Blowback: Stuxnet and the Ongoing Risk to Manufacturing Worldwide

Dear Chevron: Thanks for letting us know you’ve been infected with Stuxnet. It’s difficult to muster sympathy for your management or shareholders, because you were warned. This guy quite clearly warned your industry, as did other firms specializing in technology security.

Every single manufacturer around the world using supervisory control and data acquisition (SCADA) driven equipment in their processes was warned. Businesses at particular risk are those relying on certain ubiquitous applications in a networked environment.

Perhaps you heeded the warning months ago but didn’t disclose widely that your business was working on eliminating the exposures. If your business has been hardening your systems, great. However, the public does have a right to know if your plant located in their backyard might blow up or release toxic chemicals because your firm was exposed to cyber warfare elements our country sponsored in some fashion.

This goes for any other firms out there that are dealing with the same exposure. Perhaps you believe it’s a business intelligence risk to let your competitors know you’ve got a problem; frankly, we’re way past that. The potential risks to the public outweigh your short-term profitability, and if your plant blows up/dumps chemicals/produces unsafe or faulty products because of Stuxnet, our public problem becomes your public relations/long-term shareholder value problem anyhow.

By the way: perhaps it might be worthwhile to actively recruit American citizens who qualify for security clearance when hiring SCADA application analysts to fix your Stuxnet problems. Why compound your problem for lack of foresight with regard to national security risks? We can see you’re hiring. Ahem.

Dear Senate Intelligence Committee: You are in way over your heads when it comes to technology. You need to rethink how you handle anything involving software and the hardware on which it runs as well as any technology attached to a network. That includes phones.

You let this thing loose when you signed off on it–you signed off on a weapon payload that was inherently insecure, or designed deliberately to be insecure, because it relied on delivery applications requiring security and upgrade patches every frigging month, delivered via network in nearly all cases. It’s laughable that you think there was a leak requiring investigation when this insecure cyberweapon of mass destruction was released with your blessing.

What was it you thought you were authorizing? Did you not realize that this bug could spread because it was designed for delivery via an insecure application? Or did you permit an undisclosed quid pro quo to some unidentified entity so that all SCADA-based manufacturing could be affected at will at some point in the future?

There were at least three countries involved in this process, too. Did you rely too heavily on one of the two partners to keep a leash on the other? Have you asked how one of the partners is protecting its own manufacturing environment from exposure? Or did it never occur to you that they are our competitor for manufacturing jobs and have less exposure to this weapon because they don’t rely as much on a private corporation’s inherently buggy applications in their manufacturing? Did it ever occur to you to ask if there were secondary agendas on the part of any participant in the design, development, and distribution of this weapon?

And now that we the public know your little xenomorph has gone rogue and into the wild, when are you going to mitigate the risks of proliferation by ensuring manufacturers as well as SCADA users like utility companies, mass transportation providers, and any site requiring physical maintenance and security controlled by computers are informed of the risks and take action to limit potential failures? Recall Congress’ reaction to the risks from Y2K; Stuxnet and its precursors and variants may pose a far bigger risk than Y2K, worthy of deeper consideration.

Perhaps the Permanent Subcommittee on Investigations should review this mess to prevent future snafus like the Stuxnet debacle. Perhaps if you can’t or won’t tell us, you’ll tell that committee what other monsters you’ve unleashed that might blow back on us all.

Dear Fellow Americans: Welcome to the 21st century, where proliferation is about bits and bytes of information, and not physical fissile materials. Perhaps it’s time for voters to ask whether we have a 21st century government, capable of understanding the risks that technology poses. Or are we really comfortable with elected officials who think of the internet as a series of tubes, don’t understand The Facebook, and wouldn’t understand the concept of futureshock if it came up and bit them on the nose like it did with Stuxnet?

[Note: Video embedded here features preeminent Stuxnet expert Ralph Langner of Langner Communications, “The first deployed cyber weapon in history: Stuxnet’s architecture and implications,” presented at NATO’s International Conference on Cyber Conflict, Tallinn (Estonia), June 2011. The definitive presentation to the SCADA industry from January 2012 can be found at this link; it is not embeddable. The most important portion of the video is in the last third, though the entire video, if rather technical, is worth watching.]

