Archive for October 8, 2010

Security and Defense: Nuclear worming

October 8, 2010



Is Israel behind the latest Stuxnet cyber-attack on Iran?

In April 2007, Estonia came under attack. Not by terrorists, fighter planes or tanks, but by computers.

Deemed one of the more computer-savvy countries in the European Union, Estonia’s government computer systems were nonetheless hacked into and came under siege.

The government pointed an accusatory finger at the Kremlin, which had been angered by the removal of a Soviet World War II memorial from the center of Tallinn, the capital. The attacks paralyzed, albeit for a short time, government ministries, banks and media.

The significance of the cyber-attack was that it triggered an international response and prompted the Western world to begin confronting the new challenge of cyber-warfare.

In June of that year, NATO defense ministers convened at the alliance’s headquarters in Brussels and promised immediate action, which led to the establishment a year later of the NATO Cooperative Cyber Defense Center of Excellence in Estonia with the goal of designing defense systems for NATO’s network and member countries.

In 2009, the US activated the Cyber Command to defend it from cyber attacks, which it has come under over the years, allegedly from China.

Israel has also invested heavily in the cyber field in recent years. After the Americans made the decision to establish a special Cyber Command, Israel began to consider its own move and at one point even deliberated the possibility of establishing an entire new command within the General Staff also to be named the cyber command.

Deputy Chief of General Staff Maj.-Gen. Benny Gantz was asked by his boss Lt.-Gen. Gabi Ashkenazi to evaluate the issue and make recommendations.

After a short study of the issue, Gantz decided not to establish a new command and to divide responsibility between Military Intelligence and the C4I Directorate, responsible for communications.

Military Intelligence Unit 8200, the equivalent of the US National Security Agency, already responsible for signal intelligence, eavesdropping on the enemy and code decryption, was entrusted with offensive cyber capabilities. Defense was left with the C4I Directorate.

To ensure that the two branches continued to cooperate and work together, the IDF decided in mid 2009 to assign a Military Intelligence lieutenant colonel to Matzov, the unit in the C4I Directorate that is responsible for protecting IDF networks.

Matzov is also responsible for writing the codes that encrypt IDF, Shin Bet (Israel Security Agency) and Mossad networks as well as mainframes in national corporations, such as the Israel Electrical Corp., Mekorot – the national water company – and Bezeq.

The officer’s job is to receive the information from Military Intelligence on enemy capabilities and coordinate with the C4I Directorate to make changes to IDF computer defenses if needed. In addition, C4I has established a special team of computer experts which tries to breach IDF firewalls and encryptions as if it were the enemy.

“The threat is always growing and we always need to be one step ahead,” a senior C4I officer explained a few months ago. “There are attempts all the time to try and hack into our networks, and we are aware of our enemies’ capabilities.”

In December, Maj.-Gen. Amos Yadlin, the outgoing head of MI, warned of the growing cyber-warfare threat. He compared the evolving world of cyber-warfare to the entrance of air power into militaries and the effect that had on the battlefield.

Cyber-warfare, he said, fit in well to the IDF’s defense doctrine, both offensively and defensively. He said that while it was difficult to know what role cyber-warfare would play in the future, it gave small countries abilities that used to be only in the hands of superpowers.

“This is something that is completely blue and white, and we do not need to rely on foreign assistance or technology,” Yadlin said. “It is a field that is very well known to young Israelis, in a country that was crowned a ‘start-up nation.’”

Yadlin’s comments resonated widely due to who said them. In 1981, he was one of the fighter pilots who bombed the Osirak reactor Saddam Hussein was building in Iraq. His comparison between cyber-warfare and air power was therefore not taken lightly.

Israel’s expertise in cyber-warfare comes mostly from defense industries which are built on graduates of some of the IDF’s elite technological units where they learn to develop cutting-edge technology.

In addition to the C4I Directorate, the Shin Bet in 2002 was put in charge of securing governmental systems and national infrastructure such as the power grid and water systems. It also advises banks on how to protect their data.

