As we get ready to hear if President Trump will pull the US out of the Iran Nuclear Deal, it’s worth revisiting the big remaining question and underreported story on Stuxnet:
Why Did The US Government Not Care If Or Want Iran To Discover Stuxnet?
Full credit for identifying that Stuxnet’s creators likely either wanted Stuxnet discovered, or knew it would be discovered and didn’t care, goes to my friend Ralph Langner. The amount of time and work he has put into understanding and explaining Stuxnet is something all in the ICS security community should be grateful for. His S4x12 Stuxnet Deep Dive video goes deep into the PLC programming and his To Kill A Centrifuge paper written after more years of work is the definitive paper on Stuxnet.
Most people in the ICSsec community are familiar with the rotor speed attack, but the initial versions of Stuxnet were a highly stealthy and very complex centrifuge overpressure attack. I won’t try to summarize the enrichment process and the attack (read To Kill a Centrifuge), but this is the attack that recorded 21 seconds of normal operation and replayed them to fool the operators. This version was only discovered as an artifact in the code of the figuratively and literally noisy rotor speed attack that replaced the centrifuge overpressure attack.
The critical rotor speed attack was much simpler. It sped up the centrifuge rotation to a speed that would damage the centrifuge and then slammed on the brakes, all the while showing the operator a constant speed. While Ralph hypothesized in his paper that the US knew and didn’t care that Stuxnet would be discovered, he provided even better and easier-to-understand proof last year. The centrifuges were very loud, and the noise would vary noticeably as the rotation speed changed as specified in the Stuxnet code.
The video below makes the point so clearly, and loudly, that it is obvious the team in the plant quickly knew that the rotation speed showing on their displays was not accurate.
While the physical effects of Stuxnet were now easily detected, the methods used to deliver and propagate Stuxnet were also expanded to such a degree that detection was likely. This means that detection would be likely not only in Iran, but elsewhere, as Stuxnet now propagated via Windows rather than Siemens Step 7 software.
So now back to the question. Unless the Stuxnet team, who had done brilliant technical work in the overpressure attack, somehow lost all of their smarts and skills, this had to be a conscious decision to modify the attack knowing it would only be effective for a short time. And importantly, that the US would be letting the genie out of the bottle, crossing the Rubicon, or whatever buzz phrase you select.
The enhanced propagation and much simpler attack had a higher likelihood of causing damage until it was discovered. Perhaps the overpressure attack was not doing enough damage, and a short-term increase in damage was viewed as worthwhile even given the likely ramifications of this new type of weapon, which seems shortsighted now. Perhaps there was another, post-Stuxnet part of the plan that we don’t yet know about, which was believed to make this Stuxnet part of the campaign worthwhile.
Perhaps … I haven’t heard a credible answer and don’t have a great educated guess as to why they moved from stealthy Stuxnet to obvious Stuxnet. It remains the last big unanswered question about Stuxnet.
Well, I hint at my theory of why they no longer cared about OPSEC so much in “To Kill a Centrifuge”: The whole operation had turned from nuclear counter-proliferation to an experiment in cyber warfare. Or as I had put it, they all of a sudden had discovered that “the world is bigger than Natanz”.
You may be right and likely have thought about this a lot more than most. Still, it’s hard to imagine the people making the decision would not see the downside of demonstrating this to the larger world, and the upside of keeping the real potential impact and uses of this new class of weapons or operations to themselves as long as possible.
Thank you for this interesting discussion Dale.
There are many possibilities:
1) There may have been back-channel or indirect communications/negotiations between the US/Israel and Iran such that revealing this cyber warfare capability provided leverage (“Gee, if they can do this to us, what else might they be able to do?”).
2) Perhaps it was a form of psychological warfare. After identifying the problem of varying centrifuge rotor speeds, the operators at Natanz would have spent considerable time trying to understand and correct it. That frustration, combined with fear of reporting production slippage problems up the chain would have caused FUD, perhaps slowing production even further and sowing seeds of discord within the target organization.
3) Let’s not forget Hanlon’s Razor; perhaps the otherwise-capable Stuxnet team simply made a mistake. Ralph, please correct me if I misremember, but weren’t there some obvious errors in Stuxnet deployment (failure to erase itself under certain circumstances?)? If so, that is evidence that this may be just another error.
It’s fun to speculate, but we simply don’t have enough information to deduce the intent of the Stuxnet team on this issue. Absent further disclosures, we never will.
Thanks for your comment. The last item, it was a mistake, is highly doubtful. If you watch the video it is clear that the people in the plant would know the centrifuges were spinning at a rate far different than what they were seeing on the HMI.
They could have thought the Windows exploits would be discovered, and no one would dig into the impact to the PLC. This was true for a couple of months, which could have spread to years. Still the Iranians would have dug into it as centrifuges continued to fail and the rotor speed was the known cause.
One other issue that is being missed is the implication behind the story of the stealth attack: You can do it by being showy about it, or you can do it with no one knowing about it. If you were the head of an APT team, which method would be your first choice? Strange to think about this, since we have no way of knowing how many stealth-type attacks have been executed since we first heard about Stuxnet in 2010.
True. The difference is that now some asset owners think “was this caused by a cyber attack?” when things go wrong. This was definitely not the case pre-Stuxnet.