Disclosure in an Era of Cyber Warfare

(This article was originally published on the Findings From the Field blog.)

Symantec reports that the Stuxnet worm targets PLCs which control high-frequency, frequency-converting power supplies. Such drives are export-controlled in the United States because they can be used as components in gas-centrifuge uranium enrichment processes. Symantec stops short of identifying Iran’s Natanz uranium enrichment facility as the target of the worm, but the information they supply is suggestive of that target. This raises the question: if the objective of the worm was to prevent Iran from developing nuclear weapons, was it wise to give the worm all of the publicity it received?

Variable Frequency Drives and Centrifuges

Frequency-converting power supplies are often used to control variable-speed motors. It seems the worm targets PLCs only if they are configured to control large numbers of power supplies produced by one of two vendors: one in Finland and the other in Iran. The targeted power supplies operate in a range of frequencies above 800 Hz. Symantec also reports that high-quality frequency converter power supplies are controlled exports from the United States because of their value in uranium enrichment activities.

Such power supplies are described by open source literature as components of uranium enriching gas centrifuges. The centrifuges spin uranium gas very quickly, creating a strong centrifugal force. This slowly separates the slightly lighter and much less common U235 isotopes from the more common U238 isotopes. Somewhat enriched uranium is used as reactor fuel for certain kinds of reactors. Highly enriched uranium is preferred if the goal is nuclear weapons. Variable frequency power supplies reduce the energy consumption of the centrifuges and provide a convenient way to control the speed of the centrifuges.

The PLC logic in the worm apparently sends messages to change the frequency of the power supplies, between once per month and once every three months. The logic sometimes runs the power supplies at a higher frequency than their setpoints, and sometimes issues commands to very suddenly slow them down and then speed them up again. The available literature suggests that if the manipulated power supplies are powering centrifuges, then one or both of the following may occur:

  • When the frequency suddenly slows and speeds up again, the centrifuges may also slow and then speed up again suddenly. This could cause the high-speed mechanisms to vibrate or suffer physical damage. This also very likely re-mixes the gas in the centrifuge, interfering with the delicate process of separating high-value from low-value uranium isotopes.
  • The attempt to change speed suddenly may induce currents or other electric effects large enough to damage the centrifuge motors or the power supplies themselves.

If this is accurate, then in either case the centrifuges are effectively sabotaged. Either the enrichment process was frustrated, or the centrifuges themselves were damaged, or both.
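A defender can watch for both behaviors described above by comparing each drive's reported output frequency with the operator-approved setpoint. The Python below is an added example, not part of the original article or of Symantec's analysis; the telemetry, field names, 2% overspeed tolerance and 20 Hz/s ramp limit are constructed assumptions.

```python
from dataclasses import dataclass

OVERSPEED_TOL = 0.02   # assumed tolerance: output more than 2% above setpoint
MAX_RAMP_HZ_S = 20.0   # assumed maximum legitimate ramp rate for this process

@dataclass
class Sample:
    t: int              # seconds since start of capture
    setpoint_hz: float  # operator-approved setpoint (e.g. from the historian)
    output_hz: float    # output frequency reported by the drive

def classify(prev, cur):
    """Return the set of anomaly labels for one sample."""
    labels = set()
    if cur.output_hz > cur.setpoint_hz * (1 + OVERSPEED_TOL):
        labels.add("overspeed")
    # A ramp is only suspicious when no operator setpoint change explains it.
    if prev is not None and cur.setpoint_hz == prev.setpoint_hz:
        rate = (cur.output_hz - prev.output_hz) / (cur.t - prev.t)
        if abs(rate) > MAX_RAMP_HZ_S:
            labels.add("abrupt_drop" if rate < 0 else "abrupt_rise")
    return labels

def find_events(samples):
    """Merge consecutive anomalous samples into (start_t, end_t, labels) events."""
    events, prev, current = [], None, None
    for s in samples:
        labels = classify(prev, s)
        if labels:
            if current is None:
                current = [s.t, s.t, set()]
            current[1] = s.t
            current[2] |= labels
        elif current is not None:
            events.append((current[0], current[1], sorted(current[2])))
            current = None
        prev = s
    if current is not None:
        events.append((current[0], current[1], sorted(current[2])))
    return events

# Constructed telemetry, 10 s between samples: (t, setpoint_hz, output_hz)
TELEMETRY = [Sample(*row) for row in [
    (0, 1000, 1000), (10, 1000, 1001), (20, 1000, 1100), (30, 1000, 1100),  # runs above setpoint
    (40, 1000, 1000), (50, 1000, 1000),
    (60, 1000, 50), (70, 1000, 1000), (80, 1000, 1000),  # sudden slow-down, then speed-up
    (90, 900, 900), (100, 900, 900),  # operator-initiated setpoint change: not flagged
]]
if __name__ == "__main__":
    print(find_events(TELEMETRY))
```

Because the article puts the manipulation at once per month to once every three months, a check like this has to run continuously over long retention windows rather than during occasional spot audits.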

Responsible Disclosure

If the objective of the Stuxnet worm was sabotage of a uranium enrichment facility, then the worm is an example of cyber warfare. Cyber warfare complicates the already contentious debate regarding “responsible disclosure.” The debate usually contrasts two points regarding “the public’s rights.”

  • The public has a right to know about vulnerabilities promptly, so that they know they are at risk, how attackers can get to them and what they need to do to protect themselves.
  • Malware toolkits mean that black hats can take advantage of newly announced vulnerabilities faster than patches/updates can be created to eliminate those vulnerabilities, so the public is best served by keeping silent about vulnerabilities until patches are available.

But the debate often falls into acrimony as:

  • Software vendors are accused of taking no steps to fix their software unless threatened with the poor publicity that accompanies disclosure of their vulnerabilities,
  • Security researchers are accused of caring only about “credit” for their discoveries resulting in publicity for their own security services businesses,
  • Security product vendors are accused of using publicity about vulnerabilities to increase Fear, Uncertainty and Doubt and so increase their product sales, and
  • The media is accused of caring only for the next headline and circulation statistics for their own publications.

At industrial sites, there is an added complication of patch programs. Many sites have no effective patch programs for their conventional computers, and they find that patching firmware in low-level equipment is extremely costly to do safely. These sites argue that disclosure of vulnerabilities, even after a patch is available, puts them at risk because they are not able to apply the patches for months or years.

Cyber warfare brings a whole new problem in the responsible disclosure debate. Publication of the details of worms and viruses which are designed to achieve military objectives may impede those objectives. Such publication may alert targets to the tactics being used against them and provide those targets with the information they need to disable the attacks.

Whether or not the public benefits from publishing the details of worms involved in cyber warfare depends on who the malware is targeting. Any nation which is the target of malware has an interest in analyzing and understanding that malware very quickly. That nation needs to quickly disseminate information about the attack to the targets of the attack. On the other hand, a nation may be best served if information about attacks against that nation’s enemies is suppressed.

The problem is, having discovered a piece of malware in the wild, how do anti-virus vendors, researchers and others tell who the target is? The authors of such weapons seem unlikely to want to disclose targets and objectives to people who discover and investigate the weapon.

Looking Forward

The Stuxnet worm appears to be very carefully targeted. As a result, the worm worked undetected for at least six months. If the target of the Stuxnet worm was really Iran’s uranium enrichment facility, then the worm represents the first very public example of cyber warfare in progress today. This raises many questions:

  • How many other very targeted attacks against military/industrial sites are under way right now, undetected?
  • Which sites are being targeted?
  • Will future attacks continue to be as carefully targeted?

This last question is especially concerning – future attackers may not be as discriminating as the authors of the Stuxnet worm. Not all terror groups or even nations follow the rules of war, with prohibitions against targeting civilian populations and the infrastructures critical to such populations. Very few industrial sites in the developed world are currently secured well enough to withstand attack by a weapon comparable to the Stuxnet worm. Additional protections are urgently needed at most sites.

To justify the costs of such security measures, most sites need information. The information which has been released about the Stuxnet weapon over the last four months is helping industrial sites make a business case for spending money on sophisticated protections. But releasing information can have huge costs if that information compromises military objectives.

When someone finds the next weapon targeting an industrial process, what should they do with it? Publicly pick it apart and release the information about who is being targeted and how? Or hand it over to one or more organizations like the ICS-CERT and let them figure it out?