ON THE offensive level, not much is known about what Israel can do. Media reports have widely speculated that it is behind the Stuxnet virus that has attacked Iran and is possibly behind the delay in activating the Bushehr nuclear reactor. Some cyber experts have claimed that Stuxnet, which specifically targets systems made by Germany’s Siemens company, is one of the most sophisticated worms in existence with an ability to reprogram control systems.

Either way, Israel is believed to have used cyber tactics against enemies. In September 2007, when it bombed a Syrian reactor, a report in The New York Times claimed that cyber tactics and electronic warfare were used to shut down its air defense command-and-control systems. It is also believed to have used cyber-warfare against Iran, possibly to sabotage equipment intended for installation in nuclear facilities.

But Israel has also been the victim of cyber tactics and electronic warfare. During the Second Lebanon War, Hizbullah reportedly succeeded in hacking into Israeli communications systems and eavesdropping on what were supposed to be classified transmissions.

During Operation Cast Lead in the Gaza Strip last year, pro-Palestinian groups reportedly succeeded in attacking the Amos 3 communications satellite and manipulating network television broadcasts.

While neither of these instances caused serious damage, they are partially what has prompted the bolstering of defenses. In recent years, the IDF has become more and more dependent on network warfare.

The Ground Forces Command’s Tzayad Digital Army Program is one example. Developed by Elbit Systems, the Tzayad – recently installed in several IDF units – connects all land assets together by enabling every tank to see where the artillery and infantry units are located and vice versa.

This enables any one of the assets to identify a target, put a dot on its location on a digital map and then everyone else on the network can see it. If an enemy succeeds in breaking into the network and seeing the same map, or alternatively manages to shut it down, Israel will have lost its qualitative edge in that specific battle.

What does Stuxnet tell us about the future of cyber-warfare?

October 8, 2010

What does Stuxnet tell us about the future of cyber-warfare? | Stephen M. Walt.

Posted By Stephen M. Walt

Some readers may recall that I’ve been a skeptic about the whole “cyber-war” business, and suggested that it was an ideal policy arena in which to expect threat-inflation. To be clear, I did not argue that there was absolutely nothing to it, or even that we could afford to ignore the problem, but there’s no question that I’ve been less than fully persuaded by a lot of the hype.

It is therefore a fair question to ask whether the whole Stuxnet affair has altered my views on this matter. (For those of you just returning from a month wandering in the desert, I refer to the computer worm whose origins remain obscure but which has apparently affected a number of industrial control computers in Iran, presumably with the intent of disrupting their nuclear enrichment efforts).

So has the Stuxnet worm convinced me that the cyber-war/cyber-terror threat ought to be taken more seriously?

Yes and no.

On the one hand, this incident has provided a vivid demonstration of the potential impact that various cyber-weapons could have, and so it has led me to revise my concerns about the problem upward. But as noted above, I never said it should be ignored; only that we had to be careful not to over-hype it.

On the other hand, I think this incident also demonstrates why this whole problem is still so hard to evaluate, and why we really need greater information and assessment before we’ll know if we are over- or under-reacting. Although some people undoubtedly know who made the Stuxnet worm and how it got into Iran’s industrial control systems, it hasn’t been made public thus far. Indeed, private computer security experts are reportedly miffed that the U.S. government isn’t providing them with everything it may know about the Stuxnet problem. So it’s hard for us laypersons to judge just how broad or serious such a threat might be, or how easy it would be for others to do something like this to us. The apparent success of the Stuxnet attack may not tell us very much about the vulnerability of other systems (including military systems), especially when they are equipped with more sophisticated defenses.

The reports I’ve seen also suggest that the worm was almost certainly the product of a sophisticated programming team, and most analysts seem to think that a wealthy and/or advanced country had to be behind it. If so, then one might be justified in concluding that cyber-war in the future will be a lot like conventional war in the past: the richest and most advanced countries will be better at it, simply because they can devote more resources to the problem. Even if Stuxnet suggests that cyber-war has more potential than people like me had previously believed, it doesn’t herald some sort of revolutionary shift in the global balance of power, in which a handful of clever computer-wielding Davids suddenly strike down various lumbering, computer-dependent Goliaths.

