Stuxnet

Over the past couple of decades, the increasing dependence on information technologies has led to a relatively new form of security threat – cyber-attacks. Numerous advantages of the attackers in cyber space and a lack of attribution and awareness has resulted in an increasing number of aggressive operations in the digital realm. Contrary to the beliefs of many, cyber security is not exclusively a technical issue but also a matter of politics and economics. We can observe an increasing number cyber warfare policies in the international realm, which increases the pressure to establish rules of governance in cyber space. The following essay will be concerned with the Stuxnet worm and its role in Operation Olympic Games, which targeted the Iranian nuclear power plant Natanz. The analyses will provide an overview of the attack, including technical comprehension of the attack, and also looks at the attack in term of its political consequences.

The first section will discuss the origins of the attack, building on Ralph Langner’s article published in ‘IEEE Software’. Even though numerous cyber offences took place before, it will explain what made Stuxnet stand out. The second part of the essay analyses the political perspective of the attack and two competing theories explaining the presence of malware in the nuclear facilities. The following section analyses the role of cyber warfare as viable military strategy. It will be argued that cyber offences appear to be more applicable as an offensive rather than defensive strategy, due to the attacker’s advantage. The last part of the essay will discuss if it is possible to prevent an advanced persistent attack like Stuxnet.

Origins of the attacks Since the 1980’s, Iran’s nuclear power program has been continuously questioned by the International Energy Agency as well as the United Nations and the international community; mainly the U.S and Israel. The discovery of the computer worm in the Iranian nuclear power plant facility challenged the perception of cyber capabilities in the physical realm worldwide. In 2007 the international community learned about the existence of the Iranian nuclear power facility Natanz. Policy makers immediately began questioning the purpose of Natanz, which was producing enriched uranium. Even though Iran continuously claimed that it was not developing a nuclear weapon, the international community remained rather sceptical. High political stakes and the absence of any financial profit from the resulting cyber-attack indicate that the origins of Operation Olympic Games were mostly political. Both technical and political analyses are therefore equally important. The role of Stuxnet in Natanz was to compromise the process of uranium enrichment by targeting computers controlling the productivity of centrifuges. The goal of Operation Olympic Games was to prevent a war between Iran and Israel. The virus was able to carry out a zero-day attack due to the vulnerability in the Windows system, lack of awareness in this type of attack, and a fake security certificate.
One of the main questions that Stuxnet presents is, “How was the worm delivered to the nuclear facility?” Even though Ralph Langner mentions the USB delivery technique on his article, he does not further elaborate on how the virus was delivered. The challenge was that Natanz’s systems ran in a so-called ‘air gapped’ environment meaning it was an environment that was not connected to the internet or any other outside networks. The most feasible theory states that the virus was delivered via a USB key, as a result of sophisticated social engineering likely to be organized through state secret services. Once Stuxnet was in the system it was able to collect information on how the plant’s computers were configured and transmit that data back to the intelligence agencies. The data was used to design a “worm” that could effectively locate targeted PLC (programmable logic controlled) controllers via lateral movements in the network and take control of them. The level of Stuxnet’s sophistication can be seen through the complexity of the code as the malware was designed to target only two types of PLC Siemens controllers. Researchers pointed out that the level of intelligence and resources needed for designing such a virus clearly points to an involvement of a state with the U.S and Israel being the prime suspects.
Ralph Langner analysed the attacks on the two types of PLC controllers targeted by the virus. In the attack on PLC 315 the legitimate code was paused for a period of time while the attack on PLC 417 interrupted the communication between the legitimate controller and turbines, and provided the legitimate program with fake data. The virus was designed to only be triggered by very specific settings identifying the controllers. For example, the virus would only act if “a PLC is attached to 33 or more frequency converter drives—devices used to control the speed of certain equipment (i.e., the rpms of a motor)”. (Falliere, 2010) Stuxnet also sets a specific registry value of “19790509” to alert new copies of Stuxnet that the computer has already been infected. (Schneider, 2010) Interestingly Stuxnet did not manipulate with the data in Windows or any other system; it only went after the targeted controllers. The Stuxnet attack can be classified as a sort of man-in-the-middle-attack since the main attack was to compromise the communication between the legitimate controller and the control program.
Security firms have two main theories explaining the presence of Stuxnet in Natanz. The first theory is based on the findings of security companies Symantec and ISIS and focuses on Stuxnet’s short-term effects. The first theory argues that the ultimate goal of the operation against the Iranian nuclear plant was to slow down the process of uranium enrichments. Stuxnet was able to damage approximately 1000 of the turbines, which had to be consequently replaced. Advocates of the first theory therefore stress that the replacement of the turbines directly contribute to “Iran delaying the expansion of its enrichment operations.” (Albright, 2010) As a result Stuxnet succeeded in its goal as it had direct impact on Iran’s nuclear programme. The second theory argues that Stuxnet was not simply designed to damage centrifuges in a short term, but to cause relatively small damage that would be noticed only after a period of time. The second theory is supported by the fact that Stuxnet’s presence in Natanz was discreet, as it did not dramatically change the fake data. The virus was in the Natanz’s network for years and no one had noticed. Attackers must have been aware that the disruption of Iranian nuclear program would be a multi-year campaign. The second theory appears to be more convincing than the first theory because the attackers were likely to design Stuxnet as a long-term campaign as they must have invested significant resources and intelligence gathering over a period of time to develop the malware.