Blogger since 2002, political activist since 2003, geek since birth. Opinions informed by mixed-race, multi-ethnic, cis-female condition, further shaped by kind friends of all persuasions. Sci-tech frenemy, wannabe artist, decent cook, determined author, successful troublemaker. Mother of invention and two excessively smart-assed young adult kids. Attended School of Hard Knocks; Rather Unfortunate Smallish Private Business School in Midwest; Affordable Mid-State Community College w/evening classes. Self-employed at Tiny Consulting Business; previously at Large-ish Chemical Company with HQ in Midwest in multiple marginalizing corporate drone roles, and at Rather Big IT Service Provider as a project manager, preceded by a motley assortment of gigs before the gig economy was a thing. Blogging experience includes a personal blog at the original blogs.salon.com, managing editor for a state-based news site, and a stint at Firedoglake before landing here at emptywheel as technology’s less-virginal-but-still-accursed Cassandra.
29 replies
  1. Rayne says:

    Nice to see you, rosalind and jo6pac. ;-)

    Good gravy but that Langner gets this geek grrl hot under the collar. Unf. I’m really digging the point he makes in the presentation to NATO above, right here:

    [40:13] The big problem that we have, as good and intelligent as it sounds, is proliferation. The proliferation of cyberweapon technology cannot be controlled for one very simple reason. When you think about nuclear weapons, what a proliferant needs is, in a nutshell, the know-how to do it, and then he needs the fissile material. And for counter-proliferation your only chance to do anything, is in respect to the production and the distribution of the fissile material. You can’t do anything about the spreading of know-how. So if you’re an engineer and you do some research you’re going to be able to design, develop, and produce your own nuclear weapon–if you have fissile material. All counter-proliferation is affecting the development, the production, and the distribution of fissile material.

    [41:20] Now let’s look how this looks like in respect to cyber weapons. You also need know-how, but you don’t need fissile material, you only need bits and bytes. And you can’t control the proliferation of bits and bytes. That’s impossible.

    Anybody working with cyberweapons must understand this maxim: Information wants to be free.

    Not free like beer, but free like a puppy. It must move around and it will make a mess, and those who choose cyberweapons must be willing to deal proactively with this fundamental truth.

    EDIT – 7:55pm EST —
    Damn but I frigging love this presentation to NATO in the embedded video as much as I love the SCADA one.
    At 1:04:27 my sweet geek boy Langner says, “…And you can’t secure what you don’t understand.” The previous minute he basically outlines a case for futureshock–even the designers no longer understand the entire system. They only grok their little bit. Clearly, the Senate Intelligence Committee cannot comprehend this.

  2. bmaz says:

    I want to take some lessons from you on how to get a righteous rant on. Cause I been slipping lately, and you got talent girl.

  3. Rayne says:

    @bmaz:

    1) Find something that really fucking pisses you off. Won’t take long. Don’t settle for merely annoying; pick the thing that makes you wish you had access to a programmable personal drone and a lack of morals.

    2) Pour yourself a stiff cocktail, take a few swigs, let the burn get a firm grip on your already burning belly. (My latest poison is some cheap gin I need to excise from my inventory.)

    3) Dump. Make a cloud of pixels fly above your head.

    4) Edit for lucidity but not for politeness.

    5) Hit Publish.

    There you go, my secret methodology for righteous ranting.

  4. bmaz says:

    @Rayne: Shockingly, save for the personal drone, okay and maybe a little editing discretion (I grip and rip baybee) that is pretty much my MO.

    Yeah, I know, who knew….

  5. Frank33 says:

    Recall Congress’ reaction to the risks from Y2K; Stuxnet and its precursors and variants may pose a far bigger risk than Y2K, worthy of deeper consideration.

    Y2K posed no risk. Microsoft computers could not count up to 2000. Laughably hilarious.

