Stuxnet Theory

Who created and used Stuxnet? This would be a big story in the mainstream press and the biggest story in ICS security to date by far. Unfortunately we have nothing but motive and speculation with almost no hard facts on the culprit — at least publicly disclosed.

A major player in ICS security says he knows that INL did it. He may be right, but there is no evidence and no one willing to go on the record. The evidence that INL presented on the ability to launch a Stuxnet-type attack years earlier is not proof. I knew such an attack was possible, and I didn’t do it.

I’m not alone in getting the “INL did it” pitch, and reaching the lack-of-proof conclusion.

Unfortunately, the press has a history of setting a low bar for evidence when reporting ICS security stories, beginning with the CIA’s Donahue in 2007 stating that hackers “caused a power outage affecting multiple cities”. 60 Minutes, desperate to get a big lead for a scheduled story, talked to almost everyone in this space, including me. The best they could do was “several prominent intelligence sources confirmed the cyber attacks [were] in Brazil”. There has been no better evidence to date to prove this assertion and a number of holes have been poked in the scenario.

A story by Richard Sale in ISSSource last week asserts that “Stuxnet had its true origin in the waning moments of George W. Bush’s presidency in 2009”. It then goes on to tie in the work by INL on Siemens as part of the caper. It all sounds plausible, but it is actually speculation on how it happened based on vague and broad assertions of former senior intelligence officials. Readers don’t even get to read quotes from these “former senior intelligence officials” and there are no details ascribed to any official so the sourcing is very suspect.

While I normally rail against the Automation Press for not asking the tough questions and being little more than advertorial distribution, this time my beef is with the press in general. Stop giving us these stories based on anonymous senior government officials. Give us something with hard facts, or at least someone who is willing to put a quote on the record, or don’t bother with the story.

This type of reporting becomes a vicious circle. For example, CIA Donahue starts with his vague statement; it gets picked up with speculation by the New York Times; and then the President includes reports by the NYT as his primary evidence point for why we need critical infrastructure security. If there were something there, couldn’t the President say that his intelligence agencies have proof of hackers affecting the critical infrastructure rather than the NYT? True story.

Image by Randy Landicho