Today is an anniversary: ICS-CERT started working on Stuxnet three months ago. That’s right, three months of “continued analysis of the Stuxnet malware in an effort to determine more about its capabilities and intent”, as it reads in ICSA-10-238-01. From the advisories that ICS-CERT has published on Stuxnet, we learn that Stuxnet can possibly change the behavior of attached PLC hardware, and that the affected products are widely used in many critical infrastructure sectors. Well, that’s as far as it goes. Nothing more, nothing new, nothing detailed on the biggest security threat in the history of control systems.
From our dissection of ICSA-10-272-01 two weeks ago, you will remember that ICS-CERT describes a test setting with no PLC. A test setting that is absurd, and deliberately misleading, if ICS-CERT takes its own insight seriously: STUXNET MAY ALTER PLC BEHAVIOR. Why would a CERT with that (trivial) insight REMOVE PLCs from the test bed?
In the meantime, Sean McGurk of DHS let the public know in an interview about Stuxnet: “We took a broad all-hazards approach to the [Stuxnet] malcode.”
The “all-hazards approach” approaches a DCS product with its most important part, the PLC, deliberately removed? Strange. “We were able to reverse engineer the [Stuxnet] code and monitor how it works,” Sean continues. Wait a second… With no PLC attached, it is technically impossible to monitor how Stuxnet works: the part that alters PLC behavior never gets to run, so there is nothing to observe. It’s like “monitoring” the behavior of a spam server with the network cable unplugged. So either ICS-CERT still has no idea how Stuxnet works but says otherwise, or ICS-CERT does have an idea what the damn thing does but doesn’t want to tell you. You choose which alternative you like best. Yeah, it’s like choosing between measles and flu.