As the worm turns ~ malevolent software hits Iran

By Dan Yurman

In July 2010 a software worm, which is malevolent computer code, appeared on the radar screen of cyber security firms when it was found to be targeting computers in Iran and several other countries running industrial control systems.

News reports in the mainstream and computer trade press suggested that the Stuxnet worm was designed to sabotage the Russian-built commercial nuclear power station at Bushehr in Iran and some or all of Iran’s secret and not-so-secret uranium enrichment plants.

German computer security expert Ralph Langer was among the first to report that the worm attacked software used to run a specific model of a Programmable Logic Controller (PLC) made by Siemens. The specific PLC targeted by the Stuxnet worm is the Siemens SIMATIC WinCC/Step 7 controller and its software.

Langer speculated that the Stuxnet worm was designed to disable PLCs installed at nuclear facilities in Iran because those facilities used so many of them. Worldwide, over 60 percent of the reported infections of the Stuxnet worm occurred in Iran. It is likely that there are more inflected PLCs in the country’s various uranium enrichment plants than at the Bushehr reactor.

PLCs are used to run automated processes in factories like auto plants, oil refineries, pipelines that supply them, and nuclear power plants. The Bureau of Industry & Security at the U.S. Department of Commerce lists “complex programmable logic devices” (CPLDs) as items subject to export controls.

The New York Times reported on September 30 that a large shipment of the devices was seized in Dubai last year because it was bound for Iran’s nuclear program. This could have been a case of locking the barn door after the horse escaped, but you really never know. The Wall Street Journal reported in February 2009 that Iran has an enormous global supply chain for its nuclear program.

Was Bushehr reactor affected?

The New York Times reported on September 27 that the worm entered the distributed control system (DCS) of the Bushehr nuclear reactor by way of USB sticks being inserted into computers inside the control network. None of the reports reaching western news media, however, indicated that there was any physical damage to the reactor. The reactor startup was delayed, but conflicting statements by Iranian officials raise questions as to whether the cause was due to problems with PLCs caused by the Stuxnet worm or some other issue such as leaks in the reactor cooling system.

The reactor is not yet operational as no fuel has been loaded in it, although by the time you read this blog post that operation may be underway. UPI reports that the fuel for the 1000 MW VVER reactor will be placed in the reactor in November.

Fuel notesAccording to TVEL, the Russian nuclear fuel manufacturer, a VVER-1000 requires 163 fuel assemblies in a hexagon shape with 306 fuel rods in each assembly. Uranium is enriched to 4.4-4.8 percent U-235. Fuel rods for VVER reactors have zirconium-alloy claddings that are filled with fuel pellets of uranium dioxide. Some fuel rods, 6-9 per assembly, are filled with pellets containing gadolinium oxide. Each fuel assembly has 435 Kg of uranium. The VVER reactor is a PWR with an outlet temperature of 320 degrees C.

Was the target bulls eye Iran’s centrifuges?

Computer trade press reports indicate that the worm disabled a large number of centrifuges at Iran’s uranium enrichment plant at Natanz. Iranian officials quoted by the Mehr News service, and cited in the New York Times on September 26, complained that 30 000 computers were infected across the country. It isn’t clear whether the Iranian report is referring to desktop PCs or PLCs.

It is likely that the worm would be effective as a form of sabotage against a uranium enrichment plant, which has thousands of identical machines all using similar PLCs. It is less likely to be effective against a nuclear reactor site’s distributed control system, which has many different devices with different PLCs. That doesn’t mean it couldn’t create havoc if it got to the targeted devices and jammed them.

There are reports that the software has been infecting systems for over a year. This may account for a report by the Federation of American Scientists that the number of centrifuges operating at Nantz dropped precipitously between May and November 2009.

Amidst all the speculative press coverage of the scope of impact of the worm on nuclear facilities, there was much less reporting on the possible effect on Iran’s oil production and refining facilities or its electric grid.

