(This article was originally published on the Findings From the Field blog.)

Symantec reports that the Stuxnet worm targets PLCs which control high-frequency, frequency-converting power supplies. Such drives are export-controlled in the United States because they can be used as components in gas-centrifuge uranium enrichment processes. Symantec stops short of identifying Iran’s Natanz uranium enrichment facility as the target of the worm, but the information they supply is suggestive of that target. This begs the question: if the objective of the worm was to prevent Iran from developing nuclear weapons, was it wise to give the worm all of the publicity it received?

Variable Frequency Drives and Centrifuges

Frequency-converting power supplies are often used to control variable-speed motors. It seems the worm targets PLCs only if they are configured to control large numbers of power supplies produced by one of two vendors: one in Finland and the other in Iran. The targeted power supplies operate in a range of frequencies above 800 Hz. Symantec also reports that high-quality frequency converter power supplies are controlled exports from the United States because of their value in uranium enrichment activities.

Such power supplies are described by open source literature as components of uranium enriching gas centrifuges. The centrifuges spin uranium gas very quickly, creating a strong centrifugal force. This slowly separates the slightly lighter and much less common U235 isotopes from the more common U238 isotopes. Somewhat enriched uranium is used as reactor fuel for certain kinds of reactors. Highly enriched uranium is preferred if the goal is nuclear weapons. Variable frequency power supplies reduce the energy consumption of the centrifuges and provide a convenient way to control the speed of the centrifuges.

The PLC logic in the worm apparently sends messages to change the frequency of the power supplies, between once per month and once every three months. The logic sometimes runs the power supplies at a higher frequency than their setpoints, and sometimes issues commands to very suddenly slow them down and then speed them up again. The available literature suggests that if the manipulated power supplies are powering centrifuges, then one or both of the following may occur:
If this is accurate, then in either case the centrifuges are effectively sabotaged. Either the enrichment process was frustrated, or the centrifuges themselves were damaged, or both.

Responsible Disclosure

If the objective of the Stuxnet worm was sabotage of a uranium enrichment facility, then the worm is an example of cyber warfare. Cyber warfare complicates the already contentious debate regarding “responsible disclosure.” The debate usually contrasts two points regarding “the public’s rights.”
But the debate often falls into acrimony as:
At industrial sites, there is an added complication of patch programs. Many sites have no effective patch programs for their conventional computers, and they find that patching firmware in low-level equipment is extremely costly to do safely. These sites argue that disclosure of vulnerabilities, even after a patch is available, puts them at risk because they are not able to apply the patches for months or years.

Cyber warfare brings a whole new problem in the responsible disclosure debate. Publication of the details of worms and viruses which are designed to achieve military objectives may impede those objectives. Such publication may alert targets to the tactics being used against them and provide those targets with the information they need to disable the attacks.

Whether or not the public benefits from publishing the details of worms involved in cyber warfare depends on who the malware is targeting. Any nation which is the target of malware has an interest in analyzing and understanding that malware very quickly. That nation needs to quickly disseminate information about the attack to the targets of the attack. On the other hand, a nation may be best served if information about attacks against that nation’s enemies is suppressed.

The problem is, having discovered a piece of malware in the wild, how do anti-virus vendors, researchers and others tell who the target is? The authors of such weapons seem unlikely to want to disclose targets and objectives to people who discover and investigate the weapon.

Looking Forward

The Stuxnet worm appears to be very carefully targeted. As a result, the worm worked undetected for at least six months. If the target of the Stuxnet worm was really Iran’s uranium enrichment facility, then the worm represents the first very public example of cyber warfare in progress today. This begs many questions:
This last question is especially concerning – future attackers may not be as discriminating as the authors of the Stuxnet worm. Not all terror groups or even nations follow the rules of war, with prohibitions against targeting civilian populations and the infrastructures critical to such populations.

Very few industrial sites in the developed world are currently secured well enough to withstand attack by a weapon comparable to the Stuxnet worm. Additional protections are urgently needed at most sites. To justify the costs of such security measures, most sites need information. The information which has been released about the Stuxnet weapon over the last four months is helping industrial sites make a business case for spending money on sophisticated protections. But releasing information can have huge costs if that information compromises military objectives.

When someone finds the next weapon targeting an industrial process, what should they do with it? Publicly pick it apart and release the information about who is being targeted and how? Or hand it over to one or more organizations like the ICS-CERT and let them figure it out?
2010-11-15
Disclosure in an Era of Cyber Warfare