Instilling rigor and imagination in analysis

Countering the Iranian Nuclear Threat
Stuxnet and its Broader Implications

Randolph H. Pherson
Mary C. Boardman

Background

The International Atomic Energy Agency (IAEA) reports every three months on the Iranian nuclear program. It focuses on:

• Fifteen nuclear facilities

• Nine outside facilities using nuclear material

A November 2011 report claimed computer modeling relevant to constructing a nuclear weapon was found.

• Iranian Foreign Minister Akbar Salehi claimed the report was baseless and fabricated.

• It was seen as an indicator of nuclear weapons development.

Copyright 2012 Pherson Associates, LLC. All Rights Reserved. www.pherson.org

Background, cont’d

The Iranian government claims the nuclear program is for peaceful purposes only; however:

• Iran announced the move of some uranium enrichment facilities to an underground bunker near the city of Qom, in June 2011.

• It will triple the amount of medium-enriched uranium for production, an important step to production of weapons-grade uranium.

Most analysts:

• Believe Iran will have enough nuclear raw material for 2-3 nuclear weapons.

• Estimate Iran can build a nuclear weapon in 1-3 years.

The Stuxnet Virus

• First discovered in July 2010 by a Belarus-based security firm in computers belonging to an Iranian client.

• Initially, it was thought Stuxnet was designed to steal nuclear secrets; instead, it was designed to target a specific location in the code for a Programmable Logic Controller (PLC).

• It allowed attackers to change settings for critical factory operations, eventually causing failure.

• It is the first computer virus or worm known to have targeted industrial systems.

• It directed an attack on PLC controllers used at Bushehr and Natanz uranium enrichment facilities.

Figure 1. Aerial View of Natanz Uranium Enrichment Facility

How the Stuxnet Virus Works

• Stuxnet contained a double digital warhead, simultaneously deployed in a single worm.
  o One was designed to cripple turbines at Bushehr nuclear reactor, the other to destroy nuclear centrifuges at Natanz.
  o The first wave of Stuxnet launched on 22 June 2009, although it took months to discover and longer to determine cause.

• Stuxnet secretly recorded normal operations before initiating attack, then played recordings back to maintain the appearance of normality during attack.

• Stuxnet recorded information on the location and type of each computer infected to track progress and determine success.

The Stuxnet Virus Effects

• The virus reversed uranium enrichment at Natanz.

• There were 12,000 identified infections traced back to five infection points, linked to specific industrial organizations in Iran.

• Iran hit hard, perpetrator most likely nation state.

• United States and Israel suspected as most likely perpetrators.

• Both had motives and capability to launch attack.

Implications

Meir Dagan, retiring Mossad chief, told Knesset in January 2011 that Iran had technical difficulties in its nuclear program.

• Could prevent Iran from building a nuclear bomb until 2015.

• Approximately 1,000 centrifuges had to be replaced at Natanz between late 2009 and early 2010.

• Less than 6,000 of 9,000 centrifuges were operational in late 2010.

Figure 2. President Ahmadinejad Tours Natanz

Implications

The Stuxnet worm was open source; anyone can customize and launch the virus.

• PLC security was low, not seen as potential target.

• The Stuxnet attack alerted industrial control specialists that attacks could continue.

The challenge is ensuring future industrial control system software is not vulnerable to another Stuxnet virus or a more sophisticated worm.

• Likely to require a complete reassessment of security systems and processes, including federal technology standards and nuclear regulations.

Implications

• Stuxnet code could be reconfigured as a dirty digital bomb to infect software programs used in military weapons systems.

• A computer virus infected the cockpits of America’s Predator and Reaper drones, as reported in October 2011.
  o Iran may have launched the virus in retaliation for the Stuxnet attack.
  o The virus was thought to be logging virtual pilots’ keystrokes at Creech Air Force Base in Nevada as they remotely flew Predator and Reaper missions over Afghanistan and other warzones.
  o If true, perpetrators may be able to redirect drones and weapons.

• Later reported as a nuisance “credentials stealer” and not a “keylogger.”

Briefing Organization

What are the implications for us?

Who is responsible?

What is the extent of the damage?

How do we protect against future attacks?

Can we detect the virus if it is in our system?

Do we or any of our stakeholders have these systems?

How likely are copycat crimes, and what would the nature of these be?

How much knowledge of the system is needed?

Can we convert this into a business opportunity?