    Bill Gates was worried about lawsuits because his defective computer operating systems could not change 1999 to 2000. There was little actual consequence other than hype. Stuxnet operates on the vulnerabilities of their present defective operating systems of Microsoft.

    Microsoft does not fix its vulnerabilities. It exploits them for profit. Taxpayers get to pay for Microsoft’s patented spyware. Any critical systems that use Microsoft, can and will be hacked.

  6. Gitcheegumee says:

    @Rayne:

    How wonderful to see you here again…a latter day tech version righteous rant a la Howard Beale..

    “I am mad as hell and I’m not gonna take it anymore!”

  7. Rayne says:

    @Frank33: You’ll think differently after watching Langner’s videos. As he says, “…this is how the pros do it,” using so-called “design flaws” not vulnerabilities. Zero day exploits are “design flaws.” How is it there are so many holes in this cheese even after several different generations of this operating system?

    Microsoft has become an asset, in the same way that Erik Prince and Blackwater were assets. For all intents and purposes this company was the fifth but silent partner in Operation Olympic Games.

    As for Y2K: nobody really knew pre-2000 what the degree of risk was for Y2K failures, because nobody really thought that far ahead when they wrote code. Developers typically concentrated on solving for X — they didn’t think, ‘solve for X AND don’t cause future problems’ of a kind that might not be predicted in 1988.

    This same focused mindset is in part what allowed Stuxnet to become a global risk. Each cluster of developers concentrated on taking out their portion of the Natanz program. One can easily see any overall umbrella program manager keeping an extremely low profile, forcing each portion of the project to work in a silo so as to preserve plausible deniability. Injection team (specializing in Microsoft OS) probably had very little to do with the PLC team (specializing in Siemens app); only a test bed team may have seen the entire project, and that’s debatable.

    @Gitcheegumee: LOL nice to see you stop by to see me scream out the window into the void!

    —–

    Have been thinking for a year-plus now about the likely solution to Stuxnet for any business using PLCs.

    It’s not debugging Siemens’ SCADA software to patch against this infection. The infection could reoccur at any time, on the fly, as long as the PLC is attached to a network and Microsoft apps are involved.

    * Rip out Siemens PLCs, for starters–and Siemens surely must have had some idea this was a risk, or were they that stupid, too? Is it possible they were compensated for the potential loss of PLC business?

    * Swap out middleware/communications environment and relevant OS up to the PLCs with open source–a business could do that, but this may have some wrinkles of its own in terms of support. If the gov’t is the entity involved and not a private business, you can expect Microsoft to launch a massive FUD program to halt a change away from their proprietary system. Just ask the state of Massachusetts about their experience.

    * Reduce all links between networks and PLCs–this is probably the single easiest measure, but highly dependent on the nature of the business.

    For starters. Don’t get me going about ports on devices.

  8. Bustednuckles says:

    Rayne?!

    Is this the very same Rayne I used to see over at FDL back in the day? If so, Howdy from Busted!

    Either way, excellent post and the first I had heard that Stuxnet came back and bit our side in the ass.

    That’s ugly.

    Not that I have any love for Chevron but if they got zapped I would bet money that thing is running amok in other businesses computer systems too.

    Makes me wonder how it got from Iran’s nuke computers to Chevron, HMMMM?
    That is a very interesting question in my book.

  9. joanneleon says:

    That article about Linux usage throughout the world was really interesting, Rayne. One tidbit in there:

    Linux popularity in the United States
    In the United States, interest appears significantly stronger in Utah and California than the rest of the country. California’s high position is understandable, considering it is the home of Silicon Valley, but we are not sure why the interest for Linux is even higher in Utah. Perhaps some of our readers might shed some light on this?

    Also the popularity of searches for Linux in Cuba was interesting too.

    So what’s going on in Utah? What’s going on in Cuba? :)

    Also, I did not realize that DiFi’s committee signed off on this. Brilliant. How many others are out there?

    I couldn’t help but draw a parallel between the War on Terror and this cyberwar Stuxnet thing. In both cases, where are the biggest threats coming from? Who is creating them? Well it seems to me that we are creating the biggest threats to ourselves by ourselves. We pay to create the threats. We pay to fend off the threats. Who wins? Who loses? The war industry wins. The rest of us lose.

