Before this remarkable year finishes, I would like to point out some remarkable people. Certainly they are all related to Stuxnet in one way or another.
1. Gabriel (technical mastermind behind the attacks)
As it is known from the feature movies on the subject (“Live free or die hard”, “Password: Swordfish”), evil hackers are called Gabriel. So let’s continue the tradition. Because of Gabriel’s work, critical parts of ISA-99, NERC CIP, and NIST need to be rewritten. Stuxnet even calls for a new product generation of controllers with digitally signed code. Gabriel’s masterpiece is a man-in-the-middle attack on controllers, providing the legitimate controller code with pre-recorded input signals. Quite an achievement in history; such an attack had never even been discussed before. Unfortunately, only a handful of people recognize the achievement, which goes far beyond the Windows 0days. However, I am confident that Gabriel is happy with me recognizing the magnitude of his skills. Since the attackers used to leave messages in Stuxnet, here’s a message for Gabriel: 240107. Don’t bother to google.
2. Ralf Rosen (Langner Communications)
Ralf contributed an awful lot to our Stuxnet analysis. When we were sitting together on Sep 17 to discuss topics for my WeissCon presentation, Ralf was the one who realized: “Shit. Stuxnet’s attack technology can be copied easily. That’s what we need to focus on.” Which led immediately to our security advisory, and to a detailed list of recommendations for asset owners, vendors, and security companies eight hours later the same day. (The presentation had then to be done on the flight to Dulles, and I’m happy nobody seemed to recognize…) However, after thirteen years with the company, Ralf decided to leave us by the end of this year for a much more tranquil job. I can’t blame him after all the stress with Stuxnet, working 24-hour shifts, including weekends, with the icing on the cake being to learn that Stuxnet experts live dangerously. Some other old timers in the company say Ralf may come back soon. Anyway, in the meantime we have an open job position and will be seriously looking at resumes from hot shots with a good background in controllers and security.
3. M (a reporter)
I had never thought this could happen: The only person I have met outside of our team who appeared to be really determined about finding out what Stuxnet is all about is a reporter who came a long way and spent a long time interviewing me. Not a vendor representative, CERT guy, politician, crime fighter, technical expert, analyst – a reporter. It changed my view about the media very much for the better. Chances are you’ll read M’s story soon. I don’t know what exactly he is going to tell, but I trust it’ll be terrific.
4. Joe Weiss (Applied Control Systems)
I must admit that in summer, Joe was starting to get on my nerves because he pushed Stuxnet hard – especially as a key topic for his annual conference. However, after all it appeared that Joe’s instinct was right. He focused the control system security community’s attention on the subject when it was just starting to get red hot. This makes it easy to forgive him for letting Siemens get away with a bizarre opening presentation, informing the crowd how wonderfully NERC CIP compliant their energy product (SPPA-T3000) is. I realized only weeks later how closely the presentation was related to the subject. Many others certainly won’t.
5. Dale Peterson (Digital Bond)
On September 16, 2010, we published that Stuxnet was apparently targeting the Iranian nuclear program. Today, this seems so trivial that few analysts and reporters deem it worthwhile to mention that it was our discovery. Mid-September, this was considerably different. When we came out with the Bushehr story, nobody wanted to believe it. Our press releases were simply ignored by all the media which later educated the public on the subject, quoting self-proclaimed experts who had never gotten near a Stuxnet-infected site, or had any idea about what a Siemens controller does. During those early days, Dale was the only person with the guts to support our version of the plot – at a time when others were still fantasizing that Stuxnet could be about intellectual property theft. Dale’s support meant a lot to us.
6. Nicolas Falliere (Symantec)
Nicolas is the guy on Symantec’s team who brought in PLC experience. Without his work, we might never have become motivated to take a closer look at Stuxnet. Since Nicolas appears to live in France, we assume that his major expertise is with Schneider controllers, and that he came across Siemens products only briefly. All the more remarkable is his work. Great job.
7. Michael Assante (NBISE)
It doesn’t take much to like Mike. He’s young, talented, a brilliant presenter, and he has guts. In his testimony before the US Senate in the hearing on Stuxnet’s implications for US critical infrastructure protection, he dared to say: “We’re running out of time”. He also addressed the issue of digital safety systems, which, I predict, will heat up soon in the wake of Stuxnet. Ok, you got to search hard for these topics in his testimony, because Mike being Mike, he said so much more in so little time. However, the topic he spent most of his time on – education – isn’t bad either. With so many experts telling you Stuxnet and its descendants can be stopped by more firewalls, more defense-in-depth, more of everything we had before that made Stuxnet possible, it is good to hear somebody telling that good security starts with people – especially when trying to address threats that hadn’t been thought possible before. Your firewall won’t think out of the box. Your best talent might.
8. Melissa Hathaway (Hathaway Global)
When I met Melissa, she knew little about Stuxnet. Days after we talked, she tells the New York Times that asset owners should prepare for copycat attacks within 90 days. Whew! If only more people were so quick in getting the point. Anybody who ever questioned Melissa’s capabilities just because she is a good-looking woman had better shut up.
9. Mike Peters (FERC)
I met Mike only once, at WeissCon 2010. Mike did a presentation that did not focus on Stuxnet at all. However, most of what he said would help asset owners to prepare against Stuxnet-inspired attacks. One of Mike’s most prominent messages is: Simply assume the threat is there, so work on your vulnerabilities. If somebody found a way to clone Mike, this would be an extremely good starting point for an organized program for critical infrastructure protection in the wake of Stuxnet.
10. Anonymous friends
There are several more people I would like to point out and thank, but I guess, or know positively, that they prefer to remain anonymous.
Happy holidays to all of you.
Ralph Langner