
From Targets of Opportunity to Ground Zero

by christian on October 8, 2010

By Kevin Coleman — Defense Tech Cyberwarfare correspondent

Programmable logic controllers, SCADA systems and other computerized control systems have become common throughout our critical infrastructure.

The demand for computerized industrial control within the United States is expected to exceed $16 billion by the end of 2011. These devices have been a target of opportunity for several years.

A target of opportunity is a military term for an objective that presents itself during a combat operation as a possible target in addition to the operation's designated primary targets.

Given that these units are now commonly used throughout our critical infrastructure, as well as in military facilities and critical assets like aircraft carriers to control their infrastructure, these targets of opportunity have become high-value targets for cyber attacks.

The Stuxnet attack is a game changer. This hybrid worm was specifically designed to attack the process control systems used in the Iranian nuclear enrichment program as well as the Bushehr nuclear power plant. So the big question is: How prepared are we? A recently released study on critical infrastructure protection found that the top five safeguards that respondents felt had LESS THAN a high state of readiness were:

  1. Security training
  2. Awareness and appreciation of the threat by executive management
  3. Endpoint security measures
  4. Security response
  5. Complete security audit

Nidi October 8, 2010 at 1:58 pm

“This hybrid worm was specifically designed to attack the process control systems used in the Iranian nuclear enrichment program as well as the Bushehr nuclear power plant.”

Those control systems are used all over the world. To say they were targeted specifically at Iran is disingenuous at best, an outright lie at worst. There is no evidence that points to it being targeted mainly at Iran, unless you listen to the Iranian government (which is not known for their truthfulness). It has hit UK, US, Korean, and even Dutch companies and facilities. It goes into a Siemens program by using testing default passwords. So, if you don’t want to get hit by Stuxnet, DON’T USE DEFAULT PASSWORDS. But Stuxnet as a game changer? Please. Sometimes, I wonder about the quality of these articles when compared to other ones at Defense Tech.

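The comment above boils down to one hardening control: never leave factory-default credentials on control-system accounts. The following is an added example (not code from the article, the commenters, or any vendor) of how a defender can audit an asset inventory for that condition. The product names, the default credential list and the inventory rows are constructed placeholders; the inventory is assumed to store only unsalted SHA-256 hashes of passwords, as an export from an asset register might, so the audit compares hashes of known defaults and trivial patterns rather than needing plaintext.

```python
"""Audit an ICS account inventory for factory-default and trivial passwords.

Added example, not from the Defense Tech post or its comment thread.
Product names, default credentials and inventory rows are constructed
placeholders, not real vendor defaults.
"""
import hashlib
from dataclasses import dataclass


def _sha256(text: str) -> str:
    # Assumption: the asset register stores unsalted SHA-256 hex digests.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed: factory-default (username, password) pairs per product family.
DEFAULT_CREDENTIALS = {
    "example-hmi": {("admin", "admin"), ("operator", "operator")},
    "example-plc-web": {("user", "password"), ("engineer", "engineer")},
}


@dataclass(frozen=True)
class Account:
    host: str
    product: str
    username: str
    password_sha256: str


# Constructed inventory rows, one per account on a control-system host.
INVENTORY = [
    Account("plc-line1", "example-plc-web", "user", _sha256("password")),
    Account("hmi-ctrl", "example-hmi", "admin", _sha256("Cu$t0m-Phrase-2010")),
    Account("hmi-pack", "example-hmi", "operator", _sha256("operator")),
    Account("plc-line2", "example-plc-web", "engineer", _sha256("1111111")),
]


def _trivial_candidates():
    """Generate passwords an attacker would try before any real guessing."""
    for ch in "0123456789":
        for n in range(1, 13):
            yield ch * n                     # "1", "11", ..., "111111111111"
    for n in range(4, 13):
        yield "1234567890123"[:n]           # "1234", "12345", ...
    yield from ("password", "admin", "root", "changeme", "letmein")


# Hash -> plaintext, so a match can be reported without storing secrets.
TRIVIAL_HASHES = {_sha256(p): p for p in _trivial_candidates()}


def is_default(account: Account) -> bool:
    """True when (username, password hash) matches a known factory default."""
    for user, pw in DEFAULT_CREDENTIALS.get(account.product, ()):
        if user == account.username and _sha256(pw) == account.password_sha256:
            return True
    return False


def is_trivial(account: Account) -> bool:
    """True when the password hash matches one of the trivial patterns."""
    return account.password_sha256 in TRIVIAL_HASHES


def audit(inventory):
    """Return (host, username, reason) findings in inventory order."""
    findings = []
    for acct in inventory:
        if is_default(acct):
            findings.append((acct.host, acct.username, "factory default credential"))
        elif is_trivial(acct):
            shown = TRIVIAL_HASHES[acct.password_sha256]
            findings.append((acct.host, acct.username, f"trivial password: {shown!r}"))
    return findings


if __name__ == "__main__":
    for host, user, reason in audit(INVENTORY):
        print(f"{host:10} {user:10} {reason}")
```

Running the audit on the constructed inventory flags the two accounts still on vendor defaults and the one using a repeated-digit password, while the host with a changed passphrase is left alone. In a real deployment the default list would come from the vendor documentation for each product family actually in the register, and the hash scheme would match whatever the register uses.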

geedeck October 8, 2010 at 2:47 pm

Wow, that's just really harsh and doesn't feel very polite. Allow me to quantify why. One, is that there is a clear focus on Iranian systems. Two, some reverse engineering of the code pointed out some Old Testament verbiage in there that either it's implicating the Israelis or at least trying to do so.

Now, perhaps the Iranians are just that much dumber than the rest of the world about default passwords. Or maybe someone took the time and effort to scatter infected USB keys around Iranians?

But it's clear this is something that benefits the Israelis (well, and us, and most of the civilized world). So, positing the logic is not a crazy thing to do and it's not some magical barometer of quality. Or at least I don't think so, unless someone shows up out of the blue with all the answers. And so that's why it seems a bit rude to make such a statement.


Kevin October 8, 2010 at 3:02 pm

Have you ever programmed a PLC? I have! I wonder about what really motivated you to write this. The VAST majority of experts agree that Stuxnet specifically targeted the Iranian facilities. So it is not just me, it is an international collection of experts. All the other countries you listed could easily be considered collateral damage.

It is easy for you to sit there hiding behind a nickname (NIDI) so no one knows who you are or where you are from and posting rude comments like some others on here.


Andrew October 8, 2010 at 4:23 pm

What, so I have to have a political agenda behind this? I have been using this name for years. And not just on this website either. But you know what, you caught me. I am actually an Israeli apologist who has been on this website for years building up a cover so I can protect Israel by spinning any story that may implicate Israel. You want to know who I am? Get my email from the webmaster, since you have to provide it to post and I give my actual email. Send me an email, and I will tell you exactly who I am. But the fact that you implicitly call me a coward and personally attack me, and then call me rude? I may have attacked your post, but I did not attack you or your character.

And for good measure, I went ahead and put my real first name up there. There is now plenty of information available here to find out who I really am, if it’s that important to you.


Oblat October 8, 2010 at 4:34 pm

At least you're not a marketing flak using a government web site to shill his products.


David October 9, 2010 at 4:02 pm

Symantec has some very comprehensive analysis of the worm on their web site. It was detected all over the world, but primarily in Iran, India, Pakistan, and Indonesia, and more than half of the actual infections were in Iran. Furthermore, the code contains very specific matches for the particular Siemens installations in Iran, so the evidence is pretty clear that Iran was the target.


geedeck October 8, 2010 at 3:05 pm

I think we're in both a good and bad position. What do you folks think of as our high and low points?

High:
-I think American programmers are some of the best in the world. No one knows how to think outside the normal standards like we do (as a generalization, there are always exceptions of course).
-We're the source of a lot of controls + systems. It's in the national interest of companies here to assist the security of the nation, even in this multinational day and age (again, as a generalization, there will always be aberrant outliers).
-Our large middle class gives young people a lot more technology tools at a young age than many others, making people generally smarter about IT even if they aren't programmers (again! Generalizations, my apology).
-We're the US. If someone wants to do an IT-based attack (let's face it, the word cyber-attack sucks dog butt), they have to be willing to pick on one of the largest fish in the pool. So that means it has to be someone really large (sup China) or really small (sup freelance hackers from poor East European countries).

Cons:
-I think our "cybercommand" stuff is bullshit. The armed forces require too much rigidity to attract the truly great computing hacking minds… at least as enlisted/officer. (again, as a generalization). [Though, this is likely a truth in all military based IT-warfare divisions world wide]
-The American public education system (generally) discourages intellectualism. Frankly put, nerds are picked on. I'm not saying we assign all socially awkward kids a body guard, but we should have discussion about academic environments, because we almost certainly lose great minds, or let them become just average minds due to social distractions.
-American arrogance. We're pretty awesome, but sometimes it's a two-edged sword and we forget that others can be awesome too.

So what pros and cons do you think I'm missing? Or are some of my theories just crazy?


Nidi October 8, 2010 at 3:41 pm

If there were a clear focus on Iranian systems, then why are sites around the globe getting hit? And Israelis? Hell, for all you know, it was China that did this. Because this worm wasn’t just about shutting down systems, it was about stealing information. Information from industrial sources. Israel doesn’t give a rat’s ass about industrial secrets, but guess who does? Who has one of the largest and fastest growing uniformed and civilian cyber sectors? China. It could even be Russia for all we know. Israel is not stupid enough to put OT verses inside code. They have one of the best intelligence services in the world. They know not to leave trails. And I’m not saying it was only Iran that was using default passwords. The fact that it is hitting people all over the world is testament to the fact that the use of factory default passwords is widespread. The only people seeing this as an attack directed at Iran are those that want to.

Another thought regarding the OT verses in the code. Worms such as these are rarely written by one person. Usually they are written by a group of people, and they can be all over the world. Where are the OT verses in the code? Are they all over it, or only in certain parts? It could just be a calling card of whoever wrote that part of the code. Just because they are Jewish does not automatically mean they are working for the Israelis.


Kevin October 8, 2010 at 3:56 pm

Please explain how you construct and release a worm like this that will only target one physical entity that is connected to the internet and not have it spread to other vulnerable systems of the same type around the world?


Oblat October 8, 2010 at 5:05 pm

"This hybrid worm was specifically designed to attack the process control systems used in the Iranian nuclear enrichment program as well as the Bushehr nuclear power plant."

As usual Kevin is just making stuff up. The evidence for an Iranian target is circumstantial at the extreme. There are no reports of any direct damage from the worm, most of the infections are in China and 5 guys and a PLC does not constitute the Manhattan project no matter how hard you squint.

Stuxnet is just another worm, on another platform that has created the usual inconveniences.
What is interesting is that it is the first - and that jars with Kevin's claims that these systems are under constant attack for years now.

Here is how things operate around here - Motorola phones have a new virus, the president uses a Motorola, thus it must be a plot to subvert the Presidency of the United States at the Very Highest Level. Throw in references to the Manchurian candidate and the football and presto you have global nuclear war.

Personally I think averting nuclear winter still isn't a good enough reason to attend one of Kevin's dreary seminars but YMMV.


Kevin October 8, 2010 at 5:42 pm

Interesting related articles

Expert: Stuxnet was built to sabotage Iran nuclear plant
http://news.cnet.com/8301-27080_3-20017201-245.ht…

Security Firms Scramble For SCADA Talent After Stuxnet

Link http://threatpost.com/en_us/blogs/security-firms-…

Stuxnet was a directed attack with insider knowledge expert says
http://www.thetechherald.com/article.php/201038/6…


blight October 9, 2010 at 12:26 pm

Langner's website notes the attack targets a Siemens control system, and pins it on Iran based on a released UPI photo.
http://www.langner.com/en/index.htm

Unless someone has an axe to grind with Siemens..


Kevin October 9, 2010 at 3:38 pm

Some are saying INSIDE Job - Inside Siemens or Inside Iran


blight October 10, 2010 at 12:25 am

Anybody else use Siemens control software? Could be a plant in the United States?


Oblat October 8, 2010 at 6:14 pm

You just have to look at what Bruce Schneier says about Stuxnet.

None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates (India, Indonesia, and Pakistan) are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Kevin reminds me a lot of those fake veterans you sometimes meet in bars, all secret knowledge and wild stories, but ask them anything specific about their stories and the edifice comes crashing down.


kevin October 8, 2010 at 8:03 pm

Oblat reminds me of the wannabe that NEVER is. You are outside the Intelligence community and military so you don't get to see the real situation and you resent the hell out of that!!! Again you got thrown off the other website because of your unprofessional behavior and it looks like you did not learn your lesson!


Oblat October 9, 2010 at 7:41 am

Ah yes, Kevin's secret insider knowledge which he can't share with anyone. Unsurprisingly it doesn't seem to tally with stuff that is in the public domain - even basic network security concepts - a sure sign of quackery.

Apparently I'm not the only person calling your bluff - what was the other website?
I have seen one article where someone traced all your cites back to your own previous statements.


William C. October 8, 2010 at 10:19 pm

Ah President Ahmadinejad, let me just type in the password for the nuclear reactor and show you what we got working. Let's see 111111… uhhh 1. Nobody will guess that.


Kevin October 9, 2010 at 7:40 am

You have 1 too many 1s


nraddin October 9, 2010 at 1:36 am

I don't disagree that the target of this attack was Iran, if for no other reason than the Israeli names (although it could be false flag); however I am not sure how this is a game changer. Systems, proprietary or not, have been under attack for a long long time. Just the logs from my external facing web server at home will tell you how bad it's gotten out there and my site is not an obvious target. What I don't see is how this is very much different than worms that have attacked specific types of systems in the past, or a general cyber attack (hacking, DDOS, etc.) against a specific system. Is it because a worm was used in a targeted attack? How is that very much different than a botnet attack or just straight up hacking into the systems and planting malicious code?


jhm October 9, 2010 at 10:35 pm

ooh cyber attacks and programming new!!! what a big deal. Hello, we've been hacking for years and this article makes the world seem like a stone age era. new cyber software, puh lease