  10. Frank33 says:

    As for Y2K: nobody really knew pre-2000 what the degree of risk was for Y2K failures, because nobody really thought that far ahead when they wrote code.

    I should also say, excellent Post. Who could have anticipated sloppy programming? Certainly not Bill Gates. Not to pick on him exclusively. Any computer can be hacked. Open source or closed source. It appears Microsoft assisted the creation of Stuxnet and Flame and who knows what else. That has made their systems even more hackable.

    Another new vulnerability is being given to us by Bill Gates’ predatory monopoly. Their “UEFI Secure Bootloader” does not allow other operating systems, even older Microsoft versions. And of course the Bill Gates Foundation works to promote neo-con causes, privatized education, Franken foods, and spying on everyone who uses MS Windows.

    Another strange case is a British hacker looking for UFO data. Eric Holder and Lanny Breuer are on a crusade to destroy hacker Gary McKinnon. Ten years ago, he hacked into government systems, many with blank passwords. McKinnon is accused of ONE MILLION DOLLARS worth of damage with his computer games. They should blame Microsoft or the military lack of security. And Holder and Breuer helped give us MERS.

    Now I will watch the hour video.

  11. joanneleon says:

    @Rayne: A lot of people never thought their software would be around until 2000. I started coding for the four-digit year back in the 80s. Some of my colleagues laughed at me for it. Others thought it was a waste of disk space, which was very precious back then. Software doesn’t have a long shelf life, generally. But in the mainframe world, some things hung around for a long, long time; especially after the migration to client-server and the web, a lot of old legacy code on the mainframe was left in place and interfaces between the two were done instead of replacing the mainframe stuff.

  12. shekissesfrogs says:

    Great diary, Rayne! My son, the non-political computer engineer was even interested. That in itself is amazing.

  13. Rayne says:

    @Bustednuckles: Howdy! nice to see you. I think for most Americans it’s not a matter of whether we love/hate a company like Chevron. It’s extremely important for the public to realize firms that deal in volatile chemical products–sensitive for their toxicity or flammability–are being processed in their very backyards using PLC equipment that may be infected.

    For instance, Chevron has a refinery in Richmond CA (see this link). Note how close the tanks are located to water; I’m sure this has enabled transport of either crude inbound or gasoline/chemicals outbound by ocean tanker at the waterfront depot. However, note the proximity of family homes nearby along the water front, particularly along Ocean Avenue. (Wonder how some of these very wealthy folks feel about Stuxnet…wait, you mean nobody in major US media or government told them? Huh.)

    I should point out that Chevron is hiring a SCADA apps analyst in their Bakersfield CA office, recruiting through a headhunter; their post indicates they’ll accept visas/green cards. (Amazing what one can find in Monster.com…) The guy working on PLCs will be hundreds of miles away from refineries in other people’s backyards, so it’s not personal, just business.

    Ugh. I have a rather large chemical company upwind from my home. I hope like hell they’ve been hardening.

    @joanneleon: Utah, like Massachusetts, has been pushing for open source to reduce costs for the state to operate. They have been on the vanguard for 6+ years now. Cuba is a matter of financial need; they cannot afford proprietary prices, have a culture of hacking all manner of goods to make do under US embargo. Further, they may not want to support an American corporation, particularly one that requires regular backdoor access to computers for so-called patches.

    I think it’s critically important for Americans to realize that the ubiquity of certain applications here is not the same overseas. Germany has been a leader for 10+ years in Linux development; they do not have the same saturation of Windows OS in their manufacturing environments. A German entity involved with Operation Olympic Games would have an entirely different attitude toward the OS to PLC interface for this reason alone.

    And yeah, I was thinking about folks like you who did coding back in the day. We didn’t have a lot of extra digits laying around; the earliest desktop computers were little more than faster systems for handling information that could be contained on a punch card or tape, and goodness knows there wasn’t any room for two more digits on those. (Brings back nightmares from one of my earliest high school jobs–sorting punch cards every night that had been keyed with data from drawing changes for a design office at a Fortune 100 automaker. Blecch.)

