Enterprise IT Watch Blog

Mar 23 2011   9:11AM GMT

Was Stuxnet an inside job?

Michael Morisy

While Stuxnet has been painted as an unprecedented takedown of one government’s facilities by another, the truth is that very little information is known about the worm that rose to prominence with reports that it set back Iranian nuclear enrichment two years. There is even statistical evidence to suggest that, rather than a highly secretive joint-operation between the United States and Israel, Stuxnet might even have been an insider threat.

Forget everything you know about Stuxnet, the Iranian nuclear program and the dawn of a new age of cyber missiles. Forget these things because they’re largely unknowns. They are speculation and distraction from the more important lessons the security, defense and electrical industries should be learning.

For example, as security researcher Davi Ottenheimer told an audience recently, there is statistical evidence to indicate the attack was more likely an insider threat than an external one. In other words, not the first salvo of Israel’s and/or the United States’ cyberwar against Iran so much as a play by an Iranian politico vying for power.

This is based on a rising tide of intrastate violence, even as interstate violence is being reduced. In an authoritarian regime such as Iran’s, assassinations and violence aren’t uncommon campaign tactics when it comes to securing a promotion.

To be clear, Ottenheimer is not saying Stuxnet was or wasn’t an inside job, but outlining a fundamental point overlooked in the popular and even most of the trade press: In the 21st century, attribution to state actors has become an increasingly tricky job, even in the physical world.

“We always say it’s China, or Russia, or the Reds, and that compromises our ability to analyze threats,” he told me. “What I tend to find in the data is that we’re finding attribution harder and harder, and so we should give pause before we make attribution, at least before we say it’s got to be this guy or that guy.”

And while turning Stuxnet and other high profile attacks into a made-for-Tom Clancy-and-Harrison Ford drama does a great job at raising awareness, it often hurts the greater cause of securing basic infrastructure.

“I’m very sympathetic to scaring people into action, because I’m a security consultant,” Ottenheimer told me, before diving into all the reasons that, in Stuxnet’s case, marketing through fear could easily backfire.

  • It’s old news. In 1998, security researcher Mudge declared before a U.S. Senate Committee, under oath, that he could disable the United States’ access to the Internet in 30 minutes. Even more pertinent, and worrying, were leaked videos prepared by the Department of Homeland Security showing how a cyber attack could cripple physical infrastructure, breaking turbines and disrupting electricity access. This was in 2007.
  • It actually minimizes the perceived risk. You’d think that highlighting these dangers would increase not only awareness but also spending. But just look at how much movies like Armageddon have shaped the United States’ meteorite defense priorities. The problem, Ottenheimer told me, is that by turning cybersecurity into spy-on-spy dramas, you tip the bean counter’s equations the wrong way. “If we’re scaring people with ‘This is an online missile,’ they might take a look at it and say the likelihood is too rare for us to worry about,” he said. “So you have to scare them by saying this is going to happen all the time, this is really severe.” And at the end of the day, what happened at Bushehr and Iran’s other nuclear facilities might not even have been that severe.
  • It’s a bad example of what could happen. While the majority of the press has latched onto the narrative that Iran’s program has been set back years, Ottenheimer said that the truth is likely much less dramatic, and much less devastating than similar attacks could be. “The best sources are people who have been watching for a very long time, and they have said that the program hasn’t really been set back,” he said (read his blog post on this). The experts being interviewed on the subject were generally very good at understanding security in most settings, but out of their league when it came to the technology and context of the industrial control systems deployed in these plants. That made the attacks sound groundbreaking when in fact (as previously mentioned) the methods were largely well known.

So Stuxnet does offer important lessons, but instead of heralding a new age of cyberwar, they are about the lagging state of security in many industrial settings, the importance of following basic patching best practices and, perhaps most importantly, the uncertainty of digital security threats, even when you think you have the full story.
An alternative look at security
While Ottenheimer isn’t the only one to raise questions about the “unprecedented” nature of Stuxnet, it’s still a bit of a contrarian look at security in most circles, which is what made it perfect fodder for his talk at Security B-Sides San Francisco, the unconference that ran parallel to RSA 2011.
The San Francisco event was one of many throughout the year, generally run in parallel with (though organizers are quick to add, not in competition with) traditional security conferences. The full schedule is available at the B-Sides website, but it’s the quality and tone of the sessions that make these can’t-miss events for many security practitioners: Gone are the booth babes and infomercial sessions, replaced with … well, the San Francisco event’s lead organizer Mike Dahn put it in his own words:
The commonality is that people are looking for the next thing rather than jumping on the cloud-wagon.  The community voted on the presentations they wanted to see and that’s how the schedule was created.
If you’re interested in Ottenheimer’s presentation, the slides are up on his website Flying Penguin, and they are chock full of thought-provoking citations.
Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

2  Comments on this Post

  • Was Stuxnet an Inside Job? – flyingpenguin
    [...] If you are new here, you might want to subscribe to the RSS feed for updates on this topic.An article in Enterprise IT Watch by Michael Morisy references my BSidesSF presentation: To be clear, Ottenheimer is not saying Stuxnet was or wasn’t [...]
  • The Darth Vader Guide to InfoSec mastery - Enterprise IT Watch Blog
    [...] to sneak out to the highly enjoyable Security BSides series. Read last year’s coverage of Davi Ottenheimer’s talk, or learn more about BSides, a free unconference around the world, at [...]