The German weekly newspaper Die Zeit titled an interview with me ‘Iran at war 2.0’. The reason obviously was that the cyberwar we have just witnessed is in some respects smarter than conventional, hardware-oriented war, with hardware being bombs, missiles, and aircraft. As far as we know, no fatalities have been reported as a result of operation myrtus; the operation must be viewed as highly successful in terms of economy, and it leaves a victim that has a hard time figuring out the appropriate way to retaliate.

On the other hand, it is hard to overlook how risky and buggy the whole operation was. In the movie ‘Wag the Dog’ with Robert de Niro and Dustin Hoffman, which is actually a must-see in order to understand the public communications on Stuxnet, de Niro has the line: ‘All combat takes place at night, when it rains, at the junction of four map quadrants’. In other words, in war, many things can and will not go according to plan. To quote Clausewitz: War is the reign of chance. This will come naturally to military folks. But in this case, it gets worse. Operation myrtus is the first real cyberwar operation in history. Everything before was kid’s stuff; in relation to myrtus it appears like a gang of hooligans busting a rival gang with baseball bats, a.k.a. denial of service. Myrtus is the first operation in history that a) uses a CYBER WEAPON, b) creates physical destruction, c) hits a dedicated military target (it’s not even critical infrastructure, as Bushehr wasn’t operational yet and is not critical for the country’s electricity supply), d) is led by a coalition of nation states, and e) would have triggered a conventional military hardware attack (= air strike) if not successful. And chances for mission success were slim, as I will explain next.

If you do something highly complex for the first time, expect mistakes and — ‘bugs’. Every software project manager knows this. Stuxnet may well compete in complexity with your email software application. Imagine you have installed a new email solution from a startup software company that has just released it as their first product. You also have reason to assume that this vendor has been working under a very tight timeline to get the product out to market, perhaps because there was this trade show that they couldn’t afford to miss, and venture capitalists pressing for results. You would not expect this product to be error-free. The same is true for Stuxnet, the weapon, and for myrtus, the operation. In commercial software terms, one could say Iran was Stuxnet’s designated beta tester. And it looks like Stuxnet performed pretty well, but…

First, Stuxnet has bugs. A bug in Stuxnet gave us a quick clue of what we were looking at when we started to analyze Stuxnet’s digital warhead. The bug I am referring to is a read request to a specific data block (DB 8062) from the victim PLC when the PLC has blank memory. During our first experiments with Stuxnet, we were puzzled to see that Stuxnet read the main cycle program code from the PLC and then did — nothing. What was the purpose of this bizarre behavior? In order to find out, we erased the memory of our victim PLC, and then Stuxnet tried to read that data block. Stupid. Stuxnet knew at this point that the PLC was blank, since it didn’t try to read the main cycle code. This bug gave us a tremendous boost in figuring out that we were looking at a 100% directed attack. Another serious flaw is the fact that Stuxnet performs a five-second read cycle to another data block (DB 890) when running in the WinCC environment. This is easy to miss if you are running a fully configured WinCC with hundreds of process variables, but it pops up immediately if you have configured WinCC to the bare minimum, as we did, with only one variable and a long read cycle. Obviously something the attackers hadn’t considered.
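As an added example (not code from the original post or from the author's lab), here is a small detection heuristic in Python that runs over constructed S7 read-request log lines and flags the two behaviours just described: a read of a data block the WinCC project never configured, and a fixed short-interval poll well below the configured read cycle. The log format, host name and configured-DB set are assumptions.

```python
"""Added example (not from the original post): flag PLC data-block reads that a
bare-minimum WinCC project would never issue itself, i.e. the two behaviours
described above: a read of an unconfigured DB, and a tight ~5 s poll of DB 890."""
from collections import defaultdict

# Constructed log lines for this example, format "<seconds>,<source>,READ,DB<n>";
# a real deployment would parse the capture format of its own monitoring tool.
SAMPLE_LOG = """\
0.0,wincc01,READ,DB1
5.0,wincc01,READ,DB890
10.0,wincc01,READ,DB890
15.0,wincc01,READ,DB890
20.0,wincc01,READ,DB890
30.0,wincc01,READ,DB8062
60.0,wincc01,READ,DB1
"""
# Assumed minimal project: only DB 1 is configured, polled once a minute.
CONFIGURED_DBS = {1}
CONFIGURED_POLL_SECONDS = 60.0

def parse_log(text):
    """Yield (timestamp, source, db_number) for each READ record."""
    for line in text.splitlines():
        ts, src, op, db = line.split(",")
        if op == "READ" and db.startswith("DB"):
            yield float(ts), src, int(db[2:])

def find_anomalies(text, configured_dbs=CONFIGURED_DBS,
                   expected_poll=CONFIGURED_POLL_SECONDS,
                   min_reads=3, jitter=0.5):
    """Return sorted (db_number, reason) pairs, reason being 'unconfigured'
    (the project never reads this DB) or 'fast-periodic' (stable interval
    far below the configured read cycle, like Stuxnet's DB 890 polling)."""
    reads = defaultdict(list)
    for ts, _src, db in parse_log(text):
        reads[db].append(ts)
    findings = []
    for db, times in reads.items():
        if db not in configured_dbs:
            findings.append((db, "unconfigured"))
        if len(times) >= min_reads:
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = sum(gaps) / len(gaps)
            if all(abs(g - mean) <= jitter for g in gaps) and mean < expected_poll / 2:
                findings.append((db, "fast-periodic"))
    return sorted(findings)

if __name__ == "__main__":
    for db, reason in find_anomalies(SAMPLE_LOG):
        print(f"DB{db}: {reason}")
```

On the constructed log the bare-minimum project makes both behaviours stand out at once; on a fully loaded WinCC with hundreds of tags the configured-DB set and expected poll rate would have to come from the project's tag export instead.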

Bugs and flaws in software as complex as Stuxnet, in the first version delivered to customers, eh, victims, are natural, especially if you take into account that the developers of Stuxnet had only about a year to produce a release version. Anyway, such bugs may make the weapon useless, either because of technical malfunction or because of premature detection, which will blow the whole op.

Second, operation myrtus was extremely high risk. Not in terms of life and limb, but in terms of mission success. The attackers had to bet on the assumption that the victim had no clue about cyber security, AND that no independent third party would successfully analyze the weapon and make results public early, thereby giving the victim a chance to defuse the weapon in time. While the first part of the bet may be taken for granted in this case, the second part may not. Development of Stuxnet has taken over a year, but it took us only two weeks to figure out the plot, with a team of three. Since we started late, our results were published after the blow, but this was only coincidental. I began to take Stuxnet seriously after August 6, when it became evident that the thing was doing SOMETHING to controllers. I didn’t want to invest time in the analysis though, as I thought: that’s Siemens’ duty, why should I do their job for free? However, it appeared that Siemens for some reason didn’t bother to thoroughly analyze Stuxnet, or at least didn’t publish results. So, after three more weeks, I decided to give it a go. Had I done so earlier, mission success could have been compromised.

It might also have been compromised if somebody in Iran had paid close attention to my comments in Joe Weiss’ Unfettered blog. Bushehr was on my radar for more than a year. I did not expect Israel to let that thing go operational, and a cyber strike seemed to be the obvious alternative to a conventional strike with military hardware. On April 21, 2010, Joe was bitching, in the manner that the community loves him for (well, more or less), about not finding an ear and coverage for ICS-related stuff at a government-funded project about cyber attacks for the intelligence community. His closing words were, ‘What is the appropriate venue?’ I commented, well, maybe a venue about covert ops — just think about a power plant that poses a major threat to a neighboring state, and simply self-destructs in the process of going operational. A clear hint to the Bushehr scenario. Funnily enough, this and several other of my early blog comments that pointed to Bushehr were erased by God-knows-who. Again, risky business! I could have chosen to publish hints elsewhere, where deletion would have been more difficult and noticed more quickly.

Third, operation myrtus has the burden of significant collateral damage. The virus spread much farther than the attackers could have intended. Even though distribution was limited to USB sticks and shared folders, we see infected systems in many geographic regions. Actually this is easy to explain if you are familiar with real-world ICS environments. First of all, the spread that we see over India, Indonesia, and Pakistan is due to the fact that the integrator who builds the Bushehr NPP has business in these countries. Second, Atomstroyexport is not the only contractor with access to the infected sites. Other contractors access systems at infected sites, too, and make heavy use of shared folders. That is an easy explanation for why we see infected systems even in Europe and the US. Anyway, cleaning up all the infected systems takes time. It may even cost significant money if you choose to contract a third party to do the job, especially one who charges big bucks for looking at your systems to simply determine if they are infected or not (you can do that yourselves within five minutes), which is what we’re seeing in Germany.

The biggest collateral damage, however, emerges from the cost of dealing with post-Stuxnet malware, which copies attack technology from Stuxnet. I am not sure if the forces behind Stuxnet were fully aware of this yet-to-come damage. Some among the attackers will experience little risk for themselves here, others may even profit from such damage, but for sure the US and Western Europe will pay a high price for this. Is mission success, i.e. having crippled the Iranian nuclear program without going to War 1.0, worth such collateral damage? Probably. Probably not. We’ll see.