  14. Rayne says:

    @shekissesfrogs: I’m sure your son understands the implications readily, given his background. Good to see both of you reading this. Will he watch Langner? If so, his feedback here would be interesting.

  15. JohnLopresti says:

    I wonder if Rayne is following CrySysLab at Budapest University, and Kaspersky Lab, re SkyWiper, other advanced persistent trojans.

    Another vantage I might check would be standard anomalies, like Babak’s Quantico circuit of EW blog fame back in the day of the mirror babybell nocs, when Ashcroft Buscho were signing off on FISC circumvention, exigent letters with real time co-located terminals were getting written, and guys with cellphones were putting explosives in duffle bags in Grand central station, Madrid in 2004 (Atocha).

    The last CrySysLab.hu report I perused was spring 2011, at which time there were SkyWiper DLLs that were encrypted and blackbox. That was part of the stux suite. Subsequently there were other exploits possibly to modify those early DLLs which existed in the wild, possibly also carried spy-style to unconnected instrumentation, i.e., no internet port, all proprietary private nets. Flame ostensibly was one of those.

    Condoleezza Rice is delivering the conference final keynote in 4 months at RSA. Maybe someone could ask her, privately, how solid she feels about all the cyberespionage.

    Chevron is part of a cartel, now, legally. Its profit margins vary little, and its books remain robust, even when it has to shut its Richmond facility. The neighbors have a long history of toxic exposures, and most are poor and in impaired health from decades of lacking environmental regulations, though Chevron has a firm history of civic involvement. As a kid I can remember a game we played in the East Bay beginning around Benicia and ending south in Berkeley and Oakland, as that entire 30 miles of Contra Costa coast along the bay was rank with odors of petroleum refining.

    One jocund elderly codewriter I met observed simply about the Y2K CLOCK function, that there was so much overtime paid to programmers of COBOL and FORTRAN who came out of retirement for 18 months around that time, that life on the sinecure looked much brighter afterward. In a way, code always was modular, looping, OOP; but new processor bandwidth has opened the door to legacy problems.

    My sense, too, is that SCADA coding probably is tight in some quarters, but lax in others. Siemens, after all, has a background working as a global telco, and has made big iron for Europe, Africa, and the Middle East for 50+ years.

  16. Rayne says:

    @JohnLopresti: Yeah, I’ve been following Flame and Duqu (which is what you’re really implying when talking about the Hungarians). As CW noted, development timeline for the cyber weapon suite is important to understanding intent.

    I wish we knew more about that bit of code that Sergey Aleynikov was accused of stealing from Goldman Sachs. At some point there will be a juncture where Flame’s seek-monitor-report, Duqu’s seek-inject, and Stuxnet’s seek-modify-deliver capabilities will be combined by malicious elements to conduct asymmetric terror — not necessarily warfare by a nation-state, but perhaps a criminal element acting with either blessing or passive acceptance of a nation-state. Threats to manufacturing, transportation, power generation are bad enough, but a threat to the economy through financial markets? Ugh…the fallout won’t be nuclear, but it wouldn’t be local.

    The unifying field for all three of these known malware–Stuxnet, Duqu, Flame–is Microsoft.

    As for Condi: I wouldn’t ask her the time of day. I’m really not certain what her true gift is besides bullshit. RSA is only using her as a name-draw. It’d be far more beneficial to ask RSA why they aren’t out in front of these malware. Seriously; why am I relying on Langner and Kaspersky rather than RSA when writing about cyber warfare?

  17. Bustednuckles says:

    OK, bear with me, I am the antithesis of a computer geek.
    So what I just read, if I am correct, is that Microsoft is the common platform used for delivery of these cyber attacks, yes?
    All of these attacks are Windows exploits?
    So, say, Using UBUNTU or some other operating system would make them impotent?
    Just a quick clarification, thanks.

  18. Rayne says:

    @Bustednuckles: Each of the three known malware believed or acknowledged to be cyber weapons employs Microsoft tools in creation or flaws for delivery of a payload.

