Iran Accuses Siemens of Helping U.S. and Israel Develop Stuxnet (haaretz.com)
40 points by ssclafani on April 17, 2011 | 24 comments



Stating the obvious, really. This had the US and Israel written all over it from the get-go. Clearly Siemens would have had to supply technical information in order to help build the worm. If not them, then somebody with intricate, source-code level knowledge of Siemens' SCADA system. Knowing how governments work, it's far more likely they would simply have approached Siemens and offered them incentives.

This of course raises troubling questions about how much illegality we'll let the government get away with in pursuit of goals we mostly agree are necessary, but I'm okay with it, in this instance. We'll see if that remains true next time.


I think this was possible without Siemens' help. Many of Siemens' customers would be familiar enough with the control system product in question to find weaknesses in it. People find flaws in software of all sorts without help from the vendor all the time, right?


It's certainly possible without Siemens' help, but my assertion is that the government would have gone to Siemens first anyway, because that's how the government works. A small group of hackers could have banged out Stuxnet, but if you accept that it was created by the US and Israel, then it's pretty reasonable to presume it was contracted out to some security firm, who were given the information they would need by Siemens, via the gov't.


If a small group of hackers could have banged it out, and it was intended as a covert operation, wouldn't it make more sense to do it that way rather than involve (and implicate) more people?

Or am I giving US/Israeli intelligence too much credit?


>Or am I giving US/Israeli intelligence too much credit?

The US military is a big operation. They deal with big groups and big numbers. I just don't think it's in their DNA to approach a small group of blackhats to do what they could contract a legitimate firm to do. The US military contracts out to private firms for almost everything. To think that the US would approach a small, illegitimate group requires viewing Stuxnet as an aberration. I just don't think it is. It may be a new medium for the military, but it isn't a new paradigm: they identified a problem, and approached a firm that could solve it for them. That's my theory, at any rate. It's supported by those in the security industry who've analyzed it and determined the code itself wasn't anything special, just that the number of 0days involved was unusual. Any major security firm will have a shelf full of 0days kicking around; just look what we saw come out of HBGary.

I don't have any evidence that Stuxnet was a contract job. Hell, I don't even have any evidence beyond hearsay that the US was involved. I'm simply looking at the known facts and the known motivations and standard practices of the institutions that were (likely) involved.


> I just don't think it's in their DNA to approach a small group of blackhats to do what they could contract a legitimate firm to do

I'm still amazed it's in their DNA to do this at all, but if they did, blackhats are the right people for the job. No point in hiring a legitimate firm to build an illegitimate weapon. Remember, Stuxnet infected thousands of other factories around the world. Whoever built it ain't legitimate anymore.


Going back to the HBGary situation (again), I think it's clear that many of the firms that work with the government stretch the definition of legitimacy pretty far.

The story of the teenaged arms dealers also sheds some light on acceptable behaviour by those the US military contracts out to: http://www.rollingstone.com/politics/news/the-stoner-arms-de...


> The US military contracts out to private firms for almost everything.

Not necessarily for highly classified projects.

I can see a NSA or CIA internal group organizing. I imagine some projects can be compartmentalized and organized to run like a small startup with a handful of hand-picked individuals having a narrowly focused goal.


That's why they have security clearances. Remember, Bechtel builds most of the US's nukes, Lockheed Martin developed the F-117 when it officially didn't exist, and the same was true of Northrop-Grumman and the B2. Private firms are regularly entrusted to perform functions that require the highest levels of secrecy. And, as much as it may tickle our nerd fancy to think so, Stuxnet was nowhere near as important as nukes or stealth technology during the Cold War.


The larger the number of people who know a secret, the more likely it is that someone will spill the beans. If the government went to Siemens, they'd then need to worry about the possibility that word gets out internally, and someone leaks the plans in time for the target to take preventive action.


Siemens has people with security clearances, as they do quite a bit of defence-related work. I'm sure they have official channels that governments can interact with them through without worrying about leaks (any more than usual).


