Siemens has presented “official” information on Stuxnet, and Joe Weiss asked me to comment on it. There is a lot that could be said about the presentation slides, but I’ll restrict my comment to the essential technical items. One thing that’s interesting about Stuxnet is the fact that major characteristics of it can be explored by lab analysis. It’s like investigating a crime where the weapon is available for forensic analysis, with blood, hair samples, and fingerprints on it. With that said, let’s take a look at Siemens’ prezo slide 5, “How are Simatic S7 controllers affected?” The diagram that you see is severely incomplete. Basically it says that in a WinCC environment, Stuxnet loads DB 890, FC 1865, and FC 1874 to a PLC. What’s missing? A lot:
Oct 15 2010
Stuxnet logbook, Oct 15 2010, 1100 hours MESZ
Today is an anniversary: ICS-CERT started working on Stuxnet three months ago. That’s right, three months of “continued analysis of the Stuxnet malware in an effort to determine more about its capabilities and intent”, as it reads in ICSA-10-238-01. From the advisories that ICS-CERT has published on Stuxnet, we learn that Stuxnet can possibly change the behavior of attached PLC hardware, and that the affected products are widely used in many critical infrastructure sectors. Well, that’s as far as it goes. Nothing more, nothing new, nothing detailed on the biggest security threat in the history of control systems.
Oct 12 2010
Ralph on cyberwar: War 0.1
The German weekly newspaper Die Zeit titled an interview with me ‘Iran at war 2.0’. The reason obviously was that the cyberwar we have just witnessed is in some respects smarter than conventional, hardware-oriented war, with hardware being bombs, missiles, and aircraft. As far as we know, no fatalities have been reported as a result of operation myrtus; the operation must be viewed as highly successful in terms of economy, and it leaves a victim that has a hard time figuring out the appropriate way to retaliate.
Oct 11 2010
Clear and present danger: Open letter to Symantec
Dear Liam O’Murchu,
I have now managed to read your Stuxnet dossier. It’s a solid piece of good technical analysis — except for the summary where you draw dangerously misleading conclusions.
Oct 7 2010
Stuxnet logbook, Oct 7 2010, 1430 hours MESZ
We continue our rant against the mainstream media for a short while. It is unbelievable how major publications give room to self-proclaimed security experts who have never come closer than 500 miles to a Stuxnet-infected installation, let alone having any clue of what an industrial controller is. We have also learned that the major interest of the media is the question of who may be behind Stuxnet, which is usually answered by a mysterious ‘we will never know’ (meaning: I, the journalist, will never know, because I have no desire to figure it out). However, we will know. Stuxnet and its surroundings contain so many traces that sooner or later the organizations behind it will be identified beyond reasonable doubt. Let’s give some hints for those who are really interested in following the traces.
Oct 6 2010
Stuxnet logbook, Oct 6 2010, 1130 hours MESZ
Working with the mainstream media is an interesting experience. Some journalists get the point quickly and ask very intelligent questions; others miss the point completely and even quote Ralph incorrectly. However, missing the point is easy in this case, as understanding Stuxnet’s attack vector is barely possible even with a high level of technical background knowledge. Let’s try to explain Stuxnet to the average computer user.
Oct 4 2010
Ralph’s analysis, part 3
Following an interview with me in their Saturday edition, the Financial Times (European edition) contemplates what will come after Stuxnet, setting the focus on ‘full-scale cyberwarfare in which major infrastructure is destroyed’. The reporters also speculate whether governments, especially those of the major powers, should sign treaties to ban the use of cyberoffensive weapons. I believe such concerns and speculations are misleading. Here’s my take.
Oct 1 2010
Stuxnet logbook, Oct 1 2010, 1100 hours MESZ
Things are getting more and more bizarre at the communications front. CERTs are stretching their intellect in efforts to avoid frank talk without saying something provably incorrect. A good example is ICS-CERT’s most recent advisory on the Stuxnet malware from Sep 29, 2010 (www.us-cert.gov/control_systems/pdf/ICSA-10-272-01.pdf). Let’s look at it in detail.
