If you’ve followed reports of the Stuxnet internet worm over the last month or so, you probably have in your mind an image. I am about to guess the image in your mind.
I’ll use the word “research” in my description of what’s in your mind. But if you think “bomb making” sounds better than “research”, feel free to read “bomb making” where I have the word “research”.
The image in your mind is of a Windows computer. This computer is in a nuclear research facility in Iran. It is attached to a network and has access to the internet. It is also attached to a programmable logic controller (PLC), via a Windows application, that allows an Iranian researcher to key in or otherwise load changes to the operational nuclear research environment, adjusting settings and changing live code as he needs to.
In the plant where this Windows computer sits there is no deployment discipline for patches or upgrades. That is, the kind of process enterprises typically use for bringing code changes online (test –> staging –> prod) is unknown. Someone can sit down at the machine, tap keys for a bit, hit ENTER, and production code is changed immediately. There are no safeguards to prevent a typo from causing disaster. There’s no way to quickly roll back a patch if it causes an unexpected problem. And there’s no redundancy: if one monitoring or control system fails, there is no independent system ready to take over.
This Windows machine is not only on the corporate network but is reachable from every other machine on it; that is, it hasn’t been put on its own isolated subnet behind a router or firewall. It has some virus-detection software, but that’s it. It is not re-imaged regularly, and no one ever boots it from a CD into a non-Windows OS to collect checksums of the filesystem and diff them against a known-good baseline.
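The last item in that list, an offline checksum baseline, is a real control worth spelling out. The script below is an added example, not code from the original post: it builds a SHA-256 manifest of a directory tree, stores it, and later diffs a fresh manifest against it to report files that were added, removed or modified. The directory names and sample files (`plant-host`, `plc_loader.exe`, `hmi.dll`) are constructed for illustration only. The reason the author has this done from a CD-booted OS rather than from the running Windows install is that a kernel-mode rootkit on the live host can hide files from any hashing tool you run under it; hashing the disk from an OS the attacker has not compromised removes that blind spot. The baseline itself must be kept where the checked host cannot alter it (read-only media or a separate machine), or an attacker can simply rewrite it to match.

```python
"""Offline file-integrity check: build a SHA-256 manifest of a tree and diff it
against a saved baseline.  Added example, not from the original post; paths and
sample files below are constructed for illustration."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: following them would hash whatever they point at,
    which an attacker controlling the filesystem could redirect."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return files added, removed and modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in set(baseline) & set(current) if baseline[p] != current[p]
        ),
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the baseline; in practice dest lives on read-only media or another host."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "plant-host"           # hypothetical host image
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "plc_loader.exe").write_bytes(b"original loader")
        (root / "bin" / "hmi.dll").write_bytes(b"hmi library")
        (root / "config.ini").write_text("mode=production\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated tampering: a patched DLL, a dropped driver, a deleted config.
        (root / "bin" / "hmi.dll").write_bytes(b"hmi library + payload")
        (root / "bin" / "rootkit.sys").write_bytes(b"new driver")
        (root / "config.ini").unlink()

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from a live CD against the mounted Windows volume, `build_manifest` would be pointed at the mount point and `save_manifest` at removable media; the `demo()` function only stands in for that workflow with a temporary directory. Note what this does and does not catch: it detects any on-disk change, including hidden files, but says nothing about code already loaded into a PLC, which has to be verified separately against the engineering project.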
Is that anything like the image you have in your mind?
The reason it could be is that the superficial reporting of Stuxnet carries an embedded assumption: that the worm’s only challenge was to find its way to a more-or-less ordinary Windows machine with access to the production code running a nuclear plant, quietly take control of that machine, and then alter the plant-controlling code.
Got that? Here’s something else we should take just as seriously:
Living in the sewers there is a race of little green men, originally from Mars, who ooze through keyholes and use precision lasers to steal vital organs from sleeping victims without waking the family doberman.
The image of the alleged target Windows machine and fly-by-the-seat-of-your-pants change management is created by superficial reporting of Stuxnet, and it’s preposterous.
The worm has many clever features, but it’s not magical. Symantec has a good paper describing it (the W32.Stuxnet Dossier), if you have a taste for technical details. I won’t give away the plot, but it is at least conceptually possible for Stuxnet to get its code into a PLC in the wild (as opposed to in the lab). However, the idea that it could seriously disrupt a nuclear research plant for any length of time, causing anything more than a passing inconvenience, is nonsense.
Now (still reading your mind), you’re thinking, “In Iran maybe they do have Windows boxes that can access live code managing a nuke plant, machines that are also used to check email and surf the net…”
The reason you think that is related to another image in your mind: the image of His Utmost Ridiculousness Ahmadinejad.
My response: “No. In Iran they don’t hire monkeys to manage nuclear research plants. They have smart people, good engineers, who know how to do things that are technically complex. They know how to review code changes, manage patch deployments, limit access to mission-critical applications, checksum binaries and code blocks… do rollbacks, ensure redundancy… Iran is not a nation of halfwits, notwithstanding Ahmadinejad’s efforts to persuade us otherwise.”
What about the speculation that Stuxnet was created by state-sponsored hackers — maybe Israel, maybe the U.S. — and that the target was an Iranian nuclear plant?
Governments, certainly ours and maybe Israel’s, are capable of delivering truckloads of money to oily, big-talking contractors who pretend that Rube Goldbergian schemes are as easy as Tinkertoys. But the simple fact is that no one with understanding looked at a proposed objective like “eliminate Iranian nuclear plant” and believed that Stuxnet could or would do that.
I can make a case that is coherent (if not likely) that the U.S. or Israel or some other state sponsored the release of Stuxnet on the internet, and that it did have something to do with an Iranian nuclear plant — but the chance that Stuxnet itself would do damage was understood: slim to none.
I’ll make that case… another day.