America’s government security experts are among the best in the world. But their private sector counterparts are mystified why government’s public findings on the Stuxnet worm – the world’s first publicly-known cyber superweapon – so often have seemed muted, old news, or incomplete.
Tucked away on a government website, the Industrial Control System-Cyber Emergency Response Team (ICS-CERT) – part of the Department of Homeland Security – posts alerts and bulletins with government analysis of Stuxnet, dutifully logging its findings since it emerged publicly in July.
Yet those government alerts have mostly been echoes of findings already made public by anti-virus companies and private researchers – often lagging by several days and providing less detailed findings, industrial control system security experts say.
It looks like government is either inept at releasing detailed technical information to help protect the country or – for other reasons political or strategic – has decided to pull its punches on helping defuse Stuxnet, security experts, former government officials and Stuxnet experts told the monitor.
For instance, they say, the US government so far has refused to provide details on Stuxnet that might help some 40-50 US-based industrial control systems possibly infected by this new generation of cyber-war software. The government’s failure, they say, leaves US corporations infected and open to attack in the future.
“Name me one new or helpful piece of information that ICS-CERT provided to the community on Stuxnet? Or any other helpful contribution on the biggest control system security event to date,” writes Dale Peterson, CEO of Digital Bond, a control systems security firm, in his Sept. 20 blog. “It seems to me to have been a delayed clipping service.”
‘Those bulletins they put out were missing key data’
“They had the expertise, the relationship with vendors, the equipment in their labs and the ability to analyze Stuxnet,” Mr. Peterson said in an interview. “But those bulletins they put out were missing key data or late. Getting this information out quickly was their sole mission, and they failed.”
Sean McGurk, director of DHS’s Control System Security Program, who oversees ICS-CERT, disputes that view, saying the team has been very focused on putting out timely public alerts – leaving out details if they did not serve the function of protecting critical US infrastructure systems.
“We took a broad all-hazards approach to the [Stuxnet] malcode,” he says in an interview. “We immediately began to analyze it and produce information to get into the hands of the community so they could begin taking protective measures.”
At the company level, ICS-CERT is focused on forensic incident response – like dealing with Stuxnet – and vulnerability assessment. Computer engineers in Washington, along with experts at the Department of Energy’s Idaho National Laboratory, test control system software and equipment. Results are distributed to software vendors and users of the system software.
“We were able to reverse engineer the [Stuxnet] code and monitor how it works,” McGurk says. “There have been individuals speculating on attribution and intent…. Our main focus has been on understanding the malware and putting mitigation in place – how to prevent the spread and how to protect the physical infrastructure.”
Still, examples of government as follower abound that Peterson and others say show the government has not been doing enough to get critical information out.
On Sept. 21, German researcher Ralph Langner dropped a bombshell at a cyber security conference in Maryland detailing how Stuxnet “fingerprints” its target, making it the first-known targeted cyber missile. It is designed to home in on and “destroy something” in the real world, Mr. Langner says. Some of his findings, posted on his website Sept. 13, were echoed days later in an ICS-CERT alert.
This past week the big anti-virus software company Symantec again eclipsed government researchers by unveiling a 49-page blue print of Stuxnet, which some experts speculate was aimed at wrecking Iranian nuclear facilities, but which has spread far beyond Iran.
Symantec’s analysis – much of it released long ago in blog posts this summer – details not only how Stuxnet operates, but also key steps to defuse it.
That could be important since Symantec notes in its new report that about 60 percent of the 100,000 Stuxnet-infected computers worldwide were in Iran. Yet just under 1 percent of those infections were in the US – roughly 900 computers systems. And within that smaller group, about 5 percent of the infections (40-50 computers) were on Siemens industrial control systems.
Siemans uncertain how many clients infected
That’s a lot more than Siemens admits to. A spokesman told the Monitor just 15 of its industrial controls systems clients worldwide had reported Stuxnet infection. The spokesman acknowledged, however, the company is not certain all its clients would have reported an infection if they had one.
That worries some experts who wish there was a stronger government push to fan out among potentially affected industries to explain Stuxnet and the threat variants it might pose.
“I don’t think the chemical industry has their eyes on this, which is why I’m writing about this,” says Patrick Coyle, a retired chemical engineer who writes a blog called Chemical Facility Security News. “Government hasn’t reached these guys.”
Others like Joel Langill, an industrial control systems security expert who works in the oil and gas industry says there’s been a distinct lack of information flowing from government.
“It was very quiet in July, and about the only place to get public information on Stuxnet was from Symantec,” says “I don’t think ICS-CERT reports have done justice to the magnitude of what happened. Their reports have contained a lot of detail about the Stuxnet worm and prevention, but haven’t done much about what to do if you had it. If this was a massive cyber attack, they didn’t do very well.”
On Sept. 29, ICS-CERT released a four-page “advisory,” the most recent in a series of similarly brief tracts on how Stuxnet has operated since July.
