I like how even though it is pretty clear that the target is Iran's uranium enrichment complex with centrifuges running at 600Hz - 1200Hz, they explicitly avoid mentioning that. That shows considerable professionalism, as obviously there is no factual evidence of that (and most likely there won't be unless one of the authors decides to confess).
It's fascinating to think about Symantec's motivations for creating that very well-produced, streamlined video. It basically plays like an ad for Stuxnet, the growth of which represents the creation of a new market for Symantec.
It would be an odd move in terms of the market though?
i.e., how many Windows machines/networks are there which are hooked up to PLCs (well, there are a lot, but many orders of magnitude less than consumer uses of Windows and PCs).
Having said that - it could be VERY lucrative for them - just not in volume. Very much high end expensive product sales (which may be a direction they want to go in - now that MS and others are rolling out built-in virus protection with the OS?).
It is all about bragging rights among the security specialists.
Symantec is basically deconstructing a worm that cost some government lots of money, time and talent to create. They want to be seen as playing in the same league as the security experts at NSA, CIA or the respective equivalents of another country.
For those of us who don't do industrial process control, what would that do to the plant?
Supposedly more than 30 programmers worked on Stuxnet. That seems like a big investment just to increase the wear rate on a few motors, however critical they might be.
I have no clue what it would do. My guess was that you'd want to not just disrupt production, but preferably damage the equipment. Since the centrifuge is such a delicately built device (see Wikipedia: http://en.wikipedia.org/wiki/Zippe-type_centrifuge), exciting a resonance or causing a bearing rub would be a productive hack.
Maybe flipping the motor drive frequency from 1200Hz to 2Hz and back could act like an impulse to excite any high-Q resonance in the centrifuge structure?
The description in the article suggests the virus quickly drops and restores the speed of the motor. A guess (from someone who knows nothing about nuclear facilities) would be perhaps this would result in enrichment processes failing to sustain the chemical process, but in a manner that would be relatively hard to detect since the change in speed is only over a short time period.
Most people seem to be assuming the intent is either to damage the centrifuges or stop them from working in other obvious ways. However, that would just lead to them being replaced, probably with better protection from reinfection.
I think there is another option: these modifications in the frequencies were intended to make sure the uranium did not become pure enough, effectively preventing Iran from obtaining a working bomb. If the virus wasn't discovered, it could have taken the Iranian scientists years to figure out why the centrifuges weren't doing their jobs, after discovering the lack of purity in the first place.
First, the virus should have been less interesting.
Second, the true goal of the virus might not be the actual attack but rather, like the scenes from the Bourne movies spying on Pamela Landy from the rooftop across the street, the realization that someone knows exactly what you're doing and they're more sophisticated than you. Further, it indicates there's a hole in your organization from which information is leaking or might be leaking (even worse if you can't find something that doesn't exist). I've followed enough of the Wikileaks controversy regarding their internal disputes to conclude the weakest link in many organizations is their structure and individual members. The true goal might be psychological.
Fortunately, I don't see this particular type of cyber warfare existing for very long. Nobody with expensive industrial computers is going to mess around when it comes to security, and it should not be difficult at all to fully insulate SCADA systems from malware.
It worked this time because nobody was expecting it, but no target worth attacking in this way is going to let it happen again.
With any plant of sufficient size, there will be a lot of people involved in commissioning, servicing and operating it. This makes "fully insulating" SCADA systems much harder.
Management people will demand to get data from the plant to manage utilization. Servicing personnel will want to connect their laptops to the automation systems to talk to their company's devices that are installed in the plant during maintenance. ... ...
So, for military projects where integrity/secrecy is a value for itself, I can imagine draconian regulations to be in place soon, or most likely they already are. But for "normal" industrial plants where there's a need for money to be made, there always will be a balance between IT security and pragmatism in running the damn thing.
And if diagnosing a failed motor controller in a stalled plant is delayed because IT security prohibits the technician from inserting his USB stick, I can tell you how the discussion with the plant manager will turn out in 99% of all cases.
But for "normal" industrial plants where there's a need for money to be made, there always will be a balance between IT security and pragmatism in running the damn thing.
And those plants likely don't have enemies powerful or motivated enough to attack them in this way. Typical black hats these days are in it for the cash and I don't see how sabotaging a factory could be made into cost effective fraud.