Sunday, September 26, 2010

More Stuxnet Speculation and the Limits of "Cyberwarfare"

The Stuxnet worm has infected tens of thousands of computer systems in Iran, along with systems in other countries. It is being unraveled by computer security companies and by Siemens, the maker of the industrial control equipment it targets.

The exact target is not known, but speculation tends to settle on the Bushehr civilian nuclear power plant and the Natanz enrichment plant, leading to the more speculative conclusion that Israel or the United States is responsible for it. Both have stated that they are using various means to attempt sabotage of Iran's nuclear infrastructure.

But let's look at another possibility: Russia. Russia has direct access to the Bushehr plant, since it is supplying the reactor. Russia also has a great concentration of outstanding computer programmers, many of whom have turned to producing malware. Russia is the prime suspect in the distributed denial of service attacks on Estonia during the controversy over a Soviet monument in Tallinn, and on Georgia during the short 2008 war between the two countries. So one motive for an attack in Iran might be to test a different sort of attack, one aimed at industrial infrastructure rather than at websites. Relations between Russia and Iran over Bushehr have been rocky over the many years it has taken to build the reactor; that friction is a large part of why it has taken so long.

If the code was furnished by Israel or the United States with the intention of harming a particular plant, it is highly irresponsible to package it as a worm, which propagates itself. The classic protection against computer infection is the air gap: if a computer isn't connected to any other computers, it can't be infected over a network. The air gap is used for security in many industrial plants. But the gap is bridged by removable media: a memory stick can carry the worm from an infected machine to an isolated one, and that seems to be the main route of Stuxnet infection.

So why make a worm? It could be that the perpetrators had no direct access to the targeted facility, in which case self-propagation would be the only way in. Or perhaps the perpetrators wanted to trace the routes of infection, which might provide clues as to who is providing questionably-legal support to Iran's nuclear program. Transmission via memory sticks would be slow enough that the order and timing of infections would sketch which suppliers matter most. The Guardian provides a map. There are interesting connections to India and Indonesia.

Stuxnet is one more demonstration of how difficult cyberwarfare is. Estonia was inconvenienced for a week or two; the attack on Georgia seems to have been less effective still. Siemens is distributing countermeasures against Stuxnet. Warfare has to be more than a one-off, but it is in the nature of an attack to be noticed and, once noticed, responded to. A great many non-governmental individuals and organizations have as much fun countering malware as others do developing it, and governments have their resources as well. Like the attacks on Estonia and Georgia, Stuxnet is very difficult to trace to its perpetrator, perhaps impossible. So there is no retaliation. And transmissible malware can blow back on the perpetrator: it looks like there are Stuxnet infections in every country that is a major suspect.

Defense works. Sticking possibly infected memory sticks into USB ports is dumb; the air gap has to apply to memory sticks too, which means controlling what can be plugged in, not just what is cabled up. And there are further defenses, of the kind most of us already run on home computers. As malware does its damage, it is detected and countered, an emerging and evolutionary process rather than a catastrophe.
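As an added example of what "the air gap applies to memory sticks too" looks like in practice (this is not code from the original post or from Siemens), the script below audits and, if needed, sets two Windows host policies on an isolated machine: the Removable Storage Access policy that denies all access to removable disks, and the AutoRun policy. The registry locations and the disk device-class GUID are the documented Windows policy locations; the choice to use Deny_All rather than a narrower deny is this example's assumption, as is the name of the two helper functions.

```powershell
# Added example: audit and enforce host-side controls against the USB route.
# Run in an elevated PowerShell session; the policy takes effect after a
# reboot or 'gpupdate /force'. Deny_All (rather than Deny_Execute alone) is
# an assumption of this example, chosen because reading an infected stick
# is enough to carry the worm onward.

# Device setup class for disk drives (removable disks are covered by this class).
$DiskClassGuid   = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$RemovablePolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$DiskClassGuid"
$ExplorerPolicy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-UsbPolicyState {
    # Returns $null for either value if the key or value does not exist yet.
    $denyAll = (Get-ItemProperty -Path $RemovablePolicy -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    $autorun = (Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        RemovableDisksDenied = ($denyAll -eq 1)
        AutoRunDisabled      = ($autorun -eq 0xFF)   # 0xFF = AutoRun off for every drive type
    }
}

function Set-UsbPolicyHardened {
    foreach ($path in @($RemovablePolicy, $ExplorerPolicy)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    # Deny read, write and execute on removable disks: the air gap for memory sticks.
    Set-ItemProperty -Path $RemovablePolicy -Name Deny_All -Value 1 -Type DWord
    # Disable AutoRun on all drive types.
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

$before = Get-UsbPolicyState
if (-not ($before.RemovableDisksDenied -and $before.AutoRunDisabled)) {
    Set-UsbPolicyHardened
}
Get-UsbPolicyState | Format-List
```

The first setting is the one that matters: Stuxnet's spread by memory stick did not depend on AutoRun, so turning AutoRun off is good hygiene but not, by itself, an air gap. Blocking removable disks outright is what keeps an isolated plant network isolated; where operators genuinely need to move files in, a dedicated, scanned transfer workstation is the usual compromise.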
