Stuxnet
This material was developed with funding from the
National Science Foundation under Grant # DUE 1601612
The mystery began at a uranium enrichment plant in Iran. The inspectors and Iranian technicians observed that centrifuges used to enrich uranium were breaking down at an unprecedented rate and couldn’t explain what was happening or why. In a seemingly unrelated incident, a computer security company was asked to troubleshoot Iranian computers that were crashing and rebooting repeatedly. Again, the cause of the problem was a mystery, until researchers found malicious files on one of the systems and discovered a digital weapon, Stuxnet.
SCADA systems: acronym for supervisory control and data acquisition, a computer system used to gather, monitor, analyze and control real-time data for equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining, and transportation.
Stuxnet is an extremely sophisticated computer worm that exploits multiple previously unknown Windows zero-day vulnerabilities to infect supervisory control and data acquisition (SCADA) systems, and it is believed to be responsible for causing substantial damage to Iran's nuclear program. Unlike worms that hijack computers or steal information from them, Stuxnet was used to cause physical destruction to equipment controlled by the targeted computers, specifically the centrifuges used to enrich uranium for nuclear weapons and reactors.
programmable logic controller (PLC): an industrial computer adapted for the control of manufacturing processes that require highly reliable control, ease of programming, and fault diagnosis.
Stuxnet is typically introduced to the target environment via an infected USB flash drive. When Stuxnet infects a computer, it checks to see if that computer is connected to specific models of programmable logic controllers (PLCs) manufactured by Siemens. PLCs are how computers interact with and control industrial machinery like uranium centrifuges.
Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes copies of the worm; and a rootkit responsible for hiding all malicious files and processes so that the presence of Stuxnet is not detected. The worm then spreads across the network, looking for Siemens Step7 software on computers controlling a PLC. If Step7 software is not found, Stuxnet becomes dormant inside the computer.
If PLC software is found, Stuxnet installs its rootkit on the system, modifies the PLC code, and issues unexpected commands to the PLC. Stuxnet masks these commands from the PLC and from the system's users by returning a loop of normal operating values. As a result, the PLC and the users believe everything is working fine, which makes the problem difficult to detect until the damage to the centrifuges is already done.
It is widely understood that Stuxnet was created by the intelligence agencies of the United States and Israel, even though neither government has ever officially acknowledged developing it. Sufficient evidence has surfaced to support that this was a classified program of these governments, which used Stuxnet as a tool to derail, or at least delay, the Iranian program to enrich uranium for nuclear weapons. The leadership of the United States believed that if Iran were on the verge of developing nuclear weapons, this could set off a war between Israel and Iran; Stuxnet was therefore seen as a nonviolent alternative.
The best way to be protected from Stuxnet is to avoid it by:
- Incorporating redundancy and a layered defense that addresses security throughout the entire extended network into the network design.
- Ensuring proper physical and logical separation between different types of networks. Specifically, PLC and SCADA devices should not be reachable from other networks.
- Writing software to detect non-conforming actions.
- Limiting user privileges and requiring strong authentication.
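As an added example that is not part of this lesson, here is one form the "software to detect non-conforming actions" recommendation can take: a check over PLC telemetry that flags a stream of "normal" values repeating exactly with a fixed period (the masking loop described above), alongside a simple out-of-band check. The nominal speed, tolerance and sample readings are constructed for illustration, not taken from any real system.

```python
"""Flag PLC telemetry that looks like a replayed loop of "normal" values.

Added example, not code from the lesson or from any vendor. A genuine
sensor stream jitters from sample to sample; a stream that repeats itself
exactly with a fixed period is suspicious even when every value is in
the expected band, because that is how masked telemetry looks.
"""

NOMINAL_HZ = 1000.0   # constructed nominal rotor speed (assumption)
TOLERANCE_HZ = 20.0   # constructed acceptable deviation (assumption)


def out_of_band(samples, nominal=NOMINAL_HZ, tol=TOLERANCE_HZ):
    """Return the indexes of samples outside the expected operating band."""
    return [i for i, v in enumerate(samples) if abs(v - nominal) > tol]


def replay_period(samples, min_repeats=3):
    """Return the smallest period p such that samples[i] == samples[i + p]
    holds across the whole stream and at least min_repeats full cycles fit,
    or None when the stream does not repeat exactly."""
    n = len(samples)
    for p in range(1, n // min_repeats + 1):
        if all(samples[i] == samples[i + p] for i in range(n - p)):
            return p
    return None


def assess(samples):
    """Combine both checks into one verdict for a telemetry window."""
    return {
        "out_of_band": out_of_band(samples),
        "replay_period": replay_period(samples),
        "suspicious": bool(out_of_band(samples)) or replay_period(samples) is not None,
    }


# Constructed telemetry: a genuine, noisy stream of rotor-speed readings ...
GENUINE = [1000.3, 999.1, 1001.7, 998.6, 1000.9, 999.4, 1002.1, 1000.0, 998.8, 1001.2]
# ... and a stream where the same four "normal" readings are replayed.
REPLAYED = [1000.3, 999.1, 1001.7, 998.6] * 3

if __name__ == "__main__":
    for name, stream in (("genuine", GENUINE), ("replayed", REPLAYED)):
        print(name, assess(stream))
```

In a real deployment the comparison would also be made against an independent measurement (for example a separate vibration or power sensor) rather than relying on the values the PLC itself reports.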