Sons of Stuxnet

Hackers are learning new lessons from the most sophisticated virus code ever written

Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”

Last year, we did a show about the Stuxnet worm that was one of the most listened to of the year. In fact, it’s one of the most listened-to shows of this year as well.

Last week, we did a show about cybersecurity with the FBI’s cyber division’s deputy assistant director, who said things seem to be getting both better and worse. He said, in particular, “The awareness of users of critical infrastructure and of the designers of critical infrastructure is heightened....Unfortunately, the awareness on the terrorist side has also increased.” Terrorist organizations, he went on to say, are focused on how to attack the West in nontraditional ways, not just through kinetic bombs but through the Internet, critical infrastructure, banking, and finance. In other words, the echoes of Stuxnet are reverberating through our real world and cyberspace, and I thought we’d continue to explore them but in a somewhat nontraditional way.

My guest today is Larry Constantine. He’s a graduate of the MIT Sloan School of Management. He’s taught at the Wharton School of Business, the IBM Systems Research Institute, the University of Technology in Sydney, Australia, and he’s currently a professor in the mathematics and engineering department at the University of Madeira, Portugal. He’s also led a double life as a family therapist and has been an assistant clinical professor of psychiatry at Tufts University, and has also taught human development and family studies at the University of Connecticut.

More to the point for our purposes today, he’s also an accomplished writer with three published novels to his name—or actually, to his pen name of Lior Samson. The third novel, published in 2010, just as the world was waking up to the complexity and sophistication of the Stuxnet attack on Iran’s nuclear program, imagined a complex and sophisticated attack on critical infrastructure, specifically U.S. power plants. He’s also the coauthor, with Ed Yourdon, of one of the most influential books in computer science, Structured Design. Larry, welcome to the podcast.

Larry Constantine: Thank you very much, Steven.

Steven Cherry: Larry, to start off maybe you can just remind our listeners about what was uniquely innovative and sophisticated about the Stuxnet worm.

Larry Constantine: Well, there were a number of things that made it a game changer in terms of malicious software. One was that it was specifically targeted. It essentially had a kind of homing mechanism that looked for particular signatures of other software and, in that software, the embedded impression of specific industrial equipment in order to take out a very special target. It was interesting in some other ways, too. It actually included three zero-day exploits, which marks it as probably not the work of malicious hackers, because they usually value zero-day exploits too much to waste multiple ones on a single piece of malware. And it included some very sophisticated code; in fact, portions of it were programmed in C and C++, which are not so commonly used by your random hackers out there. The other thing that made it interesting was that it contained a “poison pill routine,” a piece of software code that looked for a specific date and on that date would delete all parts of the Stuxnet worm. This again is more a sign that somebody was really trying to accomplish a very specific end and didn’t want to have any side effects or collateral damage, as the military likes to call it.

Steven Cherry: Just remind us what a zero-day exploit is.

Larry Constantine: A zero-day exploit is something that hasn’t been previously discovered. So it’s first discovered in the wild rather than a defect that Microsoft or Apple already knows about.

Steven Cherry: And these were specifically weaknesses in Microsoft Windows.

Larry Constantine: These were weaknesses in Microsoft Windows, yes, that gave them immediate access to some computers. From there the Stuxnet worm looked for removable media and LAN connections in order to spread itself to whatever computers it could find, always looking for specific software—in this case instances of the Siemens Step 7 series of programming tools and WinCC interface tools.

Steven Cherry: Very good. So let’s fast forward to 2011. Tell us about Duqu.

Larry Constantine: Well, if Stuxnet could be thought of as a smart bomb with a specific target in mind, Duqu is essentially a reconnaissance drone. It contains sections of code that were clearly lifted from Stuxnet, and it looks for information that could potentially be useful in attacking other industrial control systems. So it’s not a destructive package so much as it is a Trojan that is trying to gather intelligence.

Steven Cherry: I guess one of the scary things about Duqu is that in the case of Stuxnet, it was pretty clear that the level of sophistication and effort indicated a sort of major set of resources that might not be easily available to the sort of regular hacker community, if you will. And you mention that it was written in C and C++, so that’s just not the language of “script kiddies,” as they’re sometimes called. But Stuxnet seems to have delivered a whole bunch of resources to the script kiddies. Is that fair to say?

Larry Constantine: Absolutely. In fact, in my view it essentially represented a reusable code library as well as a set of templates and concepts that could be used in many different ways. And in fact, the core that made Stuxnet so effective against Iran’s facility at Natanz was a so-called man-in-the-middle attack, in which the code inserted itself into the actual industrial control system, the PLC or Programmable Logic Controller, in such a way that it was presenting a false picture to the operators of the equipment and hiding the built-in software from actual inputs coming in from the control system, and that’s a concept that can be reused in many different ways. And you don’t have to be targeting specifically high-speed centrifuges that are used for purifying uranium; you could be targeting a generator plant or a water treatment facility or a petroleum refinery. So basically, Stuxnet provided a bunch of tools that could be reused; some of those were reused in Duqu. And Duqu itself is interesting. The forensics aren’t really completed there yet, but although some sources attribute it to the same group that produced Stuxnet, I have my doubts, partly because there’s good reason to believe that Stuxnet was produced by people who had insider access to information about industrial control systems, whereas Duqu seems like a scattershot approach that is looking for more information, and that doesn’t make sense if it’s a team of people from Homeland Security and Israel’s Mossad, which are the prime suspects in the case of Stuxnet.

Steven Cherry: Larry, last month there was quite a little scare in the Midwest. A report by the Illinois Statewide Terrorism and Intelligence Center was leaked to reporters that said that hackers had entered the network of a water plant there and burned out a pump in much the same way that Stuxnet ruined those Iranian centrifuges.

