
Cyber attack case study

Stuxnet

By: Jimena Alegria


INITIAL DISCOVERY

• Stuxnet was discovered by Sergey Ulasen, then working at the internet security company
VirusBlokAda (Kaspersky became involved later). While investigating a customer complaint that
a computer kept rebooting, he found the Stuxnet malware on that computer.
INCIDENT RESPONSE

• Stuxnet came to light because, unexpectedly, it spread beyond the Natanz facility. As noted,
Natanz was air-gapped, and it is not clear how Stuxnet got out. Many in the U.S. believed the
spread was the result of code modifications made by the Israelis. It is also possible that it
escaped thanks to poor security practices on the part of the Iranians at Natanz; it could have
been something as simple as someone taking a work laptop home and connecting it to the internet.
ATTRIBUTION CHALLENGES

• It is practically impossible to attribute an attack with 100% certainty, so attribution can be
contested. Attackers take steps to hide their activity, to misdirect analysts and to
frame others (e.g., using malware created by others, using computers owned by
others, embedding a language they don't speak). Many technical indicators are
easily spoofed.
Impact and Consequences
DISRUPTION
• Stuxnet reportedly ruined almost one-fifth of Iran's nuclear centrifuges.
Targeting industrial control systems, the worm infected over 200,000
computers and caused 1,000 machines to physically degrade.
PUBLIC REACTION

• Stuxnet is typically introduced to the target environment via an infected USB flash drive, thus
crossing any air gap. The worm then propagates across the network, scanning for Siemens
Step7 software on computers controlling a PLC.
MITIGATION AND RECOVERY
Technical mitigation
• Effective security policies and procedures. Policies and procedures are the first step to securing control systems. These
policies and procedures then need to be reviewed and updated as part of a continuous improvement program.
• Security Policies should be created that address specific host-to-host and zone-to-zone communication requirements,
including protocols, ports, etc. This information is vital and will be used in subsequent countermeasures to identify suspect
traffic, and is a basic requirement in complying with ISA-99 standards.
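The zone-to-zone policy described above can be made concrete as an allowlist that observed flows are audited against. The following is an added example, not part of this case study or of any ISA-99 material: the zone names, subnets, hosts and flow records are all constructed for illustration, and the only real-world value is TCP port 102, the ISO-on-TCP port used by the Siemens S7 protocol. Any flow that no policy rule covers (wrong source zone, a PLC initiating a connection, a host outside every zone, or a port the policy never mentions) is reported as suspect traffic.

```python
"""Zone-to-zone communication policy audit for a control network.

Added illustration (not from the case study): a policy lists the allowed
zone-to-zone flows (protocol + destination port); every observed flow the
policy does not cover is reported as suspect. Zone names, subnets, hosts
and flow records below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Hypothetical zoning: each zone is a list of subnets.
ZONES = {
    "enterprise": [ip_network("10.0.0.0/16")],
    "engineering": [ip_network("10.1.10.0/24")],   # Step7 workstations
    "control": [ip_network("10.1.20.0/24")],       # PLCs
}

# Hypothetical policy: only engineering workstations may open S7 (TCP/102)
# sessions to the control zone; enterprise hosts reach engineering only
# over HTTPS. Control devices are never allowed to initiate anything.
POLICY = [
    Rule("engineering", "control", "tcp", 102),
    Rule("enterprise", "engineering", "tcp", 443),
]


def zone_of(addr: str) -> str:
    """Return the zone containing addr, or 'unknown' if no zone matches."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def is_allowed(flow: Flow, policy: Iterable[Rule] = POLICY) -> bool:
    """True if some rule matches the flow's zones, protocol and port."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    return any(
        rule.src_zone == src_zone
        and rule.dst_zone == dst_zone
        and rule.proto == flow.proto.lower()
        and rule.dport == flow.dport
        for rule in policy
    )


def audit(flows: Iterable[Flow],
          policy: Iterable[Rule] = POLICY) -> List[Tuple[Flow, str, str]]:
    """Return (flow, src_zone, dst_zone) for every flow the policy does not cover."""
    policy = list(policy)
    return [(f, zone_of(f.src), zone_of(f.dst))
            for f in flows if not is_allowed(f, policy)]


# Constructed sample flow records (e.g. from NetFlow or a span-port sensor).
SAMPLE_FLOWS = [
    Flow("10.1.10.5", "10.1.20.7", "tcp", 102),     # engineering -> PLC S7: allowed
    Flow("10.0.3.12", "10.1.20.7", "tcp", 102),     # enterprise -> PLC S7: suspect
    Flow("10.1.10.5", "10.1.10.9", "tcp", 445),     # SMB between workstations: not in policy
    Flow("10.1.20.7", "10.1.10.5", "tcp", 102),     # PLC initiating to workstation: suspect
    Flow("192.168.99.4", "10.1.20.7", "tcp", 102),  # host outside every zone: suspect
]

if __name__ == "__main__":
    for flow, src_zone, dst_zone in audit(SAMPLE_FLOWS):
        print(f"SUSPECT {src_zone}->{dst_zone} "
              f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

The policy is deliberately written in terms of zones rather than individual hosts, so that adding a workstation only means adding it to a subnet, and the audit is a pure function of policy plus flow records, which makes it easy to replay against historical captures when a policy changes.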

Negotiation Dilemma

• The creators of Stuxnet reportedly programmed it to expire in June 2012,
and in any case, Siemens issued fixes for its PLC software.
SUMMARY

• Stuxnet destroyed thousands of centrifuges and greatly delayed Iran's nuclear program. Ralph
Langner states that Stuxnet has "changed global military strategy in the 21st century". The
aftermath of Stuxnet will also be seen worldwide in the arms race that most likely follows
the success of such a cyber weapon.
