People have been asking, and The Czar of Muscovy
is looking for a report. As always, he has interesting ideas, and you should first of all go read his post. This will be a longish Sitrep, and the Czar provides excellent background material that you'll need to make sense of this post.
Then you should go read one of my old posts, How To Hack A Classified Network
. It also is longish, but it gives you a lot
of information that I'm going to build on in this post.
Then, you should go read an even older post of mine about the intricacies of software
, and how easy it is to mess up security. It amplifies some of what the Czar wrote, and gives you a Real World example of how a computer that controlled a factory was accidentally taken down. It's not precisely analogous to what's happening with the StuxNet worm (that's in How To Hack A Classified Network), but it is something that happened to me, on my watch.
Back now? OK, let's think about "Embedded Process Controllers" - computers that control manufacturing processes. SCADA systems - the ones I keep yammering on about how someone could attack them and take down our power grid - are a variant of these. Typically, there's a hierarchy of devices: (a) The SCADA system(s) as the Master Control unit at the top, (b) a distribution layer that talks to SCADA on the top tier and individual devices at the bottom tier, and (c) the individual devices (e.g. welding electric switch, pipe valve actuator, etc) at the bottom.
The (c) layer is 100% custom software. There aren't a lot of people who understand this, and they're very well paid indeed. Were I Dr. Evil, directing a hacking effort, I wouldn't waste any time here. The next level up (b) typically runs on Linux, but a stripped down version. It's exploitable, but is not only a harder target, but if you did get in, the opportunity for mischief is less. You could focus here, but that's not where the smart money will bet.
It's the top tier that's the big win. SCADA runs on Windows (insert Dr. Evil maniacal laughter here), so you know that it's a target rich environment. These systems are unlikely to be patched (for reasons that you should read here
; another one of my very old posts that explains why people don't like to patch). So while the StuxNet worm seems to include multiple "Day Zero" exploits (attacks for which there is no security patch to stop it), you probably don't need them. They're insurance.
Once you're in the SCADA system, you have high level control options (as opposed to low level "device on/device off" ones at the lower tiers). If you want to make something go boom, this is where you'd do it. Well, that's where I
would do it, except I only use my Powers for Good ...
Can you really make something go boom? Absolutely, and this has been done before
The CIA was tipped off to the Soviet intentions to steal the control system plans in documents in the Farewell Dossier and, seeking to derail their efforts, CIA director William J. Casey followed the counsel of economist Gus Weiss and a disinformation strategy was initiated to sell the Soviets deliberately flawed designs for stealth technology and space defense. The operation proceeded to deny the Soviets the technology they desired to purchase to automate the pipeline management, then, a KGB operation to steal the software from a Canadian company was anticipated, and, in June 1982, flaws in the stolen software led to a massive explosion of part of the pipeline.
Important note: My knowledge of this comes from "Open Source" intelligence only; the people that I know who would know something about this are in the Intelligence community. I haven't asked them, and they wouldn't tell me if I did (it's classified, duh).
So what are we left with at this point? As the Mythbusters would say, the scenario is plausible. The technology exists or could be created to do any number of types of mischief. Insertion of the code is clearly not a major problem, even into totally isolated networks (as our own Defense Department has discovered to its dismay). This would be expensive, and would require the resources of a Nation State actor, and one of probably a dozen or so actors (Israel qualifies as a member of this club). The government of Israel certainly has the motivation to do this, and pervasive corruption throughout the Middle East offers a selection of insertion points.
Means, motive, and opportunity. This is the "Holy Trinity" of mystery stories, is it not?
You could add layers of misdirection to this scenario. The Russians have sold much of the technology to the Iranians, in the face of weak and ineffectual protests on the part of our State Department. Is it possible that there is a quid pro quo
where we let the Russians sell the technology (to get the hard currency), but the technology is actually sabotaged a la
the Siberian Pipeline of the 1980s? The cover story now becomes a worm did the damage, to keep the Russian's hands "clean". If so, then it's possible that we
created this. Absolutely we have people who know how to do this (I know some of them).
Or maybe the Russians did it - after all, it was a Russian antivirus company that "discovered" the worm. What the Russian's motivations would be are left as an exercise to people better at Realpolitik
than I (perhaps our dread Czar?). Certainly the idea of nuclear proliferation into the 'Stans isn't something that the Kremlin looks to eagerly.
One thing that I'd bet cash money on, at long odds - the worm code itself will not provide clues that point back to its creators, at least not easy ones.
My own feeling is that you won't hear about a boom
. While dramatic, there are a lot of moving parts in a process control system that would need to be sabotaged at the same time, and anyone smart builds manual governors and overrides into systems like these. However, nuclear warheads are terribly finicky things. Everything has to be just right, or your incredibly expensive "physics package" (as they call it in the business) is really nothing more than a falling rock. If I were Dr. Evil, and charged with doing this, I'd make sure that the processes almost
worked perfectly - so close that the parts pass QA inspection, but far enough off that the bomb won't detonate.
Disclaimer: I don't really know what I'm talking about, and absolutely did not rely on anything classified for this post (or the ones linked). It's informed speculation based on what I know from my days in Internet Security, and from people well versed with atomic weapons. Your mileage may vary, void where prohibited, do not remove tag under penalty of law.
UPDATE 24 September 2010 16:18: The Register
has more, and it worth a read in its entirety. If you were to attack a single point in the process, the centrifuges would be the logical place. You might even get a catastrophic failure that would take months or years to recover from. However, it's an obvious failure, as opposed to non-obvious failures like warheads that won't detonate. Again, all disclaimers apply.
UPDATE 24 September 2010 19:20:
UPDATE 24 September 2010 22:01:
didn't take long:
First out of 1.1 Million pages. Google's my bitch.