I take an odd stance here. If the US government did have a part in this, I support what they did (as I don't believe that Iran should have nuclear weapons), but not that they did it. While it affects everyone, this is not our war, and I believe that this action on Iran, if it was actually the US, was an act of war, even if not a traditional one. I'm very conflicted here, but at the end of the day I just can not support the US on this, even if it is a problem for every one of us.


> If the US government did have a part in this, I support what they did (as I don't believe that Iran should have nuclear weapons), but not that they did it.

So you want someone to do the dirty work without it being your government? (You want to, understandably, feel good about your own country).

Well, that is exactly what they have done. They didn't sign the object code officially with a "Made in the USA" string, so no matter what Iran says, officially the US can still deny everything -- "Israel probably did it. We will not comment on this. Etc. etc." So your wish came true -- it was done and your government can still officially deny it.


The cognitive dissonance is a little too thick to parse. Are you saying if another nation other than the USA had done the deed, you'd be cool with it, since it comes to an end that you support?


No, I'm saying that the ends don't justify the means. I don't think that Iran should have nuclear capabilities, but that it's not our battle to fight, and thus the US (and any other nation) should not be attacking it.


So, to clarify, you think it's a bad thing if Iran gets nukes, but nobody has the right to try and stop them?


Another way to interpret "nobody has the right to stop them" is that officially a "nobody" stops them i.e. a nameless shadow organization with everyone involved having the highest level of clearance and a program having a high degree of compartmentalization.


I would guess his position is: Don't mess with people that routinely murder your civilians, if they get angry. Like Iran's ayatollahs.

Not unreasonable, but here we talk about that murderous regime with nuclear weapons, too... :-(


I develop control systems for power generation. Current trends are towards more and more automation, interconnectedness, collecting of business information and integration with smart grids. None of this should take place over the public internet... Private fiber or microwave would be nice, but isn't in the budget for many operations, so VPN over the internet is the compromise.

Stuxnet was spread by infected USB keys, so even a totally separate network wouldn't have helped them there.

PLCs and HMI software are a security nightmare: 30 years of legacy protocols, hardware, and client deployments to support, and now all of a sudden it is under attack and no network can be considered safe.


Actually, that's interesting: did the Stuxnet event make the demand for security in such systems higher?


Why would the US and Israeli governments actually need help from Siemens? Their SCADA equipment is almost certainly deployed widespread across both countries' power plants, nuclear sites, and other locations. And, does anyone actually think that Siemens doesn't supply SCADA equipment to the US government?

I'd also bet that a lot of their SCADA software is reused across multiple industries, so the exposure to attack vectors is probably pretty enormous. Couple that with the "it can't happen to us" mentality that these large industrial companies have with regards to highly specialized software and, well.... what you see is what you get.


I believe this was already explained, but I can't remember where. Siemens had been working with the Idaho National Laboratory to identify vulnerabilities in the PCS systems, which were then used in the exploits that Stuxnet leveraged. The US intelligence agencies that developed Stuxnet could have used INL as a front for interacting with Siemens or they could have simply taken the vulnerabilities after they had been identified as part of that joint effort. Either way I'm sure there was help from Siemens somewhere throughout the process, but not necessarily for the explicit purposes of creating the Stuxnet worm.


Perhaps the US/Israel discovered the prospect for this particular kind of software-based functional sabotage in defensive analysis of their own similar industrial systems. That analysis would have deserved vendor technical cooperation, perhaps even source code and engineering design documents, for wholly legitimate reasons, as a matter of course.

It shouldn't be surprising that any especially insidious risks discovered during that process could then be shared with the more covert and offensive branches. That wouldn't be Siemens' fault at all.


In 2008, the Idaho National Laboratory was working on the Siemens PLC and even made a presentation about it: http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf (Page 59 and Page 60 are quite interesting as they use the security test case "Infiltrate PCS 7 ES and modify configuration").