In any case, the one thing I haven’t changed is my desire to see this problem analyzed in a more systematic and public fashion, and by a panel of experts with no particular professional or economic stake in the outcome. Ironically, in the aftermath of the Stuxnet attack, I’d like to see that even more.

‘You guys made the cyber world look like the north German plain’ – The Tech

October 8, 2010


The Stuxnet attack casts a spotlight on the dystopic future of warfare
STAFF COLUMNIST
October 8, 2010

The pundits have called it a superweapon, a guided missile, and the herald of a new age in warfare. It’s a computer worm called Stuxnet… and they’re right.

The exact details of Stuxnet are sketchy. No one is sure of when it was created; its current form was discovered in mid-July by a Belarussian security firm, but an earlier, less sophisticated version of the worm was detected by Symantec over fifteen months ago.

No one is sure what it was intended to do. At first, researchers guessed it was intended for espionage — later the hypothesis changed to one of sabotage, but sabotage of what? Stuxnet was designed to infect off-grid industrial control systems designed by Siemens, check if the system matched its intended target, and then manipulate the control logic of the system, causing an accident. Most Stuxnet infections have been found in Iran, making the likely target the uranium enrichment facility in Natanz — unconfirmed reports on Wikileaks of a nuclear accident at the facility, combined with a drop in the facility’s output, make this scenario plausible.

No one is sure who designed it. Given the level of sophistication in the attack — the Stuxnet worm has four zero-day exploits, two stolen security keys, and a host of sophisticated methods — it must have been created by a nation-state. Presumably, if its target was indeed Iranian nuclear facilities, the perpetrator was an enemy of Iran; the usual suspects include the United States, the United Kingdom, and Israel.

Stuxnet is, in a sense, the first of its kind. Its sophistication bordering on overkill, its penetration of off-grid nuclear control systems, and its highly engineered precision have left security experts ooo-ing and aaah-ing while industrial control engineers scramble to patch their systems before less finicky versions of the worm are engineered by copycats to wreak havoc on civilization.

In another sense, Stuxnet is far from the first of its kind. In just the past few years, cyber attacks have been used to steal secrets from the Pentagon, wage war against Syria, Estonia, and Georgia, and cause billions of dollars in damages to U.S. systems. Even today, Chinese computers continue to wage an unrestrained cybernetic war against Google. “Operation Aurora” has caused the company to pull out of China entirely and seek protection from the National Security Administration.

Ultimately, to split hairs over Stuxnet’s purpose, capabilities, provenance, or novelty, is to miss the forest for the trees. It doesn’t matter when it arrived; cyberwar is here, and it’s nasty.

Advances in weaponry are often highly disruptive — in part because the tactics of war lag the pace of technological development (recall the tragically belated disappearance of massed frontal assaults after the arrival of the machine gun) — and in part because political leaders, uncertain of the significance of new technologies, miscalculate the strength of nations and in doing so invite war (just ask 1940 France of the significance of motorized infantry). For this reason alone, cyberwar deserves a prominent place in American defense thinking.

However, the advent of cyberwar carries with it more than just the traditional risks associated with new weapons technology. Firearms, artillery, aircraft… each caused a minor revolution, but none overturned a fundamental feature of war that has existed for millennia: to wage a conflict that goes above the nuisance level, you must reveal your identity to your opponent — you can’t roll tanks through the Ardennes without someone noticing their origin and intentions.

As a species, we have learned, in a limited way, to manage the problem of security in an anarchic environment. Place twenty strangers with knives in a room, and international relations theorists can offer a dozen ways to keep the peace: collective security, balancing alliances, deterrence, appeasement, etc. Place twenty strangers with knives in a room and turn off the lights, and the only way to guarantee security might be to stab nineteen people.

We have faced the specter of anonymous, yet destructive attacks before. When China developed nuclear weapons, we worried that tomorrow might find us staring at the cinders of New York City, the victim of a smuggled nuclear device, unable to determine whether responsibility lay with Beijing or Moscow. How can you deter an enemy you cannot identify?

