Computing Reviews
Countdown to zero day: Stuxnet and the launch of the world’s first digital weapon
Zetter K., Crown Publishing Group, New York, NY, 2014. 448 pp. Type: Book (978-0-770436-17-9)
Date Reviewed: Jan 30 2015

This deeply researched, masterful narrative tells several stories. The principal one, about the discovery and decipherment of Stuxnet by cybersecurity researchers, is contextualized with accounts of the Iranian uranium enrichment program, its earlier physical sabotage by the US and Israel, the vulnerabilities and consequences of failed industrial control systems (ICS) for physical infrastructures, the emergence of cyberspace as a domain of international conflict, and an accompanying digital arms race. The penultimate chapter evaluates the effect of Stuxnet on Iran’s alleged efforts to build a nuclear bomb: a qualified success according to US and Israeli officials, who estimate it delayed development by at least 18 months and considerably depleted Iran’s stock of uranium gas and centrifuges. Other observers believe the effect was minor and that the Iranians quickly recovered, particularly after the causes of their equipment malfunctions were revealed.

Zetter’s last chapter examines the wider issues and questions Stuxnet raises as a major step in the militarization of cyberspace. These include:

  • the future of cyberwar--relatively low-level sabotage, crippling blows to military and civilian infrastructures or special ops on a tactical level, with the occasional strategic impact;
  • the possibilities for deterring cyber attacks on infrastructure;
  • the problem of monitoring the development and stockpiling of cyber weapons;
  • the ethics of governments withholding discoveries of zero-day vulnerabilities in the name of “national security”; and
  • the irony of the US advocating cybersecurity on a global level while its agencies and its Israeli ally were building and running Stuxnet.

This last point, like a similar one about the National Security Agency’s (NSA) mass surveillance as revealed by Snowden, suggests the pursuit of a covert program without any consideration of the systemic effects in the event of its exposure. Might that have been a hazard of compartmentalized organizations or the effect of technological enthusiasm?

Zetter is particularly good in distinguishing the investigations of the attack tools--the “missile” in her terminology--which seized control of a Windows environment, from those of the “payload” itself, the code that replaced the Siemens ICS software to feed malicious instructions to the programmable logic controllers (PLCs) for certain devices used in the enrichment process. In one version of Stuxnet, the malicious code caused a frequency converter to run centrifuges at damaging speeds; a second version caused valves of pipes between cascades of centrifuges to open at the wrong times, resulting in the loss of the uranium gas being enriched. Zetter follows members of a research team at the cybersecurity firm Symantec as they unpack the malware, which exploited four unpublicized vulnerabilities (zero days) and forged certificates to hijack the Windows operating system and launch the bogus ICS. They observed that the newly installed software changed code on the PLCs, but not being familiar with industrial controls they could not understand to what end. Aided by their reports, Ralph Langner, a specialist in ICS failures and Siemens PLCs, recognized that the payload only operated in the presence of a particular PLC, many instances of which he knew were in Iranian systems. On that basis, he inferred that the targets were some processes in Iran’s nuclear development program, although his guess was the nuclear reactor at Bushehr rather than the centrifuges at Natanz. Other experts then quickly provided the more exact answer.

Although the story of the development and deployment of Stuxnet itself remains annoyingly secret, Zetter makes some well-informed conjectures about it. Noting discussions in the NSA since the mid-1990s about digital attacks on physical infrastructures, and taking some timestamps in the code at face value, she suggests that work on Stuxnet began as early as 2003. It might initially have been built on earlier research on subverting Siemens ICS and PLCs--a project that would have been warranted by their prominent use in Middle East oil and gas industries--but by 2003, it was also possible to anticipate some of the equipment that would be used in Iran’s uranium enrichment. Several different groups at the NSA and at Israel’s signals intelligence unit did the heavy lifting of code development, with testing, according to one of her sources, at Oak Ridge National Laboratory (ORNL) rather than, as more commonly reported, at a simulated range in Israel. ORNL had a collection of centrifuges and other equipment similar to those in Iran, which the US had taken from Libya after that country, under international pressure, renounced its nuclear development program. (The well-known 2007 experiment at Idaho National Laboratory in which a generator was destroyed by remote digital attack was apparently unrelated to this work.) The launch of the first version of Stuxnet likely occurred in late 2007, about the same time that Congress reportedly authorized $400 million for a “major escalation in covert operations aimed at undermining Iran’s nuclear ambitions.” By 2008, some difficulties in operations at Natanz were being reported. These results might not have seemed sufficient for the program’s sponsors, but its expansion in 2009 eventually led to the discovery of the malware.

Many questions remain with respect to Stuxnet as an astounding technological achievement and as a challenge to international security that should not be dismissed with a knowing wink. For example, how much did the program depend on human intelligence? How much intelligence was gained through Flame, a massive Swiss Army knife of spyware, which was developed and deployed before Stuxnet? Who brought the malware-laden flash drives into the air-gapped Iranian facilities, and did they do so knowingly? How many people were involved in the program and how was it organized? When, if ever, did its sponsors recognize their actions could be considered an act of war? Until there are answers to these questions, Zetter’s account is a must-read.


Reviewer:  Roger Hurwitz Review #: CR143128 (1505-0389)
Security and Protection (K.6.5 )
Abuse And Crime Involving Computers (K.4.1 ... )