siemens prorpriatary information was obtained from Siemens in confidence and the US just handed it over to Israel.

The implications of that are quiet large in that Israel would inherited the title of "knock off capital of the world" from Taiwan except that China threw their weight around to wrest the title from Taiwan.

The effect is that EU companies will increasingly ask themselves should we cooperate with the US if all the US are going to do is hand our trade secrets over to our competitors?

Clive Robinson • January 18, 2011 7:44 AM

@ Davi,

"I'm sure you have found also that Iranians know the story very well."

Not just Iranians, mot in the middle east know about it. Many blaim the fear that the same will happen to their country if the do not aquiesce.

One of the reasons that a number of forward thinking middle east countries are in their current financial crisis is due to knowing the oil is going to run out and when it does they will be just one more asset stripped third world nation.

Iran many be developing nuclear weapons then again it may not, it is currently a viewpoint issue.

What is not at issue is they know that the oil is running out and if they don't have an alternative energy source they are in trouble.

They also know that if they don't also control the whole energy production process from begining to end then they are in the same position they where in 70 years ago.

By the way it is not just the politicians that know and feel this way it is the people as well. Many Iranians support the energy independant stance of the current crop of politicians even if they do not support them in any other way.

Stuxnet and the associated deaths are as far as the Iranians are concerned a direct attack on their sovereignty by Israel and also the US and other coalition incursions into what they see as their teritorial waters and airspace they see as provication on behalf of Israel.

But further they know that the only thing stoping Israel pushing the Palestinians and other nations of the face of the map (a policy started by David Ben Gurian and still seen clearly in Israleli political behaviour) is the fact that they have something the US want's and needs badly oil. And that the US will to a small extent put preasure on Israel.

They belive beyond what you and I would call faith that the US gave Israel the nuclear weapons they currently have which threaten the whole middle east and as far as many arabs are concerned their very existance.

They also know that possession of independent nuclear weapons gets "respect" from the US politicians. They have seen it over and over again (think Russia, China, India, South Africa, Pakistan and more recently North Korea).

If this is a shock to other readers then I suggest they think about things a little, and then realise that the cause of this is blatent consumerism that can only be sustained by access to raw resources at way below market rate.

Then realise what this requirment actually means in "real politiking".

If you are still in. doubt have a look at the history of India and Africa and the likes of "Clive of India" and "Cecil Rhodes".

Oh and then go and look at what the Chinese are currently upto in raw resource rich areas like Africa to see the old game being played in a new way.

Are China a threat to the western world and in particular the US? you can bet on it 100% the battle will be over the control of raw resources. And guess what we are already seeing it in "rare earth metals". The secondary battle will be on energy and the thrid on food and water.

Around about October this year the world population will reach 7billion human beings, we do not currently have the resources to sustain that sort of population and the US style over consumptive lifestyles people aspire to. The west need to pull their collective heads out of the sand and stop thinking "short term" in politics and other asspects of life. The Chinese in particular think not in years or in life times but in generations and plan accordingly. Unless we start thinking the same way then we are going to be in very very serious trouble before our current children become parents let alone grandparents.

The problem though is not knowing this (it's almost self evident today) but knowing what to do about it in a way that is not going to cause serious blowback etc.

Clive Robinson • January 18, 2011 2:32 PM

@ Dirk,

Just to reiterate what I have said from the begining, my money is definitely on the US for Syxnet, without any real involvment from other nations. Based on the simple premise that Iran was not the only or even primary target for stuxnet (my money is still on North Korea for that).

However on the assumption that the NY Times article had even a slight amount of truth with respect to Israel then this actually put's Israel in the driving seat not the US (which is what a number of people believe and they do have a point to some extent if applying Occam's Razzor).

But... Israel has a history of dealing with technical issues either directly (bombing of Iraq) or by assasination of key personnel (which arguably they are continuing to do). So the question arises why the change to cyberwar especialy as common sense would tell anybody who thinks about it that the worm was going to be found and ripped apart publicly (which is what has happened to just about every major worm since the NSA's Chief Scientists son opened Pandora's box and let them slip.

Things in the article neither add up or balance which makes my "hinky detector" say case not proven which then makes me think "spin/cover up".

Clive Robinson • January 19, 2011 5:29 AM

@ rogerh,

"No competent engineer will leave... ...totally under the control of a computer without some form of... ...shutdown implemented in hardware."

I think you are making a couple of assumptions.

The first and biggie is "competent engineer" you tend not to find them on "black projects" which are run by scientists on behalf of the military or state.

There are two obvious reasons the first being keeping the number of people in the know to a minimum, the second is many senior scientists are not nor ever could be engineers due to their temprement. The result is the scientist employ other proto-scientists as technicians to do the menial side of their bidding and rather than the more open engineering approach where problems are brought to the table for group consideration / input a more fawning if not outright sucking up to get the equivalent of tenure.