Larry Constantine: Yes. Well, in fact one of the rules of cyberterrorism, laws of cyberterrorism that I’ve been formulating is that anything with a rotating shaft that operates under computer control can also be destroyed under computer control. Because once you know that the system is operating a pump or a centrifuge or a generator set or something like that, then you can start to do things like throw it out of sync; you can speed it up and slow it down in irregular patterns, you can cause it to overspeed or simply stop it too fast. There are literally dozens of ways that you can use that against any rotating piece of equipment. So essentially, Stuxnet proved that you can do this remotely and by targeting an attack, and the Illinois case essentially shows that anything is vulnerable in this way.

Steven Cherry: Now the report is believed to have been false, but the idea of the attack was all too believable, and the former chief counsel of the National Security Agency recently was quoted as saying that “water companies tended to leave default user names and passwords in place because they’re afraid to get locked out of their own systems.”

Larry Constantine: Well, there are many different paths into these systems, and in fact I often follow the postings online, and technically savvy but naive posters will comment, “Why are things like industrial control systems and nuclear plants and so forth connected to the Internet in the first place?” Well, the truth is, they’re not. There’s a so-called air gap that separates them from the general network of the companies and from the Internet. But the air gap is an illusion, because by definition there always is another way around. The reason is that the engineering systems that are being used to maintain and update the control software have to themselves be updated and maintained current, so they have to at least at times be connected to the Internet. And the industrial control systems have to connect to the engineering work stations in order to update their software and maintain it. So there’s always another path that can get malicious software into these supposedly secure systems. I mean, that’s exactly what happened to Iran—I mean, this was a military level of security and yet the Stuxnet virus was able to penetrate it.

Steven Cherry: Larry, in your most recent novel, which was published last year—it has the title Web Games—you envision malicious code that travels through an ad hoc game network. And lo and behold, last year Nintendo came out with a portable game player that looks for other game machines and sort of automatically networks with them. It seems that in the race for convenience we’re just leaving ourselves open wider and wider than ever.

Larry Constantine: This is absolutely true. The game networks represent another path, because in turn those systems will connect to local area networks. Increasingly, office devices are networked in a way that they can phone home and check in with their manufacturers to get new software, which then opens up new possibilities for exploits. And the number of holes in the digital dike, as it were, just seems to keep multiplying.

Steven Cherry: Yeah, I mean, there’s a million possible ways to get into a network, and a hacker has to only find one of them. You know, we call terrorist attacks “asymmetrical,” because a single person or a handful of people with maybe only thousands of dollars at their command can kill thousands and cause damage in the billions. But it seems cyberattacks are even more asymmetrical than that. In your novel, a sort of million-dollar attack by a handful of people—and a million dollars is like half the estimate of what people think Stuxnet cost—but that million-dollar attack threatened to take down pretty much a third or more of the power plants in the United States.

Larry Constantine: Yeah, it’s very asymmetric, and in fact, actually the more the malicious intent, the more unsymmetrical it becomes. Because if you’re trying to take out the Natanz nuclear enrichment plant, you have to have very sophisticated inside knowledge and target your software very carefully. But if you’re just trying to wreak widespread damage to the electrical infrastructure of the United States, you don’t have to be so careful. It doesn’t matter if you inadvertently cause a water plant to spin out of control, you don’t care; all you’re doing is looking for ways to cause damage, and this is a problem that is extremely difficult to find fixes for. It’s not like providing better antivirus software looking for signatures, although some of that is being attempted in the so-called SCADA networks, the Supervisory Control And Data Acquisition networks that interconnect all these industrial control systems. But ultimately, what you have is lots of different highly specialized systems, each of which represents different kinds of security issues and different kinds of vulnerabilities, and there aren’t simple generic solutions that will protect these systems.

Steven Cherry: Your novel was published in 2010, but in your preface you wrote that you started it in 2003. I’m just curious: What made you start to worry about cyberattacks on critical infrastructure back in 2003?

Larry Constantine: Well, I was working in the field. A lot of my work has been in industrial automation, power systems management and distribution, and I was aware of these wide-open doors and windows into these highly critical infrastructure systems. And so as an exercise I sketched out a back-of-the-napkin kind of design for a piece of malicious software that could take down power plants. And my intent all along was to use it as the basis of a novel. I just happened to miss the window of opportunity by a matter of months, because I was just finally finishing the final version of the novel when the Stuxnet story broke. So, yeah, I think there have been people who have been really calling for a closer examination of these vulnerabilities for a very long time. We build security fences around our power plants, we hire guards, we have dogs, we’re using robots now. But you know, anyone with a basic knowledge of how these systems work and the will to get into them can probably find a way to launch a malicious software attack.

Steven Cherry: Well, Larry, it’s a scary world, and I think it’s great to have somebody using fiction as well as nonfiction to call attention to these problems.

Larry Constantine: Well, that was really my intention in writing Web Games.

Steven Cherry: Very good. Well, thanks for talking to us today.

Larry Constantine: You’re most welcome.

Steven Cherry: We’ve been speaking with Larry Constantine, author of the recent cyberterrorism novel Web Games, about the increasing real-world threats that got a big push from last year’s Stuxnet attack. For IEEE Spectrum’s “Techwise Conversations,” I’m Steven Cherry.

Announcer: “Techwise Conversations” is sponsored by National Instruments.

This interview was recorded 13 December 2011.
Audio engineer: Francesco Ferorelli

NOTE: Constantine’s fourth novel, The Rosen Singularity, was published just this week.

NOTE: Transcripts are created for the convenience of our readers and listeners and may not perfectly match their associated interviews and narratives. The authoritative record of IEEE Spectrum’s audio programming is the audio version.