The unique design of this worm makes Stuxnet a perfect example of the type of cyber-attack referred to as Advanced Persistent Threat (APT). “It is the first virus that was designed to achieve a kinetic effect. It was not designed to steal data or to deny access. It was designed to manipulate an industrial control system to operate outside its intended instructions. Someone had the intent to weaponize a virus.” (Hopkins, 2011) The natural question follows, “Who was behind the attack?” As mentioned previously, the lack of financial profit, high political interest and the amount of resources and intelligence invested in the design of Stuxnet clearly point to the involvement of an advanced state. When approached on the matter, Israel and the US did not confirm or deny any involvement in the development of this worm. Both states have strong political motivation to stop Iran from pursuing its nuclear program. The use of weaponized code by Israel and the US resulted in an important debate on the viability of cyber offences as part of military strategies. Cyber warfare
Cyber space is now perceived to be the 5th military domain after land, air, sea, and space. China’s recent admissions to their cyber army, and ongoing establishments of cyber army units around the world demonstrate that cyber space has become a prominent battlefront. Cyber warfare is becoming an increasingly viable military strategy due to its numerous advantages as compared to kinetic warfare. Operations in digital space are cheaper not only in monetary terms but also in human lives. If both cyber and kinetic attacks are able to destroy the target, the natural choice would be to destroy the target via cyber space and avoid the risks that come with operations in physical realm. However, despite Stuxnet’s capability to create a kinetic effect, cyber-attacks still appear to have limited direct effects. Digital offences should be therefore not seen as an end but as an influential means to create a military advantage for campaigns.
Cyber warfare appears to be more applicable in terms of an offensive rather than defensive military strategy. Defence in cyber space is difficult because attackers often exploit zero-day vulnerabilities, like in the case of Stuxnet. If the vulnerability is not yet discovered, an attack exploiting such a vulnerability cannot simply be prevented. In terms of proactive defence strategies such as deterrence, cyber-attacks do not appear to be a strong deterrent despite its destructive potential. Moreover the lack of attribution in cyber space blurry the line between adversaries. Offensive strategies are more viable as the side carrying out an attack tend to have the advantage. There are several factors that strengthen an attacker’s advantage including growing dependence on information technologies, rise of social media, interconnectivity, and anonymity on the Internet. In cyber space the attackers appear to be one step ahead of its targets and cyber security measures are often only reactive. The main obstacle to digital warfare as offence and defence strategies is the anonymity of the attacker resulting in the lack of attribution. Proxy servers, VPNs and numerous other means allow attackers to stay anonymous, which creates a problem when it comes to prosecuting the aggressors. If an attacker does not fear punishment for his actions he is unlikely to stop malicious activities. The attribution problem is also linked to the fact that cyber-attacks take place in a legally grey area, due to the lack of cooperation between states. As a result, the problem of attribution of cyber-attacks is both a political and technical matter.
How to prevent a cyber-attack
Even though states are eager to protect their assets and critical infrastructures, it is impossible to prevent an attack. If an attacker has significant amount of resources including information gathering, time, and money, nothing will stop an attacker. Computer viruses can be to some extent compared to a normal virus, in sense that if a person is constantly exposed to a flu virus he will eventually get flu. The only thing he can do is to take steps to decrease the chances and mitigate the effects of the disease. Similarly with cyber-attacks, security measures needs to be taken to decrease the chances of a breach. If the security measures are strong enough or they appear to be too time-consuming or complicated, many attackers are likely to move on to another target. However APT attacks are called ‘persistent’ because the attackers are willing to sacrifice significant amount of resources in order to succeed.
In the case of Stuxnet, the virus additionally exploited the previously unknown vulnerability of Natanz’s SCADA (supervisory control and data acquisition) system. Langner points out that the vulnerability is inherent to the Windows system and cannot be simply patched, which shows that the attack could not have been prevented. The best strategy is therefore to be prepared for an attack and have a plan in order to mitigate the damage. Physical users are the weakest link and the easiest point of entry for an attacker. The Stuxnet virus was delivered through a USB stick, which was likely introduced to the computer by an employee. The mistake of an individual in Natanz resulted in a security debate at an international level. Personnel have to therefore be trained to recognize malicious social engineering tactics. When it comes to risk mitigation, one of the key factors is the time of the breach discovery. Stuxnet has possibly been in the Iranian nuclear power plant for numerous years, which eventually lead to the destruction of over 1000 turbines. Clearly, if Stuxnet was discovered sooner, it may have been averted. As a result, companies should be closely monitoring the actions on their networks in order to recognize a breach.
To conclude, the discovery of the Stuxnet worm confirmed that weaponized code can cause the destruction of a physical asset. “After the cyber-attacks on Estonia in 2007 and Georgia in 2008, Stuxnet can be perceived as another cyber security wake-up call to the international community.” (Summer, 2012) States need to cooperate in order to improve the attribution in cyber space because cyber warfare is becoming increasingly popular in terms of military strategy. The essay argued that cyber warfare is more viable as an offensive rather than defensive strategy due the attacker’s advantage. Cyber-attacks alone are still perceived to be rather limited in their effects and more destructive only when connected to a kinetic campaign.
Stuxnet as an APT attack exploiting previously unknown computer vulnerability could not be prevented. In case of advanced cyber-attacks the best strategy for states and companies is to mitigate the damage of those attacks. Societies should enhance their cyber security awareness to prevent and mitigate future cyber offences. The cyber awareness must however start with realization that every single individual with an electronic device is now a threat.