Today, the fear of nuclear terrorism remains very real. We lack both the border control to prevent an attack and the forensics to identify the aggressor after the fact. Thus far, we have, owing a great deal to luck, avoided calamity. Nuclear weapons are not impossible to obtain, and most moderately-sized economies can acquire them within a decade of effort — South Africa did it in nine years during the 1970’s — however they continue to remain largely out of reach for rogue states and subnational groups. The resulting paucity of nuclear states reduces the probability of attack, not just because there are fewer decision makers with the potential to take such an action, but also because when an aggrieved state looks for someone to retaliate against, the list is likely to be small, and include the guilty party.

We have also benefited, somewhat perversely, from the inherent nihilism of the act itself. The use of nuclear weapons, in any form, has become a major political taboo. There are psychological barriers that place the atomic bomb on a separate shelf from other options — it’s acceptable for the Soviets to funnel arms to North Vietnamese terrorists, it’s unacceptable for us to hand a nuclear weapon to Afghan Mujahideen and watch Volgograd get leveled.

More significantly, it is hard to circumscribe the damage that nuclear weapons do, and as a result, it is hard to achieve practical aims. Unless the goal is to generally weaken an opponent, nuclear terrorism doesn’t seem like a compelling tactic.

Unfortunately, none of these natural limiters on nuclear terrorism apply to cyberwar. There are no proliferation controls — everyone, every state, every subnational entity, every script-kiddie with a PC and a dream has access to the technology and the resources to conduct an attack. There are no taboos in place — cyber attacks occur across such a subtle spectrum of intensity that there is no clear cordon to be drawn around tolerable and unforgivable activities. And while nuclear weapons are good for little else but mass destruction, cyberwarfare can have highly specific targets, and meet a broader range of goals than sheer brutality.

It is easy to overstate the potential impact of cyber attacks. A good example is Richard Clarke’s (a former member of the National Security Council) recent novelization of Live Free or Die Hard, creatively named Cyber War. Despite including many pages of sound analysis, Mr. Clarke chooses to spend some chapters indulging in massive hyperbole — his imagined doomsday, where China or Russia destroys the entirety of the U.S.’s financial system, infrastructure, and military networks simultaneously in some sort of “digital Pearl Harbor” is not just technically unlikely, but defies any rationalization of the motives behind such an assault.

However, even if the apocalyptic fiction of cyberwar never comes to pass, the reality is not much prettier. We face a low level, continuous, constantly intensifying, constantly escalating war. The dynamics of this conflict are such that we have no obvious means of reining it in, no game theoretic approach that offers a road to peace.

The U.S. is poorly positioned to engage in cyberwar — our technologically based economy, network-centric combat tactics, and reluctance to encroach upon the freedom of our citizens make us especially vulnerable in the face of cyber threats. Despite all this, we remain at square one: we are just now beginning to get our heads around the problem, just beginning to answer fundamental questions of doctrine, tactics, and diplomacy.

Sixteen months ago, President Obama announced a new cyber security initiative. At the time it was greeted as a significant shift. Today, it is looking more like President Bush’s similar 2003 initiative — plenty of flash, but no follow-through.

This time however, the clock has run out. We can no longer kick the can down the road and leave the next administration to formulate our defense. Between the economy, Afghanistan, and the rest of the nation’s pressing issues, President Obama has a full load on his plate. But as tough as it is, he must make room for cyber security.

Cyberattack Becomes More Sophisticated | AVIATION WEEK

October 8, 2010


By David A. Fulghum
Washington

Talk over the last several years concerning Iran, Israel, the U.S.—and whether Tehran’s nuclear program might be bombed—may have been a canard or a purposeful bit of misdirection.

