Responding to Cyber Threats
A brief case study of Stuxnet


According to Gartner’s predictions, cyber attackers will be able to weaponize operational technology and harm or kill humans by 2025. Operational technology, the equipment that monitors or controls processes in manufacturing, resources, and utilities, is a particular target. Cyber-physical systems (CPS) and Internet of Things (IoT) devices increasingly affect our quality of life and play a more critical role in our society’s infrastructure and government. The combination of global digital interconnection and sophisticated major cybercrime players (such as state-sponsored or organized-crime hackers) is increasing the consequences of such attacks.
Stuxnet, the world’s first “Digital Weapon”
Stuxnet, a highly sophisticated 500 KB worm, was first uncovered in 2010 after destroying many centrifuges in Iran’s Natanz uranium enrichment facility. It was initially developed to remotely exploit a zero-day vulnerability in a version of Siemens SIMATIC STEP 7 and PCS7 software running on Microsoft Windows machines in the Iranian nuclear program. This supervisory control and data acquisition (SCADA) control equipment is used in power plants and other manufacturing industries. The worm was identified by a security company from Belarus because a programming error caused it to spread beyond its intended target, infecting more than 200,000 computers across the world while physically destroying 984 centrifuges.
It is believed that in 2008 Siemens shared its source code with US authorities and the Idaho National Laboratory so that they could find any security vulnerabilities in the PLC system used in nuclear energy facility operations.
It is commonly believed that the joint US and Israeli intelligence task force working against the Iranian nuclear program was informed about the vulnerability found in the Siemens software and started developing Stuxnet. The task force’s code name was “Operation Olympic Games,” and it operated under both the Bush and Obama administrations. The Stuxnet domain, “mypremierfubol.com,” was registered in late 2008 and was supposed to be used only for code download and updates. It seems that Stuxnet first spread via LAN into the systems of contractors working with the Iranian nuclear program and was then carried into the offline PCs inside the facility on a USB stick, most probably by an insider. After infecting a machine, the worm checked whether it was part of the targeted Siemens control system; if it was, the worm tried to reach the internet for the latest updates. The next step was reconnaissance and information gathering, which was then used to take control of the centrifuges, making them spin irregularly and pushing them to failure. The worm also fed false feedback and reports to the outside controllers so that they could not diagnose the problem.
It seems this attack was massively successful because of:
A sophisticated team sponsored by multiple states
A shared zero-day vulnerability
Serious security lapses in the Iranian organizations (personnel, cyber security, and protocols): they failed to consider supply chain vulnerabilities or to implement an effective IDS/IPS, AD and ACL controls, and a monitoring system.
On the Iranian side, the attack could have been prevented, or at least its impact minimized, by implementing:
Multi-layered defense, or defense-in-depth, combining security policies, ACLs, component isolation, segmentation, and workforce training.
Physical and logical barriers between networks (SCADA and organizational networks).
Disabling all unnecessary ports (physical & logical).
Restricted user privileges and a pre-approval procedure for any software installation or change.
Constant administrative monitoring procedures on the network.
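One way to operationalize the segmentation, port-restriction and monitoring items above, as an added example that is not part of the original case study: a Python check that maps flow records to zones and flags anything outside an explicit allowlist between the organizational network, a DMZ jump host and the SCADA network. The zone ranges, the allowlist, the record format and the sample flows are constructed assumptions, not data from the Natanz incident.

```python
from ipaddress import ip_address, ip_network
# Constructed zones: organizational (IT) network, a DMZ jump host and the SCADA/PLC network.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "scada": ip_network("10.30.0.0/24"),
}

# Allowed (source zone, destination zone, destination port). Any flow that is not
# listed is either an unnecessary port or a path that bypasses the DMZ barrier.
ALLOWED = {
    ("corporate", "dmz", 3389),  # engineers reach the DMZ jump host over RDP only
    ("dmz", "scada", 102),       # S7comm (TCP 102) to the PLCs only from the jump host
    ("scada", "dmz", 514),       # syslog from SCADA hosts to a collector in the DMZ
}

def zone_of(addr: str) -> str:
    """Map an IP address to its zone; addresses outside every zone are 'unknown'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def parse_flow(line: str) -> tuple[str, str, int]:
    """Parse a constructed flow record of the form '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, dport = line.split()
    return src, dst, int(dport)

def violations(lines):
    """Return (flow, (src_zone, dst_zone, dport)) for every flow not in ALLOWED."""
    found = []
    for line in lines:
        src, dst, dport = parse_flow(line)
        key = (zone_of(src), zone_of(dst), dport)
        if key not in ALLOWED:
            found.append(((src, dst, dport), key))
    return found

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.5.7 10.20.0.10 3389",   # corporate -> DMZ jump host: allowed
    "10.20.0.10 10.30.0.21 102",   # jump host -> PLC: allowed
    "10.10.5.7 10.30.0.21 102",    # corporate workstation straight to a PLC: violation
    "10.30.0.21 10.10.5.7 445",    # SCADA host opening SMB to corporate: violation
    "192.168.1.5 10.30.0.21 102",  # address outside every zone (e.g. contractor laptop): violation
]

if __name__ == "__main__":
    for flow, key in violations(SAMPLE_FLOWS):
        print("VIOLATION", key, flow)
```

Fed from a firewall or NetFlow export, the same allowlist doubles as the segmentation policy to enforce and as the detection rule for traffic that crosses the SCADA boundary by an unapproved path.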
For a country like Iran, which technologically depends on other states and multinational corporations, there is always a considerable risk of manipulation or exploitation. However, its critical point of failure was the lack of proper security, personnel, and IT, especially for such a secretive and politically imperative program.