According to Gartner’s predictions, Cyber attackers will be able to weaponize operational technology and harm or kill humans by 2025. Operational technology (OT) refers to monitoring or controlling pieces of equipment or processes in manufacturing, resources, and utilities. Cyber-physical systems (CPS) and internet of things (IoT) devices are increasingly affecting our quality of life and also playing a more important role in our society’s infrastructure and government. The combination of global digital interconnection and sophisticated major cybercrime players (such as states sponsored or organized crime hackers) are increasing the domain and consequences of such attacks.
Stuxnet, a highly sophisticated 500 KB worm, was first uncovered in 2010 after destroying many centrifuges in Iran’s Natanz uranium enrichment facility. It was originally developed to remotely exploit a zero-day vulnerability of a version of Siemens SIMATIC STEP 7 and PCS7 software running on Microsoft Windows machines in Iranian nuclear programs. This is a supervisory control and data acquisition (SCADA) system that controls types of equipment utilized in power plants and other manufacturing industries. The worm was identified by a security company from Belarus due to spreading beyond the intended target, caused by an error in programming and infecting more than 200,000 computers across the world while physically destroying 984 centrifuges.
It is believed that in 2008 Siemens shared its source code with US authorities and Idaho National Laboratory in order to find any possible security vulnerabilities in the PLC system used in nuclear energy facilities operations. It is commonly believed that the US and Israeli joint intelligence task force against the Iranian nuclear program was informed about the vulnerability found in Siemens software, and they started developing Stuxnet. The task force’s code name was “Operation Olympic Games,” and it had worked under President Bush and President Obama's administrations. The Stuxnet domain, “mypremierfubol.com,” was registered in late 2008 and was supposed to be used only for code download and updates. it seems that Stuxnet had spread itself via LAN into contractors’ systems that were working with the Iranian nuclear program, at first, and then transferred into the offline PCs inside the facility by a USB stick, most probably by an insider. The worm was programmed to check the machines after infection and identify whether it was part of the targeted control system made by Siemens or not, and if it was, it would try to access the internet for the latest updates. The next step was reconnaissance and gathering information, which then was used to take control of the centrifuges, making them spin irregularly and push them to failure. The worm also was giving false feedback and reports to the outside controllers, so they couldn’t diagnose the problem. Stuxnet was later compared to Industroyer, which was used to attack Ukraine’s power grid, for its unique capability in direct communication with industrial hardware.
It seems this attack was massively successful because of:
- Multi-States sponsored sophisticated team
- Shared zero-day vulnerability
- Serious security breaches in Iranian organizations (personnel and cyber security and protocols), they failed to consider supply chain vulnerabilities and implement an effective IDS/IPS, AD, and ACL monitoring system.
On the Iranian side, the attack could have been prevented or at least minimized the impact by implementing:
- Multi-layered defense, or defense-in-depth, to ensure more effective security, such as security policies, ACL, component isolation, segmentation, and workforce training.
- Physical and logical barriers between different networks (SCADA and organizational networks).
- Disabling all unnecessary ports (physical & logical).
- Restrict user privileges and implement pre-approval procedures for any software installation or changes.
- Constant administrative monitoring procedures on the network.
For a country like Iran that is technologically dependent on other states and multinational corporations, there is always a considerable risk of manipulation or exploitation; however, their critical point of failure was the lack of proper security, personnel, and IT, especially for such a secretive and politically imperative program.