In fact, the real attack—using cyberweapons instead of bombs—may have been underway during the last year, given the admission of Iranian officials that many of their automated industrial processes—such as those that control nuclear materials and processing—have fallen victim to a cyberworm. But the question of authorship of the attack—despite immediate claims from Iranian officials that it was Israel—is unresolved. It may have been an accident, the action of a surrogate or a cyber-“hired gun,” or a warning of what cyberweaponry can do to the unprepared.

“When people create cybertools, the unintentional distribution of some of those tools can cause the most problems,” says U.S. Army Gen. Keith Alexander, the chief of U.S. Cyber Command. “We have to cover the spectrum [of threats because] most modern nations have [cyberskills] that are near to us and in some areas may exceed our capabilities.

“We’re going to see that one country may be best at developing worms or viruses,” he says. “Another may be the best at building stealthy exploitation tools. A third may be the best at designing tools that can attack specific systems that are in their national interest.” An example of the last might be the U.S. or Israel taking down computers employed in the Iranian nuclear program.

Mahmud Liai, an official of Iran’s industries and mines ministry, says 30,000 computers have been invaded and the attack is considered part of an electronic war against his country. It is widely known that Iran’s nuclear program has been running into technical problems.

For years, an important question has been “whether Israel will one day try to stop the [Iranian nuclear weapon] project by its own means,” Maj. Gen. (ret.) Giora Eiland, former head of Israel’s National Security Council, tells Aviation Week. “Can we do it? That depends. Can you count on tacit cooperation of others in the region [and America]. What is the physical damage you will cause? The most important question is how much delay in the program do you cause—a few months or years? Months are useless, decades may do.”

Perhaps the decision was already made and acted upon by the U.S., Israel or a third party. Regardless of who inserted the worm, advanced cyberattacks should have been expected. Warnings have been voiced during the last several years. Among those who have suffered increasingly sophisticated cyberattacks are Estonia, Georgia and Syria. Now it appears that Iran and other countries in the region have been made members of that increasingly less-exclusive club of the cyberexploited.

The attack was successful enough to shut down some of Iran’s digitally controlled industrial capabilities, including systems in its nuclear power plant, confirms a senior U.S. defense official. Perhaps reflecting security compartmentalization, “the question is still open about who created the worm and who is infected,” he says. The official says about 60% of the infected sites are in Iran.

“The worm is spread via USB, and it targets administrative access vulnerabilities to locate Siemens-built supervisory and control data acquisition [Scada] management programs that remotely observe and manage large systems,” the official says. “It appears to be able to take control of the automated factory control systems it infects and do whatever it was programmed to do.”

Iranian agencies that run defense facilities say they are trying to undo the potential damage of the Stuxnet worm, which is a self-replicating set of algorithms.

The U.S. has been studying and testing associated capabilities. In the “Aurora Test” conducted by Idaho National Laboratory in early 2007, a 21-line package of software code sent from 100 mi. away caused a $1-million commercial electrical generator to generate self-destructive vibrations by rapidly recycling its circuit breakers.

It introduced destructive instructions into a closed computer network that “caused the generator to blow up,” said Rep. Jim Langevin (D-R.I.) during testimony by military officials at a House Armed Services subcommittee hearing Sept. 23. Aurora indicates that this kind of physically destructive cyberweapon “is not just sitting around on a shelf somewhere.”

In another example, Israel shut down Syria’s integrated air defenses in late 2007 with cyberattack and electronic warfare long enough to bomb and destroy a nuclear processing plant.

Moreover, many nations that do not have the international and industrial power of Russia, China, South Korea, Japan, Germany, the U.S., U.K. and Israel have matched and in some cases surpassed the larger nations’ cyberexpertise in key specialty areas.

“In cyberspace it’s not the size of the country as much as it is the [skills of the people] creating the software,” Alexander says. “There are a number of countries that are near-peers to us in cyberspace, and that is a concern. Others have an asymmetric capability and advantage [in specific areas].”

A key goal of professional cyberwarriors is to penetrate networks that are protected or isolated from other networks. Of particular interest are Scada networks that run factories, refineries, pipelines, utilities and nuclear facilities.

It is no secret that the U.S. also wants to put such weapons on aircraft for airborne electronic attack.