Works Cited
Albright, D. P. (2010, December 22). Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment. Retrieved from Institute for Sciense and International Security: http://isis-online.org/isis-reports/detail/did-stuxnet-take-out-1000-centrifuges-at-the-natanz-enrichment-plant/
Falliere, N. (2010, September 21). Exploring Stuxnet’s PLC Infection Process. Retrieved from Symantec: http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process
Hopkins, N. (2011, May 30). Stuxnet attack forced Britain to rethink the cyber war. Retrieved from The Guardian: http://www.theguardian.com/politics/2011/may/30/stuxnet-attack-cyber-war-iran
Schneider, B. (2010, October 07). The Story behind the Stuxnet Virux. Retrieved from Forbes: http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-stuxnet-worm.html
Summer. (2012). Cyber Security without Cyber War. Journal of Conflict and Security Law, 187 - 209. Retrieved from Oxford Journals.

Similar Documents

Stuxnet Worm

Stuxnet Virus

Term Paper on Stuxnet

Brief for the New Cso, Which Will Provide Her with the Basics of Cyber Security, Acquaints Her with the Current Threats Facing Your Organization's Data Infrastructure, and the Legal Issues Related to Protecting the Enterprise.

Security Threats

Nt1310 Unit 3 Assignment 1

Vanity Fair in Cyberwar

Csec 620 Ia

None

Cyber Warfare

Nt1310 Unit 5 Assignment 1

Security in the News

Information Tech

Lab2

Assignment

Popular Essays