By Paul Gribbon
I decided to write about the decade-old story of Stuxnet as a fable. And then the Colonial Pipeline story broke; history repeating itself, or perhaps just rhyming. Stuxnet was about geopolitics. Colonial was about money (and perhaps geopolitics too). What links the two attacks, which occurred more than a decade apart, is that Industrial Control Systems (ICS) were affected by both. One directly, the other indirectly.
Just a few weeks before Colonial, the newswires were covering what they called 'the return of Stuxnet', the worm that disrupted Iran's nuclear programme in 2009-10. It was reported that Israeli intelligence had targeted the same enrichment facility at Natanz which had been at the centre of the original operation. The Guardian called it 'the latest episode on an increasing tit-for-tat cyberwar' and reminded us all that 'both sides have already targeted so-called Industrial Control Systems, which have emerged as a key weakness for countries across the globe.'
And right on cue, the Colonial Pipeline was brought to a shuddering halt. Panic buying led to long lines of distressed American motorists, the Biden Administration was forced to react, energy markets were spooked, and very quickly news outlets were calling the incident "one of the most significant attacks on critical national infrastructure in history", which was also the conclusion most commentators reached when the Stuxnet story surfaced in 2010.
Air-gapping might not hack it
We can't be sure (at the time of writing) how the hackers got into Colonial's systems, or whether they had specifically targeted the company's ICS; Colonial itself said it halted pipeline operations as a precaution after the ransomware hit its corporate IT network. But the effects were the same: chaos and disruption to a critical resource. The story focuses attention on the risks to the systems (including administrative systems) which control critical infrastructure. When the systems that run a pipeline, or, in the case of Iran's nuclear programme, a network of centrifuges, are controlled by computers connected to an internal network, then they are reachable, and therefore attackable, by anything else that can reach that network. And even if they are not, an attack on the administrative side of the operation has a knock-on effect on the functioning of the ICS. Stuxnet was carefully targeted at an ICS. DarkSide, the group behind the Colonial attack, denied doing the same, but the effect of their attack was much the same.
The (some might call them pioneering) developers of Stuxnet were clear about their objectives: get into the ICS even if it's air-gapped. They understood that there is always a point where a system must connect with the wider organisation. Administrative and engineering personnel and systems will need to work on or with the ICS, take data from it, update it, and deliver new applications or software, whether over a network link, through a vendor's remote access, or on removable media. The point is simple: when it comes to critical systems, air-gapping alone isn't enough.
Stuxnet was a cyber-worm specially developed, probably by the Americans in association with the Israelis, to take its time. It's rumoured that an infected flash-drive was passed to a lowly administrative official to infect a laptop which, eventually, was connected to an administrative network through which the worm then sought entry to the ICS. Alexander Klimburg, program director at The Hague Centre for Strategic Studies, described the Stuxnet episode as a strong 'candidate for being the world's first major cyberattack'. It was a new chapter in the story of states conducting clandestine hostile operations. And, as it turned out, a new chapter in global criminal activity.
Stuxnet's ultimate target was the programmable logic controllers (PLCs) which governed an array of centrifuges. Those controllers were air-gapped from the internet, but not from the Windows engineering and supervisory workstations running the Siemens software used to program and monitor them: the plant's SCADA (Supervisory Control and Data Acquisition) layer. So that is where the worm went. That made sense because the SCADA layer is where day-to-day operations are configured and monitored, so compromising it gives an attacker both a route into the controllers and control over what the operators see.
You can’t rely on ‘good practice’ alone
The Iranians, and perhaps Colonial, were following 'good practice'. The ICS at Natanz was air-gapped, just as it should be. It's not yet clear if Colonial's was. The attackers played the long game. Once they'd created the malware, it was only a matter of time before an infected flash-drive was connected to a machine with a path to the ICS or SCADA systems. How this happened is a matter of intense speculation. It's probable that third-party partners were infected first, and possible that a mole infiltrated one of them to get close to the ICS at Natanz.
Whatever the truth is, patience paid off: the worm made its way from machine to machine and burrowed deeper into the networks of the clandestine Iranian nuclear operation. Stuxnet had been programmed to activate ONLY when it encountered the specific Siemens controller configuration driving the Iranian centrifuges; on any other machine it simply spread and waited. And when it did activate, there was no spectacular or even discernible event. The point was to carry out subtle sabotage. Stealth and time were the main objectives of the operation.
Stuxnet carefully (and invisibly) manipulated the control logic for the centrifuge drives so that they would spin about one-third faster than their designed operating speed of roughly 63,000 revolutions per minute. The aim was to cause cumulative damage and, eventually, wear them out much faster than expected. Meanwhile the readings seen by the Iranian operators on their monitoring systems were faked: Stuxnet recorded normal values and played them back, so everything appeared to be working normally. It was a spectacularly successful plan. The International Atomic Energy Agency (IAEA) estimated that the number of known Iranian centrifuges fell by around 20% in just a year.
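The practical lesson from the faked readings is that an operator screen fed by the same controller an attacker owns cannot be trusted to reveal the attack. The following Python is an added example, not code from the article and not Stuxnet's, Siemens' or any vendor's code. It assumes the plant has an independent out-of-band measurement of drive speed (a sensor the PLC cannot write to; the name `oob_rpm`, the 5% tolerance and the three-sample alarm run are all assumptions for illustration) and cross-checks it against what the HMI reports. It also flags a feed that repeats itself exactly, since genuine process data carries noise and a verbatim loop is what a replayed recording looks like. All telemetry below is constructed, using the article's figure of about 63,000 rpm nominal and roughly one-third above that under attack.

```python
"""Added example (not from the article, and not Stuxnet's or any vendor's
code): cross-check the speed shown on the operator's screen against an
independent measurement, to catch a Stuxnet-style attack in which the
controller is driven out of band while the monitoring feed is fed replayed
'normal' values. All readings below are constructed; the sensor, thresholds
and field names are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NOMINAL_RPM = 63_000.0   # design speed quoted in the article
TOLERANCE = 0.05         # assumed: up to 5 % disagreement between feeds is tolerated
MIN_RUN = 3              # assumed: alarm only after 3 consecutive bad samples


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since start (constructed timeline)
    hmi_rpm: float    # speed as reported by the PLC to the HMI / SCADA screen
    oob_rpm: float    # speed from an independent sensor the PLC cannot write to


def divergence_alarms(samples: List[Sample], tolerance: float = TOLERANCE,
                      min_run: int = MIN_RUN) -> List[Tuple[int, int]]:
    """Return (start_t, end_t) windows in which the HMI feed and the
    independent feed disagree by more than `tolerance` for at least
    `min_run` consecutive samples. Shorter glitches are ignored."""
    alarms: List[Tuple[int, int]] = []
    run_start: Optional[int] = None
    run_len = 0
    prev_t: Optional[int] = None
    for s in samples:
        rel = abs(s.hmi_rpm - s.oob_rpm) / max(abs(s.oob_rpm), 1.0)
        if rel > tolerance:
            if run_len == 0:
                run_start = s.t
            run_len += 1
        else:
            if run_len >= min_run:
                alarms.append((run_start, prev_t))
            run_len = 0
        prev_t = s.t
    if run_len >= min_run:
        alarms.append((run_start, prev_t))
    return alarms


def replay_period(values: List[float], min_repeats: int = 2) -> Optional[int]:
    """Return the shortest period p for which the whole feed is an exact
    repeat of its first p values (seen at least `min_repeats` times), or
    None. Genuine process data carries noise, so an exact periodic repeat
    is a strong sign that recorded values are being played back."""
    n = len(values)
    for p in range(1, n // min_repeats + 1):
        if all(values[i] == values[i % p] for i in range(n)):
            return p
    return None


def assess(samples: List[Sample]) -> dict:
    """Combine both checks into one verdict for a batch of samples."""
    hmi = [s.hmi_rpm for s in samples]
    return {
        "divergence_windows": divergence_alarms(samples),
        "hmi_replay_period": replay_period(hmi),
        "oob_peak_over_nominal": max(s.oob_rpm for s in samples) / NOMINAL_RPM,
    }


# Constructed telemetry: the screen keeps showing a four-sample 'normal'
# pattern on a loop, while the independent sensor sees the drive pushed to
# roughly a third above nominal, as the article describes.
HMI_LOOP = [63000.0, 63012.0, 62995.0, 63004.0]
OOB_TRUE = [63010.0, 62990.0, 63020.0, 63000.0,             # genuine, noisy, in band
            70000.0, 76000.0, 82000.0,                       # ramping up
            84000.0, 84000.0, 84000.0, 84000.0, 84000.0]     # held at ~4/3 nominal
SAMPLES = [Sample(t, HMI_LOOP[t % 4], OOB_TRUE[t]) for t in range(len(OOB_TRUE))]

if __name__ == "__main__":
    print(assess(SAMPLES))
```

Run as-is it reports one divergence window covering the ramp and the held over-speed, a replay period of four samples on the HMI feed and none on the independent one. The design point is that the second sensor has to be genuinely independent: if it reports through the same PLC, or its value is copied from the same process image the attacker rewrites, the two feeds will agree and the check is worthless.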
Nothing has changed
Commentators at the time, and since, have speculated whether the success of Stuxnet, and the fact that its code was available for anyone to examine, has inspired other state actors and cyber-criminals to copy its tactics. As the Guardian article stressed, 'Since the emergence of the Stuxnet virus, attempts to hack and exploit ICS systems have emerged as one of the most dangerous and contested frontlines in cyberwarfare – with officials in the Biden administration… revealing a planned executive order to beef up US defences.'
That article was prescient. Not long after it was published, Colonial happened. Instead of shadowy intelligence agents launching a political attack, highly organised gangs of criminals are turning sabotage into a business model. The New Yorker recently called DarkSide 'a professional service' with its own website, blog, and a user-friendly interface which offers a range of services, including the ability for hackers to upload and publish stolen data.
They try hard to come across as 'tech entrepreneurs' and even sound like them: "We created DarkSide because we didn't find the perfect product for us," they declared in a 'press release' when they launched. "Now we have it." They then offered potential clients a sliding fee scale, ranging from twenty-five per cent of ransoms worth less than half a million dollars to ten per cent of those worth five million or more.
All ICSs are vulnerable
Any utility, manufacturing, oil, gas, mining, or engineering operation needs to protect its ICS and SCADA systems. As one commentator put it a decade ago, 'Policymakers need to assume that even air-gapped networks will be breached, and must have technologies, processes, and training in place to deal with this eventuality.' The question is, are those systems better protected now than they were then?
Criminals are not the only threat. Terrorists would be motivated by the prospect of chaos, and worse: a huge blackout, the interruption or corruption of water supplies to millions, or putting thousands of aircraft at risk in the skies would let them make a political point. Hacktivists, meanwhile, might shut down mining or drilling operations, disrupt pharma labs, or undermine manufacturers they don't like.
Seeing the wood for the trees
Cyberattacks aren't just about data, and their effects aren't always limited to computer systems; they have a very real effect on the services we all rely on. That's why it's vital that systems which manage complex operations are protected with multiple layers of security, and monitored in ways that don't depend entirely on the systems under attack.
Stuxnet was, if you like, a proof-of-concept. Colonial proved that organised criminals can now halt an operation that depends on an ICS, whether or not they target the ICS itself. The key learning point is that a network, ANY network, is both complex and intricately interconnected. At some point a laptop, phone, tablet or USB stick which has come into contact with an infected one will find its way into the inner sanctum of a critical ICS and deliver its hidden payload, so the bridging points (removable media, engineering workstations, vendor and remote access) need as much attention as the air gap itself.
From Stuxnet to Colonial, the need for vigilance and proper defence has not changed.
Talk to us about how we can help.
1. The Guardian, 'Natanz "sabotage" highlights Iran's vulnerability to cyber-attacks', 12 April 2021.
3. Alexander Klimburg, The Darkening Web, Penguin Press, 2017.
4. The Guardian, ibid.
5. The New Yorker, 'How hacking became a professional service in Russia', 23 May 2021.
6. Irving Lachow, 'The Stuxnet Enigma: Implications for the Future of Cyber Security', Georgetown Journal of International Affairs, 2011.