    See the Wikipedia entries for each and note the relevance of Microsoft applications in their development and operation:

    Stuxnet
    Duqu
    Flame

    Ubuntu, Debian, Gentoo, gOS, or another Linux-based open source operating system would be less likely to contain these tools or flaws. Developers around the globe could also see into and make changes to the operating system, something that cannot be done to Microsoft’s closed proprietary software.

    For a good primer/manifesto on the reasons behind open source development, see the mac daddy treatise The Cathedral and the Bazaar by Eric S. Raymond. It’s a very quick and easy read, available online. Once you understand postulates like “Given enough eyeballs, all bugs are shallow,” you’ll understand why open source is far less likely to be attacked by malware.

  19. P J Evans says:

    @Rayne:
    Chevron has oilfields in Kern County, so Bakersfield makes sense. (It’s a bit more central than, say, Taft or McKittrick.)

    Also, I’m not sure how much high-end housing exists in Richmond, but it probably isn’t much. It’s not considered a ‘good’ area. (My sister lives and works on the north end of Richmond. The local mall has Macy’s. Penney’s, Sears, and Walmart.)

  20. Rayne says:

    @P J Evans: Based on the Google Map satellite photos, those waterfront homes are kinda spendy in Richmond. It may stink when the wind blows just so, but waterfront property is always in short supply and high demand.

    Bakersfield appears to be home to their business offices (found using Google Maps), along with a petroleum “loop” from some nearby fields that I imagine are those you reference (again, found on Google Maps). It’d be appropriate to see hiring out of the business office.

    BUT…if a business wanted to ensure their corporation wasn’t at risk of terror/cyber threat from a weapon like Stuxnet, they have one of two options. Hire people that are a lower risk, or have a vested interest in the success through security/safety of operations. So far Chevron appears to be doing neither.

  21. Rayne says:

    @qweryous: YEAH. THAT. Nice job finding that story, a good example of a what-if.

    Let me make it clear that the accident at that particular refinery may have had causes that had absolutely nothing to do with malware.

    BUT…that’s what Stuxnet could do. Just as it was intended to cause invisible and erroneous variability in enrichment equipment, it could be tweaked to do the same in other environs. AND the result would initially look like an accident with potentially numerous causes. A PLC regulating release-and-mix of a chemical agent could appear to go haywire; a replacement PLC might work temporarily, then do the same damned thing. The damage might be big enough to cause immediate evacuation of surrounding area and health problems, or just a little persistent annoyance and possible health problems — not to mention the financial/economic damage inflicted. This example was a billion bucks to the companies, but did this line going out of production and subsequent reporting cause prices in the gasoline market to rise? Have each of us already been paying for a possible malware attack? Will we ever know definitively the cause of this particular leak?

    The public hasn’t been told about how often there are leaks in the petroleum industry, either. The media is part of the problem; I can think of a leak that showed up in monitoring, and no local newspaper reported. Only @SkyTruth noticed it, and they didn’t have the means to access the closest local papers (stupid papers did not have emails for tips, and/or no social media presence–I know, because I looked on behalf of @SkyTruth).

    With the media failing to report all but billion dollar boo-boos well after the fact as in that Reuters story (note the 3-week gap between leak and report), it’s quite likely that a cyberweapon could “detonate” in our own backyards and we’d find out far, far too late.

    Ugh. In hindsight, I think this comment should have been the next in the series on Stuxnet.

    EDIT — 1:24 PM EST —
    Nuts. I gotta’ point out to readers one more key point from qweryous’ linked Reuters’ article.

    The refinery is the product of a joint venture between Royal Dutch Shell and Aramco.

    Aramco is a STATE-OWNED enterprise; it is, for all intents and purposes, the Kingdom of Saudi Arabia.

    Were Stuxnet-like malware to be deployed against refinery operations, this is an issue that one must keep in mind. Attacks on some business operations are intended to target not local populations, not industries, but the nation-state owners.

    Welcome to the asymmetric warfare of the 21st century. We are all collateral damage now.
