As we get ready to hear if President Trump will pull the US out of the Iran Nuclear Deal, it’s worth revisiting the big remaining question and underreported story on Stuxnet:

Why Did The US Government Not Care If Or Want Iran To Discover Stuxnet?

Full credit for identifying that Stuxnet’s creators likely either wanted Stuxnet discovered, or knew it would be discovered and didn’t care, goes to my friend Ralph Langner. The amount of time and work he has put into understanding and explaining Stuxnet is something all in the ICS security community should be grateful for. His S4x12 Stuxnet Deep Dive video goes deep into the PLC programming and his To Kill A Centrifuge paper written after more years of work is the definitive paper on Stuxnet.

Most people in the ICSsec community are familiar with the rotor speed attack, but the initial versions of Stuxnet were a highly stealthy and very complex centrifuge overpressure attack. I won’t try to summarize the enrichment process and the attack, read To Kill a Centrifuge, but this is the attack that recorded 21 seconds of normal operation and replayed these to fool the Operators. This version was only discovered as an artifact in the code of the figuratively and literally noisy rotor speed attack that replaced the centrifuge overpressure attack.

The critical rotor speed attack was much simpler. It sped up the centrifuge rotation to a speed that would damage the centrifuge and then slammed on the brakes, all the while showing the operator a constant speed. While Ralph hypothesized that the US knew and didn’t care that Stuxnet would be discovered in his paper, he provided even better and easier to understand proof last year. The centrifuges were very loud, and the noise would vary noticeably as the rotating speed changed as specified in the Stuxnet code.

This video below makes the point so clearly, and loudly, that it is obvious that the team in the Plant quickly knew that the rotation speed showing in their displays was not accurate.

 

While the physical affects of Stuxnet were now easily detected, the methods used to deliver and propagate Stuxnet were also expanded to such a degree that detection was likely. This means that detection would not only be likely in Iran, but elsewhere as Stuxnet now propagated via Windows rather than Siemens Step 7 software.

So now back to the question. Unless the Stuxnet team, who had done brilliant technical work in the overpressure attack someone lost all of their smarts and skills, this had to be a conscious decision to modify the attack knowing it would only be effective for a short time. And importantly that the US would be letting the genie out of the bottle, crossing the Rubicon or whatever buzz phrase you select.

The enhanced propagation and much simpler attack had a higher likelihood of causing damage until it was discovered. Perhaps the overpressure attack was not doing enough damage and a short term increase in damage was viewed as worthwhile even given the likely ramifications of this new type of weapon, which seems shortsighted now. Perhaps there was another part of the plan that we don’t know yet post Stuxnet that was believed to make this Stuxnet part of the campaign worthwhile.

Perhaps … I haven’t heard a credible answer and don’t have a great educated guess as to why they moved from stealthy Stuxnet to obvious Stuxnet. It remains the last big unanswered question about Stuxnet.