
Iran Accuses Siemens of Helping U.S. and Israel Develop Stuxnet - ssclafani
http://www.haaretz.com/news/international/iranian-military-official-siemens-helped-u-s-and-israel-in-cyber-attack-on-nuclear-program-1.356419
======
redthrowaway
Stating the obvious, really. This had the US and Israel written all over it
from the get-go. Clearly Siemens would have had to supply technical
information in order to help build the worm. If not them, then somebody with
intricate, source-code level knowledge of Siemens' SCADA system. Knowing how
governments work, it's far more likely they would simply have approached
Siemens and offered them incentives.

This of course raises troubling questions about how much illegality we'll let
the government get away with in pursuit of goals we mostly agree are
necessary, but I'm okay with it, in this instance. We'll see if that remains
true next time.

~~~
daeken
I take an odd stance here. If the US government did have a part in this, I
support what they did (as I don't believe that Iran should have nuclear
weapons), but not that they did it. While it affects everyone, this is not our
war, and I believe that this action on Iran, if it was actually the US, was an
act of war, even if not a traditional one. I'm very conflicted here, but at
the end of the day I just _can not_ support the US on this, even if it is a
problem for every one of us.

~~~
shii
The cognitive dissonance is a little too thick to parse. Are you saying if
another nation other than the USA had done the deed, you'd be cool with it,
since it comes to an end that you support?

~~~
daeken
No, I'm saying that the ends don't justify the means. I don't think that Iran
should have nuclear capabilities, but that it's not our battle to fight, and
thus the US (and any other nation) should not be attacking it.

~~~
redthrowaway
So, to clarify, you think it's a bad thing if Iran gets nukes, but nobody has
the right to try and stop them?

~~~
rdtsc
Another way to interpret "nobody has the right to stop them" is that
officially a "nobody" stops them i.e. a nameless shadow organization with
everyone involved having the highest level of clearance and a program having a
high degree of compartmentalization.

------
snowwindwaves
I develop control systems for power generation. Current trends are towards
more and more automation, interconnectedness, collecting of business
information and integration with smart grids. None of this should take place
over the public internet... Private fiber or microwave would be nice, but
isn't in the budget for many operations, so VPN over the internet is the
compromise.

Stuxnet was spread by infected USB keys, so even a totally separate network
wouldn't have helped them there.

PLCs and HMI software are a security nightmare, 30 years of legacy protocols,
hardware, and client deployments to support and now all of the sudden it is
under attack and no network can be considered safe.

~~~
maayank
Actually, that's interesting: did the stuxnet event made the demand for
security in such system higher?

------
blantonl
Why would the US and Israeli governments actually need help from Siemens?
Their SCADA equipment is almost certainly deployed widespread across both
countries' power plants, nuclear sites, and other locations. And, does anyone
actually think that Siemens doesn't supply SCADA equipment to the US
government?

I'd also bet that a lot of their SCADA software is reused across multiple
industries, so the exposure to attack vectors is probably pretty enormous.
Couple that with the "it can't happen to us" mentality that these large
industrial companies have with regards to highly specialized software and,
well.... what you see is what you get.

------
thematt
I believe this was already explained, but I can't remember where. Siemens had
been working with the Idaho National Laboratory to identify vulnerabilities in
the PCS systems, which were then used in the exploits that Stuxnet leveraged.
The US intelligence agencies that developed Stuxnet could have used INL as a
front for interacting with Siemens or they could have simply taken the
vulnerabilities after they had been identified as part of that joint effort.
Either way I'm sure there was help from Siemens somewhere throughout the
process, but not necessarily for the explicit purposes of creating the Stuxnet
worm.

------
gojomo
Perhaps the US/Israel discovered the prospect for this particular kind of
software-based functional sabotage in defensive analysis of their own similar
industrial systems. That analysis would have deserved vendor technical
cooperation, perhaps even source code and engineering design documents, for
wholly legitimate reasons, as a matter of course.

It shouldn't be surprising that any especially insidious risks discovered
during that process could then be shared with the more covert and offensive
branches. That wouldn't be Siemens' fault at all.

------
adulau
In 2008, the Idaho National Laboratory was working on the Siemens PLC and even
made a presentation about it:
<http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf> (Page 59 and Page
60 are quite interesting as they use the security test case "Infiltrate PCS 7
ES and modify configuration").