One such device seen by Aviation Week is a software framework for locating digital weaknesses. It combines cybersleuthing, technology analysis and tracking of information flow. It then suggests to the operator how best to mount an attack, and it later reports on the success of the effort. The heart of the attack device is its ability to tap into satellite communications, voice-over-Internet protocol and Scada proprietary networks—virtually any wireless network.

“If you think about the explosion of capability in commercial electronics, it’s obvious that for not too much money, anybody can set up a fairly robust WiFi capability and just ride the backbone of the Internet,” says a U.S.-based network-attack researcher. Stuxnet seems to differ from this concept in that it apparently works autonomously, without direction, and relentlessly searches for predetermined targets.

In the unclassified arena, there are algorithms such as Mad WiFi, Air Crack and Beach. Industry teams have their own toolbox of proprietary, cyberexploitation algorithms. But the unclassified tools give a sense of what can be done. In fact, they resemble some of the characteristics attributed to Stuxnet.

Air Crack, for example, is used to decipher the encryption key for a wireless network. Some are quick but require injecting a lot of data into the network, which makes the attack noisy and easy to trace. Others are passive and slow. It takes days or even months, but no one is aware of the intrusion—as for months was the case with Stuxnet.

Cryptoattack uses sophisticated techniques to attack passwords. It runs fast and gives good results but the operators have to take an active role, capture different types of data and send the right information to get a proper response.

A deauthorization capability can kick all the nodes off a network temporarily so that the attack system can watch them reconnect, which provides information for quickly penetrating the system.


FT.com / Caught between bombing Iran and an Iranian bomb

October 8, 2010

FT.com / Columnists / Philip Stephens – Caught between bombing Iran and an Iranian bomb.

By Philip Stephens

Published: October 7 2010 23:20 | Last updated: October 7 2010 23:20


John McCain framed the dilemma during the 2008 US presidential election campaign. The only thing worse than war with Iran, the senator postulated, would be a nuclear-armed Iran. Barack Obama took another view and went on to win the White House. He may yet find it impossible to sidestep the choice posed by his opponent.

Some things have moved in the right direction during the intervening couple of years. The uprising on the streets that greeted Iranian president Mahmoud Ahmadi-Nejad’s fraudulent re-election showed his regime to be more vulnerable than many had imagined.

The United Nations has imposed tighter sanctions in response to Iran’s nuclear programme. Taken with unilateral measures introduced by the US and European Union, the sanctions are making themselves felt. The Iranian economy is looking ever more rocky. After this latest of six UN Security Council resolutions, Iran has agreed to return to negotiations.

With Mr Obama holding out a plausible offer to normalise relations with Tehran, Russia and, to a lesser degree, China have begun to share some of the west’s exasperation. Moscow has cancelled an agreement to sell Iran sophisticated air defence systems. Tehran’s enrichment programme has meanwhile lagged behind earlier expectations.

The hope is that Mr McCain’s binary choice can be avoided. Through a combination of sticks and carrots, Iran might be persuaded to trade its nuclear ambitions for a return to the community of nations. The chances still seem slim. The best a high-ranking US official will offer is that a deal is “not impossible”.

I caught this mood during two days of discussions between a diverse group of mostly European and American experts assembled in Berlin at the invitation of the Aspen European Strategy Forum.

The message I took from the policymakers, diplomats, intelligence types and physicists was depressing in almost every dimension. Iran wants the bomb; and nothing that the west has done thus far is likely to persuade it otherwise.

The experts were far from agreed on how best to respond. Some backed military force ranging from naval blockades to the bombing of nuclear sites; others put more faith in diplomacy; others still thought it was time to think ahead to containment and deterrence. What struck me, though, was that hawks and doves alike mostly shared the same view of where we are.

Iran is developing a nuclear weapons capability. It remains open as to whether it has taken a strategic decision to build one or, more likely, several weapons. It might yet be content to become a so-called threshold state. But, as the reports of the International Atomic Energy Agency indicate, the programme does not make sense as a civilian enterprise.