Other countries with Siemens PLCs also impacted

The impact of the Stuxnet worm wasn’t confined to Iran. It infected a large number of computers in Pakistan, India, China, and Indonesia. One way the worm was spread was by social engineering that resulted from the distribution of infected USB sticks to workers inside Iran’s nuclear facilities.
(Note to readers: If you find a USB stick on the road, smash it. Do no pick it up and plug it into your PC to see what’s on it.)

Siemens, which makes the PLCs, said that 15 sites around the world reported multiple infections from the software. Significantly, when the worm infects a Windows-based PC that isn’t connected to the Siemens PLC, it does nothing.

Wired Magazine reported on October 1 that the worm targets the Siemens PLC and nothing else.

“Stuxnet conducts a number of checks on infected systems to determine if it’s reached its target. If it finds the correct configuration, it executes its payload; if not, it halts the infection,” Wired said.

In plain English, once the worm finds the software for the Siemens device, it takes over. It randomly alters the PLC’s operations. This makes whatever device is attached to the infected PLC uncontrollable with possible catastrophic results.

The release of the worm raised new fears that cyber-warfare could be used to disable a nation’s critical infrastructure. It isn’t the first time software has been used to attack industrial facilities. In a book published in 2004, titled, “At the Abyss: An Insider’s History of the Cold War,” (Amazon), Thomas Reed revealed that in 1982 the United States supplied faulty software to the Soviets, who were stealing it from a Canadian firm to use in running their natural gas pipelines. The compromised software caused the pipeline to blow up, creating one of the world’s largest non-nuclear explosions.

Who wrote the code?

The consensus among computer security firms is that the Stuxnet worm is a sophisticated piece of work. Symantec calls it “state sponsored espionage.”

“The complexity and quality of the attack assets lead some to believe only a state would have the resources to conduct such an attack,” Symantec said.

Computer security expert Bruce Schneier wrote in the October 7 Forbes that the Stuxnet worm was “expensive” and could have required a team of 8-10 people to write it.

“Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would get done,” Schneier said.

Symantec and other cyber security firms point out that the worm uses stolen or forged digital signatures, a form of authentication, to trick computers exposed to the virus to accept it. The code for the worm is able to hide itself from casual inspection. What it does once it infects a computer hooked up to a PLC running an industrial system is that it makes the component attached to go haywire. The implications for reactor coolant system pumps and valves, or uranium enrichment centrifuges, are all too obvious.

This analysis led others to assert that the computer code came from Israel, which has a manifest interest in crippling Iran’s nuclear programs. Israel is said to have sophisticated cyber-warfare capabilities. For instance, there are indications that Israel was able to insert a “kill switch” in the software used by Syria’s air defense radar and missile systems. It shut them down in 2007, which allowed Israeli warplanes to bomb a suspected Syrian nuclear weapons plant.

There is no proof that the Stuxnet worm came from Israel or any other country. In fact, most security researchers who examined the computer code feel that the programmers who wrote it will never be known.

Schneier writes, “Stuxnet’s authors were uncommonly thorough about not leaving clues in their code.”

Global threat remains

The Stuxnet worm infection was global in nature. It showed that the capability exists to produce a threat that ignores international borders and can interrupt a variety of industry processes including those that involve processes with nuclear materials. If Iran was the sole target of the worm, then the people who wrote it may not have expected to spread so far or they didn’t care. What worries cyber security experts now is the next generation of malware that learns from the Stuxnet episode.

U.S. critical infrastructure vulnerable

The U.S. isn’t immune from cyber attacks. The Wall Street Journal reported in April 2009 that “cyberspies have penetrated the U.S. electrical grid” and left behind software to take control of it. In May 2009, the Wall Street Journal reported that the nation’s power plants are being targeted by “well organized” efforts to break into control centers for the nation’s power plants and electric grids.

