Several people asked me to comment on Confront and Conceal, as there appear to be some more or less obvious technical inaccuracies in the book’s much-quoted Stuxnet chapter. However, exposing those would be nitpicking and misleading. With respect to Confront and Conceal, the question is not what experts in critical infrastructure protection can tell journalism; it’s what we can learn from the latter. The impact of David Sanger’s book is equivalent to an earthquake shaking the supposedly solid ground that the industry used to operate upon.
The bombshell is dropped on page 196: Siemens did the instrumentation and control in Natanz and also acted as the host animal to carry the virus through the air gap.
We had always maintained that the most promising way to cyber-attack a hardened target is to play it indirectly via a contractor (watch, for example, this CBS recording from earlier this year). I had reasoned for some time that designing and configuring the complex I&C which controls and protects thousands of gas centrifuges would be beyond Iran’s domestic capabilities, suggesting the existence of an international contractor which would also be the prime target for a carried-forward cyber attack. While I had thought of some small and low-profile company, it now appears that none other than Siemens helped Iran to get their centrifuges spinning, and to implement an elaborate cascade protection system that prevents the obsolete and unreliable IR-1 from self-destructing (unless compromised by malware).
While this is shocking news in itself, it gets worse when viewed in the context of the public statements of the German industry giant regarding the worm. Back in the summer of 2010, Siemens never hesitated to answer media questions about Stuxnet and Iran by pointing out that they did not have any business in that country, sometimes creating the impression that they might even have a hard time locating the Islamic Republic on a map. Funny enough, journalists didn’t bother to question such an obviously misleading statement. Siemens did business in Iran for as long as 140 years (no typo, no joke). In October 2009, when Operation Olympic Games was in full swing, Siemens’ board decided to discontinue that tradition by July 1st, 2010, just weeks before Stuxnet caught the attention of the anti-virus industry. Later, the company argued that while they would take ICS security seriously, their efforts would be stalled by customers.
So it turns out that Confront and Conceal has an important real-life implication for ICS security and critical infrastructure protection: asset owners/operators who still favor a policy of unverified trust in the cyber security posture of their contractors and vendors, no matter how large or well-reputed they might be, will from now on have to be regarded as negligent. On the plant floor, the biggest cyber security risk is associated with contractors who have legitimate access to a facility’s most sensitive systems. There is absolutely no reason to assume that any specific contractor can be trusted without verification just because they say so, because they enjoy a big market share, or because they pursue a media strategy claiming that they have gotten cyber security straight – quod erat demonstrandum.