The Iranians are not there yet. There are differences between intelligence agencies as to how long it will take to turn the uranium being enriched at Natanz into sufficient fissile material. But, adding in the need to master warhead technology, most estimates range from a minimum of two to more likely three or four years.

Even before recent speculation that the Stuxnet computer worm had been aimed at Iran, sanctions and clandestine sabotage operations had had notable successes in disrupting the country’s nuclear installations.

Israel is not as sanguine as others about the timeline. Given the threat, it cannot afford to be. Israeli experts point to the possibility of more concealed nuclear sites, raise questions about a new generation of enrichment centrifuges and worry about Iran’s access to spent fuel from the Bushehr nuclear reactor.

Diplomacy and sanctions have thus far achieved pretty much nothing as far as Iran’s intent is concerned. There have been moments when Tehran seemed ready to negotiate seriously, most notably after the US invasion of Iraq in 2003 and, perhaps, last year in Geneva.

More recently, it has been shaken by Beijing’s and Moscow’s backing of new sanctions. But as of now, there are precious few signs of a change in fundamental intent. Russia and China do not want a nuclear Iran, but will go only so far to forestall it.

Within Iran, the nuclear programme is widely seen as in the national interest. In this analysis, possession of the bomb would deter aggression from the US, mark out Iran as a regional leader and alter the balance of power with the west. Iranian leaders have neither forgotten nor forgiven US-led support for Saddam Hussein during the Iraq-Iran war. Sanctions meanwhile play to Mr Ahmadi-Nejad’s narrative of a nation victimised by the west.

Were Israel, the US or both to attack the nuclear sites, they would probably be on their own. One or two European (and Arab) governments might privately cheer, but most weigh the risks of conflict with another Muslim state as too high.

Yet if Tehran does succeed in its ambition, it will probably start a nuclear race in one of the world’s most volatile regions. The pressures on Arab states to follow suit – Saudi Arabia and Egypt spring first to mind – would be intense. Turkey would have to consider whether to cross the nuclear threshold.

Proliferation in the Middle East would signal in turn the end of the nuclear non-proliferation treaty. John F. Kennedy’s nightmare of a world held in terror by the threat of nuclear conflagration would come a big step closer.

The deterrence that prevented the cold from becoming a hot war could not be guaranteed to prevent the use of nuclear weapons in a proliferated world. The promise of mutually assured destruction during that era ensured that neither side could secure an advantage with a first strike that outweighed the cost it would face from retaliation.

In a world in which a larger number of potential adversaries had smaller numbers of weapons, the same calculation would not be assured. The risks of pre-emptive nuclear war – or indeed of simple miscalculation – would be high.

Readers who have persevered this far will have realised that this is not a column offering easy answers or prescriptions. I am not sure there are any. To my mind, the case both for stronger sanctions and for bolder US-led diplomacy speaks for itself – but carries no guarantee of success.

Mr McCain, I think, was wrong in suggesting that bombing Iran could provide an answer; but he was right to suggest that if Iran gets the bomb, the Middle East and the world will be a much more dangerous place.

The Cyber Attack on Iran Continues

October 8, 2010

DEBKA.