In both reports, defense officials cite Russia and China as the sources of the cyber stalking incidents. Diplomats from both countries denied the charges in statements to the WSJ.

What is the federal government doing about the threats? The U.S. Nuclear Regulatory Commission is pushing the nation’s 104 nuclear power plants to complete cyber security plans, which will be amendments to the utility licenses to operate the reactors. The Department of Homeland Security is reportedly “quietly dispatching teams” to test power plant cyber security.

The Wall Street Journal reported earlier this year that the federal government has launched a new program called “perfect citizen” to detect cyber attacks on power plant and their grids. The surveillance will be carried out by the National Security Agency. The WSJ reported that defense contractor Raytheon Corp. won a $100 million contract to set up the initial phase of the system.

The computer industry isn’t impressed with this response, pointing out that the reason digital systems that control the nation’s electricity grid are vulnerable is because they are old. Instead of wrapping the systems in the digital equivalent of idiot mittens, experts says, the federal government should be pushing nuclear utilities to develop the most secure systems possible and helping them with technology from government labs.

Dan Yurman publishes Idaho Samizdat, a blog about nuclear energy. He is a contributing reporter for Fuel Cycle Week, and a frequent columnist for the ANS Nuclear Cafe.

# # #

6 responses to “As the worm turns ~ malevolent software hits Iran

  1. Only home-entertainment derived systems such as Windows allow automatic execution of a program when a USB Stick is inserted (“plug and play”). Anyone in his right mind would use Unix or Mainframes for mission critical systems.

  2. According to reports from Iran, and elsewhere, the Stuxnet worm was introduced into off-net systems at Bushehr and Nantanz as a result of compromised USB sticks being attached to the internal networks. The Stuxnet worm targeted a specific type of PLC which is in turn controlled by Windows-based machines.

  3. ‘Wam’ –

    “Plug and play” refers to automatic recognition of new attached hardware devices. “AutoRun” is Windows’ automatic execution of software on newly-mounted drives.

  4. Like Wam, I wonder why anyone would choose to use Windows to control anything that is mission critical. That system, though significantly improved with the release of Windows 7, remains based on a foundation of software designed for single machines for people who love to “hack”. From the ground up, it is a system that assumes anyone with physical access to the machine is ok.

    I also wonder about the journalistic assertion that a software effort that requires less than a dozen people for a short period of time is so expensive that it requires “state” type resources. There are thousands of start-up companies staffed by computer experts willing to work long hours for little pay on the promise of future glory and wealth. Even if you pay them, hiring a dozen programmers for a year would cost less than a million dollars. There are plenty of non state actors with those kinds of resources.

    Finally, with regard to finding USB sticks – it might also be a good idea to stay away from the dishes full of them that you find at every industrial conference as give-away trinkets. You never know who has put their hands in those bowls.

    • Rod Adams wrote:

      I wonder why anyone would choose to use Windows to control anything that is mission critical.

      Rod – I can see why you might. Your former employer learned that lesson the hard way.

      Personally, I wonder why anyone would choose to use Windows for anything other than playing computer games. Even then, there are dedicated gaming platforms that are far superior.

  5. The software that configures and maintains the PLC noted in this article runs on Microsoft Windows based machines. That’s what made it vulnerable. When Iran complained about “30,000 infected machines”, they were talking about the large number of similar PLCs being used in Iran’s gas centrifuge enrichment plants.

    Many instances of malicious software are developed using what are called “kiddie scripts” and are variations of well known threats.

    By comparison, the complex code in the Stuxnet worm appears to have been developed using a professional team that was assembled specifically to develop software to sabotage PLCs running in Iran’s uranium enrichment plants and at the Bushehr nuclear reactor.

    That’s what drives the assertion by multiple cyber-security analysts the worm is was “state-sponsored” and “expensive.” If freelancers were used, as cut outs to the “sponsor” of the project, not only do you have to pay these people to write the code, you also have to pay them to keep quiet about their exploit.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s