#byres #pollard #stuxnet #cybersecurity #safetysystems #controldesign #pauto #mfg Think about this one over lunch...

I'm reproducing here an email thread between Control Design's columnist Jeremy Pollard, Eric Byres of Byres Security and me. It is, shall we say, illuminating. And if this doesn't scare you into moving quickly to secure your plant networks and control systems, you just have not been paying attention, and, frankly, you'll deserve what you get when the hackers get around to your



Haven’t listened but Ralph and his boyz are the ones who disassembled the code?????  Fyi dudes...


Thanks for this – I watched it earlier this week and it is pretty accurate. We came to the same conclusions here and discuss them in our How-Stuxnet-Spreads paper and our presentation – both are available at http://www.tofinosecurity.com/stuxnet-central if you want to see them.

Interestingly, there were two other groups that decoded the Siemens PLC components of the worm, besides Ralph: Siemens and Symantec. Symantec generously supplied us the full decodes along with their analysis. Siemens gave us some analysis that hasn’t been seen elsewhere and is interesting, but basically doesn’t change Ralph’s message much. And for Ralph, we got the same info as the rest of the world, which is off his website.

Unfortunately the three groups didn’t cooperate, but they did all independently come to the same general conclusions. And that is:

• this was a focused attack on Natanz,
• Sequence C was a general purpose reusable attack, and
• this is a nice framework for future attacks.

The biggest disagreement is whether Sequence C was actually used at Natanz or if it was disabled and just waiting in the wings. Frankly I think the designers of the worm did not actually use that sequence in Natanz, as Sequences A and B were good enough for their purposes.

I also agree with Ralph that Sequence C was designed for an S7-417F safety controller. It is very reusable…

Wow.. how did this get lost??  oh easily I submit...

It’s the reusability that all should be worried about, and as Walt says, bang the drum louder, earplugs fly off the shelves…

So instead of pounding the table on that, we should be educating all about proper network connectivity, local threats, end point monitoring and security etc… then stuff from the outside can't get in..

But the cloud I fear will simply make the sandbox bigger..and things like android phones and tablets will allow all kinds of crap to be present on the network...

I think too that Stuxnet was a test.. kinda like that Nigerian guy flying from New York to LA on someone else's boarding pass, and had 10 fake ones in his bag… just a test… let's see what we can get away with…

Or maybe conspiracy theorists are just hard at work?






  • Is it just me, or did we lose sight that this malcode took out multiple Iranian nuclear installations?  It's already been established that this malcode required a formal design methodology to include a multi-faceted, multiple disciplined approach via a means (funding, access, etc) most likely available only to a nation, nation-state or well funded paramilitary (terrorist) organization.  With that in mind, I would firmly classify this as asymmetric digital warfare, and I would submit that one does not engage in warfare, asymmetrical, digital or otherwise "as a test."

    Stuxnet was not a "test," but rather a prototype.  A one of a kind, disconnected, framework based, semi-autonomous prototype preprogrammed to seek and destroy a single set of targets.  It is the digital equivalent of the well known kinetic weapons system:  the cruise missile.

    An observation:  the shameful self promotion in this space needs to end.  We need everyone to work together to move this gigantic security needle:  this means asset owners, researchers, vendors, integrators, OEMs, everyone.  I've said it before, and I'll say it again:  Security is a team sport.  The act of regurgitating others' research as an unrelenting and insufferable marketing campaign of "look how great I am," has to cease.  As Eric said, "the groups didn't cooperate."  Can we all get on the same page, please?

    My two cents, FWIW.


  • First, I personally believe that your analysis is correct...this was not a test. This was an actual cyberwarfare attack. And it worked.

    As far as "shameless self-promotion" is concerned, this is a blog provided by a for-profit organization called Control magazine...and mostly written by industry experts who do it for free-- so if they want to promote their book, or their conference, or whatever, I have no problem with it--- and I own the space, so I make the rules.

    I think Eric meant "didn't cooperate" in the sense that they worked independently, and achieved the same result.

    But I appreciate the donation of your two cents. It will help us make goal this month (grin).

    And your comments are always to the point and thoughtful, so please keep on keeping on. And if you ever want to self-promote, call me and we'll talk about it. (another grin).


  • Since the issue of cooperation between Stuxnet researchers (or the lack thereof) is brought up I would like to comment on this.

    First, Eric forgot to mention one very important player, which is ICS-CERT (or INL, which had been contracted by ICS-CERT for Stuxnet analysis).

    Second, I have been approached at last year's WeissCon by Thomas Brandstetter from Siemens and by Eric Cornelius from INL, both asking if we were interested in helping them with analyzing Stuxnet's STL code. Even though I responded in the affirmative, I never heard back from either organization.

    The story with Symantec is a little bit different and perhaps too complex to tell here. Fact is we didn't cooperate, and I thought many times that after all this was a good thing because we reached our results completely independently, thereby verifying each other. If it had been different, there would probably still be more people thinking that this would all be fabrication and fantasy.

    Actually I don't see how our work on Stuxnet could be viewed as self promotion and I will perhaps beat Brad's butt for that the next time we meet. I believe that putting one's reputation and personal safety on the line is outside of conventional marketing wisdom. I think that Brad is barking at the wrong tree. The issue that we should discuss is not whether Stuxnet researchers (Siemens is not a Stuxnet researcher) cooperated or not. The issue is the imminent threat of copycat attacks. We published last year that after Stuxnet, control systems will get irresistible for hackers. Beresford gave a taste for that. More will come. Soon.

