Reset 2018: Stuxnet - the prototype for industrial control attacks
Reset 2018: Stuxnet - the prototype for industrial control attacks

The keynote speaker at yesterday's Reset 2018 was Kim Zetter, an investigative journalist and author of an acclaimed book on Stuxnet (Countdown to Zero Day: Stuxnet and the launch of the world's first digital weapon).

She took the audience through the chronology, not just from introdcution to discovery, but from the US investigating the idea that Russia, China or North Korea  could cause physical damage with digital code - through to current day copycats.

The various iterations of Stuxnet were considered, how they were introduced - naming supply companies used - as well as a detailed explanation of how the worm worked.

For those few of our readers who may not know, the Stuxnet worm was the first known digital weapon to impact the physical world. It was initially introduced into the Iranian nuclear facility at Nantanz in mid November 2007 using a USB.  After recording normal activity, which would subsequently be show on the monitors during its destructive phase, it would speed up or slow down the centrifuges that processed and enriched unranium hexaflouride gas, so that they were out of sync, causing rotors to crash.  Safety controls were disabled during this phase. Catastrophic failure was avoided and instead the attack slowed down progress, requiring constant centrifuge replacements, while wasting the gas used - presumed as a ploy to buy time for diplomacy.

To avoid being caught It scrubbed code blocks on their way to a monitoring station, and then restored the malicious code if new blocks of code were injected.

Then in June 2010 researchers at anti-virus company VirusBlokAda's offices in Belarus were given remote access and found suspicious files,using zero day exploits to install malware on the site that only deployed for the specific configuration of this plant, then unleashed seven attacks.

Zetter explained how the discovery followed the Israelis adding reporting/spreading mechnanisms to the worm.  But Zetter also quoted General Cartwright of the US during a leak investigation saying that there was no point in having a digital weapon if your opponent doesn't know you have one. Hence the suggestion that it was enough to let the Iranians know that everything they were doing was seen.

While Iran would understandably regard the action as sabotage by an enemy state, Zetter notes how it was a very calibrated attack that had strenuously avoided collateral damage.

In contrast, on 23 December 2015, a power plant in the Ivano-Frankivsk region of Western Ukraine had 60 substations taken offline by cyber-attack, with 230,000 residents in  the dark for one to six hours, as the malware prevented closing of breakers, and locked out controllers, changing their passwords. There was also a DDOS attack on the plant's telephone customer call centre, making it harder to know who was impacted and slowing initial reporting of the problem.

So we do know that attackers can achieve physical destruction with code as a fact.  Multiple nations now plan to launch their own offensive capability - “at least 20 countries we know of”.  And the capability is there for anyone to use for any purpose. Zetter concluded that while Stuxnet was a precision weapon, not everyone will be as capable and careful.