Working with the mainstream media is an interesting experience. Some journalists get the point quickly and ask very intelligent questions, others miss the point completely and even quote Ralph incorrectly. However, missing the point is easy in this case as understanding Stuxnet’s attack vector is barely possible with a high level of technical background knowledge. Let’s try to explain Stuxnet to the average computer user.
If Stuxnet was a conventional piece of malware as everybody knows it, it could have done this. It would have checked if a specific word processor is installed on your machine, let’s say Microsoft Word. It would then check if you have a specific printer model installed. Now comes the freaky part. Stuxnet would then check for the presence of one specific document on your hard disk. Not based on the document’s file name, but based on the document’s content. If no match is found, Stuxnet leaves you alone. If Stuxnet finds the document it is looking for and you print out the document, Stuxnet prints its own stuff rather than the original document content. What Stuxnet prints is not random garbage, but completely well-formed sentences in English language.
Let’s get back to the real Stuxnet. As everybody knows who accessed our web site, it is not about changing document content, it is about disrupting a physical process, thereby destroying machinery and equipment that is difficult to replace. If you are infected with Stuxnet but don’t have the specific machinery that Stuxnet is targeting, configured the exact way that Stuxnet is looking for, Stuxnet will ignore you. If you ARE Stuxnet’s target, don’t bother that you could somehow miss Stuxnet’s action. Stuxnet is so aggressive that there is no way to miss it. Others will see Stuxnet’s results, too. Of all the infected systems from all over the world, only two facilities have reported damage caused by Stuxnet: Bushehr’s nuclear power plant, and the uranium enrichment facility in Natanz. NO other infected facility has reported damage.
Now to the threat posed by Stuxnet. Stuxnet’s bullet is fired and hit its designated target. Stuxnet as such will do no more harm. However, Stuxnet will live on, it will be the zombie of our nightmares — for those who are responsible for industrial control systems that run something of any value. Stuxnet shows everybody who is interested HOW to manipulate process control on the PLC level (that’s where all the drives, valves, pumps, sensors etc. are electrically connected to). In order to explain what that means, let’s get back to Stuxnet’s virtual brother in office IT. After studying Stuxnet, we now know how to manipulate documents during printout, great! But why be as picky as the original Stuxnet? We can simply use this technology to print garbage in every document, or randomly in some documents, or only on Tuesdays (‘garbage Tuesday’). We can also use Stuxnet’s technology to slow down the printing process, or to make printing impossible. We can do whatever we want with document printing, without any insider knowledge. Unfortunately, our vendor is unable to fix this problem with a security patch, so we have to sweat it out until we have implemented a solution on our own.
That’s the real threat Stuxnet poses for all of us. It provides a blueprint for aggressive attacks on control systems that can be applied generically. Depending on where you live, such very same control systems may control the power plant that provides your electricity, the water utility that provides your water, the factory where you work in, and the traffic lights you see on your way home. The technology how to manipulate all such systems is now on the street, and don’t be so naive to assume that nobody would take advantage of it. Unfortunately, CERTs and similar organizations don’t have the guts to tell you this, even though it is their obligation and they’re paid for it with taxpayers’ money. However, now you know.