Friday, September 24, 2010

Did Israel hack Iran's Nuclear Program?

People have been asking, and The Czar of Muscovy is looking for a report.  As always, he has interesting ideas, and you should first of all go read his post.  This will be a longish Sitrep, and the Czar provides excellent background material that you'll need to make sense of this post.

Then you should go read one of my old posts, How To Hack A Classified Network.  It also is longish, but it gives you a lot of information that I'm going to build on in this post.

Then, you should go read an even older post of mine about the intricacies of software, and how easy it is to mess up security.  It amplifies some of what the Czar wrote, and gives you a Real World example of how a computer that controlled a factory was accidentally taken down.  It's not precisely analogous to what's happening with the StuxNet worm (that's in How To Hack A Classified Network), but it is something that happened to me, on my watch.

Back now?  OK, let's think about "Embedded Process Controllers" - computers that control manufacturing processes.  SCADA systems - the ones I keep yammering on about how someone could attack them and take down our power grid - are a variant of these.  Typically, there's a hierarchy of devices: (a) The SCADA system(s) as the Master Control unit at the top, (b) a distribution layer that talks to SCADA on the top tier and individual devices at the bottom tier, and (c) the individual devices (e.g. welding electric switch, pipe valve actuator, etc) at the bottom.

The (c) layer is 100% custom software.  There aren't a lot of people who understand this, and they're very well paid indeed.  Were I Dr. Evil, directing a hacking effort, I wouldn't waste any time here.  The next level up (b) typically runs on Linux, but a stripped down version.  It's exploitable, but is not only a harder target, but if you did get in, the opportunity for mischief is less.  You could focus here, but that's not where the smart money will bet.

It's the top tier that's the big win.  SCADA runs on Windows (insert Dr. Evil maniacal laughter here), so you know that it's a target rich environment.  These systems are unlikely to be patched (for reasons that you should read here; another one of my very old posts that explains why people don't like to patch).  So while the StuxNet worm seems to include multiple "Day Zero" exploits (attacks for which there is no security patch to stop it), you probably don't need them.  They're insurance.

Once you're in the SCADA system, you have high level control options (as opposed to low level "device on/device off" ones at the lower tiers).  If you want to make something go boom, this is where you'd do it.  Well, that's where I would do it, except I only use my Powers for Good ...

Can you really make something go boom?  Absolutely, and this has been done before:
The CIA was tipped off to the Soviet intentions to steal the control system plans in documents in the Farewell Dossier and, seeking to derail their efforts, CIA director William J. Casey followed the counsel of economist Gus Weiss and a disinformation strategy was initiated to sell the Soviets deliberately flawed designs for stealth technology and space defense. The operation proceeded to deny the Soviets the technology they desired to purchase to automate the pipeline management, then, a KGB operation to steal the software from a Canadian company was anticipated, and, in June 1982, flaws in the stolen software led to a massive explosion of part of the pipeline.
Important note: My knowledge of this comes from "Open Source" intelligence only; the people that I know who would know something about this are in the Intelligence community.  I haven't asked them, and they wouldn't tell me if I did (it's classified, duh).

So what are we left with at this point?  As the Mythbusters would say, the scenario is plausible.  The technology exists or could be created to do any number of types of mischief.  Insertion of the code is clearly not a major problem, even into totally isolated networks (as our own Defense Department has discovered to its dismay).  This would be expensive, and would require the resources of a Nation State actor, and one of probably a dozen or so actors (Israel qualifies as a member of this club).  The government of Israel certainly has the motivation to do this, and pervasive corruption throughout the Middle East offers a selection of insertion points.

Means, motive, and opportunity.  This is the "Holy Trinity" of mystery stories, is it not?

You could add layers of misdirection to this scenario.  The Russians have sold much of the technology to the Iranians, in the face of weak and ineffectual protests on the part of our State Department.  Is it possible that there is a quid pro quo where we let the Russians sell the technology (to get the hard currency), but the technology is actually sabotaged a la the Siberian Pipeline of the 1980s?  The cover story now becomes a worm did the damage, to keep the Russian's hands "clean".  If so, then it's possible that we created this.  Absolutely we have people who know how to do this (I know some of them).

Or maybe the Russians did it - after all, it was a Russian antivirus company that "discovered" the worm.  What the Russian's motivations would be are left as an exercise to people better at Realpolitik than I (perhaps our dread Czar?).  Certainly the idea of nuclear proliferation into the 'Stans isn't something that the Kremlin looks to eagerly.

One thing that I'd bet cash money on, at long odds - the worm code itself will not provide clues that point back to its creators, at least not easy ones.

My own feeling is that you won't hear about a boom.  While dramatic, there are a lot of moving parts in a process control system that would need to be sabotaged at the same time, and anyone smart builds manual governors and overrides into systems like these.  However, nuclear warheads are terribly finicky things.  Everything has to be just right, or your incredibly expensive "physics package" (as they call it in the business) is really nothing more than a falling rock.  If I were Dr. Evil, and charged with doing this, I'd make sure that the processes almost worked perfectly - so close that the parts pass QA inspection, but far enough off that the bomb won't detonate. 

Disclaimer: I don't really know what I'm talking about, and absolutely did not rely on anything classified for this post (or the ones linked).  It's informed speculation based on what I know from my days in Internet Security, and from people well versed with atomic weapons.  Your mileage may vary, void where prohibited, do not remove tag under penalty of law.

UPDATE 24 September 2010 16:18: The Register has more, and it worth a read in its entirety.  If you were to attack a single point in the process, the centrifuges would be the logical place.  You might even get a catastrophic failure that would take months or years to recover from.  However, it's an obvious failure, as opposed to non-obvious failures like warheads that won't detonate.   Again, all disclaimers apply.

UPDATE 24 September 2010 19:20:  Hmmm ...

UPDATE 24 September 2010 22:01: Well, that didn't take long:

 First out of 1.1 Million pages.  Google's my bitch.


NMM1AFan said...

Why are classified and critical infrastructure systems connected to the internet at all?

Seems like an easy fix.

Borepatch said...

NMM1AFAN, my first link (about hacking a classified network) talks about this. They shouldn't be, and for classified networks, aren't (to the best of my knowledge).

As to critical infrastructure, I ranted about this a while ago. They shouldn't be, but (mostly) (probably) are. It makes it easier for their administrators.

Stalin would have had them all shot. Were I King, I might do the same.

reflectoscope said...

Interesting idea that the IDF didn't flatten the facility because it didn't need to.

Two fundamental problems with this approach: One, it seems unlikely that it could be repeated, what with it being such a distinct tactic. What I mean is, everyone who is anyone is going to have the motive and opportunity to examine it.

The second is that if the Iranian plant is the target, it leaves a pretty short list of motivated attackers.

Hell of a thing, anyway. I'll be curious to see how it pans out.


bluesun said...

Gotta love those random hits from Muslim countries...

I'm probably on a few interesting lists from that whole "Draw Muhammad Day" thing...

Matt said...

The problem with the "screw it up so subtly that they think it works until the day they decide to use it" plan is that nuclear weapons don't have to actually work to cause massive problems.

Yes, yes...a dud warhead would spare Tel Aviv. But if Iran thinks they have nuclear weapons, and the rest of the region also thinks they have nuclear weapons, but the weapons secretly might not work, the strategic situation deteriorates almost as badly as it would if they actually did have working nukes.

No member of the nuclear club actually wants to lengthen the membership roster. I wouldn't put it past the Russians to be playing both sides this way. They get to be buddies with Iran, tweak the noses of their regional rivals, and yet still hamper the actual Iranian nuke program.