But until the Sept. 15 advisory – which appeared two days after Mr. Langner’s revelations on his website – none of these federal missives provided details that would be needed by US-based industrial systems to detect and remove Stuxnet from infected programmable logic controllers or PLCs, several experts say.
One part of Stuxnet sneaks into an industrial control system. But another part drops its main bomb on PLCs – vital computers that directly control robots on the factory floor. It was an issue focused on and unpacked in detail by Symantec in early August. But it took the government until its Sept. 15 advisory to address the PLC issue.
While some private researchers have peeled the Stuxnet onion, others left waiting since mid-July for key details from US government researchers for corroboration have frequently been disappointed.
“They did okay addressing Stuxnet, but I would like to know what I can do to prevent a similar attack coming in the future. That’s where they come up short,” says Langill.
One who applauds the federal government for its efforts on Stuxnet is Mark Weatherford, chief of security for the North American Electric Reliability Corporation. His organization, which is charged with keep the grid up and running, says his group has been working closely with government to get the word about Stuxnet security concerns directly to about 2,000 registered energy generators nationwide.
“Hopefully Stuxnet will die a peaceful death,” he says. “But we’re going to stay on top of it until we feel comfortable that the threat is no longer there.”
Lack of details leads to rumors and speculation
Still, the consistent shortfall in Stuxnet details from government has led to rumors and speculation. One theory circulating is that the Defense Department feared somehow exposing nuclear systems by detailing Stuxnet fixes.
Another more obvious theory is that Israel may be behind the cyber attack on Iran – and US officials don’t want to provide Iran with a road map for fixing computers inside their nuclear facilities. Iranian authorities have admitted that Stuxnet infiltrated their nuclear power plant.
“The real question is: Did the US government know the target,” says one cyber security expert in the private sector who asked not to be named because he works with the government sector and fears losing its business. “Did the US government know Stuxnet’s target and say, ‘No, no, no – we don’t want this information [about how to defang Stuxnet] out there. It’s highly plausible that people knew Iran was the target and didn’t want all the details about how to fix Stuxnet to get out right away.”
But Scott Borg, who directs the US Cyber Consequences Unit, an independent cyber research center, says because malware attacks are so hard to source, he would not be too quick to assume the US is withholding information to help Israel, or even that Iran was the target, despite the apparent predominance of Stuxnet infections reported in Iran.
The most plausible explanation is that private sector researchers are winning the race on getting information out because they are better at it.
“Most experts [on control systems] are in the private sector and sometimes they are just faster,” Mr. Borg says. “Everyone in government has to follow proper procedure. In the private sector you go for the right answer, cut every corner to get their first. It’s easier to do this work in very informal settings.”
Others, however, told the Monitor there is every sign that US government researchers at the Idaho National Laboratory knew a lot more about Stuxnet and how to defeat it – far more than has yet been released by the government. Government researchers, they say, knew well before most information about it was released publicly by private companies.
Government might have decided to release less information publicly about Stuxnet, Borg said, and supply it instead to Siemens with the details needed to fix the problem with its own customers, thereby safeguarding a valued relationship.
“There’s this decision making process,” he said. “Do we hurt trusted relationships, other governments, vendors, our own military? This is why you get this disparity between what is released from government and what’s released privately.”
Still, such decisions can leave even professionals “incredibly frustrated because they ended up looking like goofballs,” a former senior government official, who asked not to be named because he still works with government, says of US researchers on Stuxnet. “They had done good work. They knew a lot – and had gotten to a good place with [Stuxnet] before anybody else. But in public they looked like they weren’t on top of their game. These guys did an incredible level of work that never got out in enough technical detail.”
Meanwhile, back in Germany, Mr. Langner posted another blog item – this one an eight-point critique of what he writes is critical, but missing information not raised in the most recent Sept. 29 ICS-CERT advisory on Stuxnet.
“Why explain in great length all the funny files that Stuxnet installs and not saying how to simply pull the plug by deleting one file?” he writes.
Joe Weiss, a managing partner at Applied Control Solutions, which sponsored the conference where Langner spoke, is disappointed that government officials at the conference provided few details about Stuxnet.
‘Why are they holding back?’
“Neither the Department of Energy or DHS has been giving us any real help on this issue,” says Mr. Weiss. “If they’ve got the information, why the heck wasn’t that information being sent to our infrastructure owners? Why are they holding back?
He and others say there is more than a little irony in federal officials touting last week’s Cyber Storm III, the government’s third big war game, as great preparation for a cyber attack with the backdrop of Stuxnet, the first known cyber superweapon to make its appearance in the public realm.
But to charges of offering late and incomplete information on this major new threat, DHS’s Mr. McGurk says his agency has no apologies for not listing all the gory details, which he said is intentional when it occurs.
“I wouldn’t say information was intentionally withheld because it wasn’t complete,” he says referring to the ICS-CERT alerts on Stuxnet since July. Sometimes it’s best to go to work directly with the chemical industry or petroleum industry, he notes.
That may entail sharing some detailed information the government knows but wants to keep to itself and those who most need to know it – information, he says, that is “not something we are going to put publicly on a public website.”