Targeted Next: Iranian & Syrian Ballistic Missiles, Hizballah’s Rockets

DEBKA-Net-Weekly #464 October 7, 2010

Ali Akbar Salehi

Iran’s Atomic Energy Organization Director Ali Akbar Salehi has had to keep on changing his story.
In late August, he set Sept. 2 as the date for the start of operations at the 1,000 megawatt Bushehr atomic reactor with the installation of Russian fuel rods.
On Oct. 4, he first spoke of a delay: The start-up at Bushehr was “progressing well and we hope to see it connected to the national electricity grid by late December, or even a few weeks earlier,” Salehi said.
He ruled out any links between the delayed launch and a computer worm accused of targeting the Islamic Republic’s nuclear facilities.
To account for the delay, he said: “During the Bushehr plant’s washing process, a leak was discovered at the side pool of the reactor and it was plugged.”
He was challenged that day by a spokeswoman for the Russian Atomstroyexport company, which built the reactor, who said only that “The loading of the fuel into the reactor is scheduled for October.”
This left the date for the start-up up in the air because it contradicted the Iranian claim that the fuel had been loaded in late August. The Russian nuclear engineers may also be presumed to have thoroughly checked the pool of the reactor before finishing their work.
Monday, Oct. 5, Iran’s nuclear chief finally admitted that the reactor, Iran’s first, would not be ready to go on line before the spring of 2011.
Salehi was forced to change his story as the damage wrought by the Stuxnet malworm came to light. He had to contend not only with the devastating worm but with a briefing by a colleague which put the whole mess in the public domain with disarming frankness.

Iran concentrates on repelling cyber attack on its military systems

On Sept. 27, Hamid Alipour, director of the government-owned Iran Information Technology Company, openly admitted that his country was under cyber attack by a worm that “is mutating and wreaking further havoc on computerized industrial equipment in Iran.”
He said new versions of the virus – no “normal” worm – were spreading.
On Oct. 1, DEBKA-Net-Weekly 463 first indicated the initial scale of this havoc (An Assessment of Initial Cyber-Damage to Iran’s Nuclear Program).
First, the Bushehr reactor and other parts of the nuclear program were so badly hit that it would take months to restore the damaged systems to normal operation. Some might never recover – at least until someone found a silver bullet for purging all systems of the wily worm.
Second, whenever an expert managed to clean out a control network, the destructive malworm spawned more sophisticated offspring which went on the rampage.
The Iranians have gone all-out to damp down the sensational international reporting on the cyber attack afflicting their nuclear plants and strategic infrastructure and made a show of having it under control. At the Virus Bulletin Conference in Vancouver last week, Iranian computer security experts said data “compiled from systems run by Kaspersky’s security software had shown that Stuxnet is no longer prevalent in Iran.”
But they also confessed that the data was not authoritative and represented “just a slice of infected systems in Iran.”
DEBKA-Net-Weekly’s military and intelligence sources report that Iranian experts have made little progress in their attempts to rid Iran’s nuclear systems of Stuxnet and even less in getting the Bushehr reactor ready to start generating power. They have therefore decided to concentrate at this stage on repelling the cyber invasion of their military systems.

Stuxnet can only be detected in missiles by firing them

They no doubt took note of an article published on Oct. 1 by the noted American weapons expert David Kay in The National Interest, under the caption “As the Worm Turns” in which he asks:
Who can assure the Iranian leadership that the son of Stuxnet is not quietly sitting in the guidance- and flight-control systems of Iran’s missile delivery capability? For after all, a “good” cyber worm does not have to reveal itself except under the conditions that its creator has chosen. Static tests may not show anything. Maybe sudden acceleration and heavy G loading is required. Or some other wickedly difficult conditions to simulate and test.
This fatal diagnosis must have increased the alarm in Tehran, confirming as it did the assessment by military sources in our last issue: Some of Iran’s military command and control centers at military and Revolutionary Guards Corps headquarters are shut down, along with field command centers for ballistic missile batteries, key air bases, air defense and the navy.
It tells them that the only way to find out if their missile batteries are infected by Stuxnet – or “the son of Stuxnet” – is to activate the firing mechanisms of every one of those missiles, thereby destroying their entire stock and remaining defenseless.
The same predicament applies equally to Syria and Hizballah.
DEBKA-Net-Weekly’s sources report that this week experts of Iran’s Information Technology Company (whose director first sounded the malworm alarm in public) visited Damascus and Hamma in northern Syria to examine the local armaments factories, which are a branch of Iran’s industries, to find out if the deadly virus in its active or latent state had reached their products.
Some of the team then set out for Lebanon to see whether the new ballistic missiles Iran had consigned to Hizballah, especially the Fateh 110, were infected.
In reporting back to their masters in Tehran, they said they could not be sure of tracking down every version of the rampant Stuxnet in Syrian and Lebanese hardware – any more than they can at the Bushehr reactor.