Symantec’s W32.Stuxnet Dossier is the most useful info I’ve seen about stuxnet. Early in the paper, explaining context:
Industrial control systems (ICS) are operated by a specialized assembly-like code on programmable logic controllers (PLCs). The PLCs are often programmed from Windows computers not connected to the Internet or even the internal network. In addition, the industrial control systems themselves are also unlikely to be connected to the Internet.
Whew… Don’t miss this: “…PLCs are often programmed from Windows computers not connected to the Internet or even to the internal network…”
From the superficial reporting of stuxnet you could get the idea that a Windows box, casually attached to a network, could also casually access and change production code in an industrial environment. When you stop to think about it, you know that can’t be true. It could be true somewhere at some time, simply because there are outliers in any large sample, but if you know how things work, you know it can’t be true in general.
Fortunately, Symantec mentions what is hardly worth mentioning — because it will be assumed by technically literate readers. But a lot of people don’t know much about development and deployment processes that are widely used, even for goofy web apps…
— “What? You go through all that to change one line of code on your webserver?”
— “On our production webserver”.
The Symantec paper has enough technical detail to be interesting. The assessment of resource requirements:
The full cycle may have taken six months and five to ten core developers not counting numerous other individuals, such as quality assurance and management.
From the superficial reporting, I had guessed 10 engineers (including QA) for 1 year, plus equipment, simulators, etc. — way less than $10 million if done in the private sector, and probably not more than $100 million if government sponsored.
This, of course, is easily within the reach of many criminal organizations (today in Wired: “5 Key Players Nabbed in Ukraine in $70-Million Bank Fraud Ring”) — and criminal-government blends.
Because the Symantec paper has fairly close technical analysis, it includes odd notes like this:
…If this value is equal to 19790509 the threat will exit. This is thought to be an infection marker or a “do not infect” marker. If this is set correctly infection will not occur. The value appears to be a date of May 9, 1979. While on May 9, 1979 a variety of historical events occurred, according to Wikipedia “Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community. He was the first Jew and one of the first civilians to be executed by the new Islamic government. This prompted the mass exodus of the once 100,000 member strong Jewish community of Iran which continues to this day.” Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party.
Wikipedia has a short article about Habib Elghanian:
Why does this remind me of “The Man Who Never Was”?