Highlights include:

Identifying Stuxnet’s target with 100% confidence / Why Stuxnet’s source code is not needed for substantial copycat attacks / Details on attacker strategy (“not a Pentagon job”).

As a brief recap, a first-generation Iranian uranium enrichment cascade consists of 164 centrifuges that are not simply piped in a serial fashion but in groups, which are called stages. Centrifuges within one stage are piped in parallel. The resulting overall pattern is a belly-shaped curve that loyal blog readers will remember from last winter. The exact shape of an IR-1 cascade was not publicly known but was computed in approximation by Alexander Glaser from Princeton, based on revelations of a talkative Gholam-Reza Aqazadeh who let the world know that Iran used to group their IR-1 cascades into fifteen stages. From the IR-1 cascade structure computed by Alex we were able to link Stuxnet’s 417 attack code to Natanz – the match was simply too good to be a coincidence.

But it gets even better when looking at the SCADA screens in Natanz’ control room, as the President is doing, where we find an exact match with the cascade structure as coded in Stuxnet. You don’t see it? You will.

The green dots that you see on the displays are operational centrifuges. There are four rows of green dots (and centrifuges) because this is how they physically group centrifuges in Natanz, as it can be determined easily by looking at the walk-around pictures of the 2008 presidential visit. Look closely at the grey columns below the green dots, highlighted in the detail view by added red arrows. It is easy to see that the column size varies. The rightmost column spans one green dot, the second rightmost column two green dots, then three dots, then four, then five, then six, and then it goes back to five, with the left column edge being overwritten by the ending “r” of the President’s URL. After having looked at the pimped up detail view it is even easy to see in the original photograph, right?

Now multiply the column sizes with four, because every column contains four centrifuges. That makes 4, 8, 12, 16, 20, 24, 20. Did we see this before? Yes, that’s exactly the cascade structure as coded in Stuxnet. It also suggests that stage 15 in Natanz is using the rightmost four centrifuges being piped together, stage 14 the next eight centrifuges, and so forth (in Farsi they are writing from right to left). It is easy to infer that the next column left of the leftmost 20, hidden under the URL, is four dots wide (for 16 centrifuges). Ralph will discuss details in his upcoming talk in Miami at S4. 

By the way, we wouldn’t be too surprised if the big red buttons at the top of the display would in some way be related to the six Profibus segments of the Siemens S7-315′s that are used to control the centrifuge rotor speeds — apparently for groups of up to 28 centrifuges. Again, think right to left, seven times four.

So where’s Stuxnet 2.0? Well it’s certainly not Duqu. If there is a 2.0, it would better be on site already. However, we see the chances for success of an improved cyber weapon slim, and this assessment has nothing to do with the still existing vulnerabilities of the target, but with flawed strategy on the attackers’ side.

Contrary to what you might have heard, Stuxnet 1.0 was not crude and simple. It was oversophisticated. The complexity of attack details in the payload is overwhelming. I’m going to talk about this in January at S4 in Miami, and I’m sure the audience will have a hard time believing that the stuff I’m going to show is real. But it is. The overall approach of Stuxnet’s 417 digital warhead is like trying to stop a psychopathic killer from committing homicide by performing a multi-hour brain surgery on the perpetrator at the quickly evolving crime scene, keeping fingers crossed that he won’t notice (after all, you got that local anesthesia).

Some time ago at a conference where I had expressed my belief that Langley and the Department of Energy were the leading forces behind Stuxnet (just because this was a classic covert nuclear counter-proliferation operation), I was later approached in private by an official of the US military who said: “You’re right, we are simply not smart enough to do something like this.” If the Pentagon had developed Stuxnet, it might have been much more crude and brute-force. The irony is, it might also have been much more effective. It is obvious by forensic evidence that the given design and overall ops strategy placed priority on remaining undetected, gambling quick and clear mission success for stealthiness and long-term infiltration. It is not very difficult to determine the origins of this school of thought. They are written down by Catherine Collins and Douglas Frantz in their book FALLOUT: The true story of the CIA’s secret war on nuclear trafficking.

Unfortunately, there seems to be not enough time left for a 2.0 that would follow the same doctrine. So either we’re going to see an updated version 2.0 soon that goes straight for a simultaneous catastrophic destruction of as many centrifuges as possible (which had been, and maybe still is technically possible), or the problem has to be delegated to the Air Force.

Ralph Langner

For media inquiries, please note that we don’t research Duqu as it appears to be unrelated to control systems.

During the second part of my talk, dedicated to low-key attacks against industrial controllers, I explained two lethal attacks that require zero insider knowledge. The first had been published earlier in this blog as the 14-byte time bomb. The discussion in SCADASEC assumes that it would be required to compromise the OS kernel of the controller, and to disable the cycle time monitor executive (inaccurately identified as OB35, in reality it would be OB80). Both assertions are wrong. Let’s start with the latter because it is easier to explain. Getting OB1 into a tight loop doesn’t trigger a cycle time exception because the operation block finishes well in time. If the attacker would want to add code that is heavy on CPU performance, as in the case of Stuxnet’s 417 code, he would simply disable cycle time monitoring by loading a BE directive to OB80, as demonstrated by exploit code in the wild.

The real problem with the 14-byte time bomb is not the four lines of exploit code as explained at WeissCon. This was just to make the point that no insider knowledge is required and any process can be targeted by a payload like this. The real problem is how easy it is to inject rogue code onto a controller, as demonstrated by Stuxnet. For obvious reasons we did not detail in our blog post (and neither did I in my WeissCon talk) how this is done. The point to be made was that any hacker with enough time to spare can learn how this can be achieved by studying Stuxnet, or by simply playing around long enough with the vendor’s engineering software and Wireshark. No need to p0wn the kernel. It’s all about understanding the proprietary protocol of the engineering software. All of this can be crafted into a Metasploit module and can be released on the Internet.

The other attack that I discussed focused on how to kill a controller with one legitimate command, and what the corresponding source code for Metasploit looks like. The point was: It looks short, very short. Too short. It’s way too easy. While having the same effect as the 14-byte time bomb, it isn’t time-triggered and requires online access to the target controllers. However, it is a reliable attack because it uses a legitimate command — that should never have been implemented in the protocol in the first place.

Are both vulnerabilities hard or impossible to fix? Not at all, and this is what everybody discussing DHS’ new look at vulnerabilities should know. Simply disabling the DELE command for operation blocks in the engineering protocol would result in a nuisance for a handful of control system engineers who feel that the command speeds their development process by an hour. Actually this vulnerability is easier to fix than a buffer overflow hidden somewhere deep in code. — The best solution for the vulnerability of code injection has been discussed in this blog several times, it is digitally signed ladder logic. This can be done with existing controller hardware. The Rockwell guys explained at WeissCon their first and promising steps into this direction. LL integrity checking will slow down the LL load process a couple of seconds. Just seconds delay for an engineer, but a product generation’s leap forward for the industry.

Ralph Langner