The second assumption is about how you close the loop.

The problem with spinning a six foot long less than a foot wide aluminium tube well above it's first critical frequency is that you get a very complex control map. This is what held back US UK and French centrifuge design with the result they traded efficiency for reliability and "belt and braces" solutions in the early days.

The only way to get a more efficient design using less mechanicaly critical parts is to do the control loop with a computer of some form, be it from a microcontroler with a built in DSP function through to a full on PLC system. The issue then becomes one of reliability. A good design engineer would look at the issue and from their experiance in such matters and be able to design a system to do the job reliably with a microcontroller.

However a scientist or technician is not going to have the experiance to make a reliable system, thus they will buy in wherever they can as it almost imediatly removes the very thorny issue of designing a very high reliability drive system.

Also a PLC system gives them the ability to experiment and thus tune the system as they go.

Thus the PLC system is a rational solution for a project that is starting from scratch.

However these AQ Khan centrifuges where "bought in" technology. From the point of the seller (Khan Laboratory) they are selling information not physical product (except as production / test prototypes) thus they are not going to want the liability of manufacture and support of despoke control systems. So their best option is via reasonably well available PLC systems.

Thus I'm not saying your general point is incorrect, it's the atypical circumstances of such projects that makes such a solution impractical.

Clive Robinson • January 20, 2011 3:36 AM

@ fbm,

The article you provide a link to neglects a couple of points.

First up is that you would probably want stuxnet to look as much like "Bulgarian hackers code from the 90's" simply to make identification difficult.

Secondly it is sensible when it comes to info weapons to keep it as low tech as required to do the job, just to protect you and your "friendlies".

I would always work on the theory "it will be discovered" if writing such malware especialy if targeted at systems that are essentialy static and due to high rel requirment should be "hot swappable".

And this is the crux, why was it not discovered sooner.

Prudence would sugest you run a "prototype" or "test network" isolated system that you test all upgrades etc befor putting on the live system.

Further prudence would suggest the test network gets installed from original media prior to testing and that disk images/file signitures be taken so you can do the only reliable check for infection on the semi-mutable media (Fully mutable memory viri are harder to find but a similar system can be used.

The fact that the Iranian scientists and technicians appear not to do this is a significant "tell".

And it is something all administrators of networks with high value should take note of. If the man that cuts the cheques won't stump up for such prototype/test systems then make sure you fully document and go find another job because sooner rather than later the systems will be hit. And as we know the man will point the finger at you and your the one that will get roasted due to simple seniority...

Clive Robinson • January 20, 2011 5:19 AM

@ Robert T,

"From what I have seen, all in simulation, this is not a simple motor control problem. Its a complex multi-variable problem"

It's a bit more than complex you have probably found that it is overly sensitive to certain constants and relations to the point of being considered "chaotic" at some points of the multidmensional operating "plane".

As I noted the isssue is mechanicaly over designed and belt and braces control (the 1950's solution), or more sloppy mechanics and higher efficiency by the use of a microcontroler and DSP (the 2010's solution).

"Personally I'd still be trying to control this with dedicated DSP's and H-Bridge motor drives BUT think it is probably even easier to hack the DSP RTOS, than to attack the PLC controller".

Hmm I'd not be too sure on the last bit, RTOS's can be increadably light and if written properly highly secure (Nick P will give some good examples of off the shelf systems if we ask nicely ;).

The main issue would be "issolation with control". Thus the network stack (if not more sensibly done on a non shared comms system) would need to be made very secure, however it is only needed to implement a single control channel so you can strip out most of the stack functionality.

The issue would then be securley implementing the control channel which "micro manages" the mechanical slop and gets the efficiency out of the centrifuge.

In essence you design the default state of operation to be "safe" not efficient and have various know stable points on the control map.

You then allow the external controler to slowly change the operating state to bring the efficiency of operation up (some high performance fighter aircraft systems work in a similar way).

Over and above "passive monitoring" of various parts of the centrifuge, I would also use drive control sensing. That is you use the fact that all transducers are effectivly bidirectional, that is motors are generators and vice versa, and use the "generator" information to determine other dynamics of the system.

[For those that are curious as to how you do this have a look at the simple systems developed for model railways where the DC motor is "chopper driven" (at twice the voltage with a 50% duty cycle). In the "off cycle" the voltage on the supply rail is "sampled" and this information is used to drive the next "on cycle"].

Also one thing I would be very tempted to do would build in a secure hypervisor to monitor the functioning of the sub parts of the system, that at any sign of problems or incorect control information would kick the centrifuge into the inefficient "safe mode" and take it safely to a known state. This of course requires a certain software development methadology, which is not normaly visable in the majortiy of software projects (though you do see it in a few high rel/avail systems).

All in all it is probably less complex than designing the control systems for high performance avionics platforms. So definatly doable.