Stuxnet: Anatomy of a Virus Sensational Video

I disagree with about 90% of this video, and find it annoying that they do not cite references. Who says there were 20 zero-days? There were only four, and even that is debatable, as I’ve said before. It’s a shining example of how speculation has filtered its way into fodder for sensational videos.

Oooh, scary.

I do not understand how they can avoid mentioning that the person credited with the first and most detailed analysis of Stuxnet, Ralph Langner, calls it “very basic”. He even explains how the antivirus company researchers, who are notorious for hyping threats, got their analysis wrong.

Stuxnet attack very basic. DLL on Windows was renamed and replaced with new DLL to get on embedded real-time systems (controller). It was not necessary to write good code because of the element of surprise — only had to work pretty well.

Nate Lawson gives probably the best and most authoritative explanation of Stuxnet available anywhere, and it also contradicts the scary video. Unfortunately, he made a major marketing mistake: he called his blog post “Stuxnet is embarrassing, not amazing“. It’s a post with a modest and realistic view of the code.

Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload. I really hope it wasn’t written by the USA because I’d like to think our elite cyberweapon developers at least know what Bulgarian teenagers did back in the early ’90s.

What he should have called it was something like “What the next Stuxnet will look like” or “How Stuxnet could be 100x more powerful”. That would have given him the same level of buzz as, or even more than, the nonsense peddled in the above video.

And what this video should have said is that Iran was infected by a low-grade attack because it had poor security management practices and was compromised by an insider. What are the chances that the nuclear program would have succeeded anyway, given that maintenance failures and rust in thousands of centrifuges were also causing problems? Or, to put it the other way, what are the chances that a high rate of centrifuge failure was unanticipated, as the Institute for Science and International Security (ISIS) explains?

The destruction of 1,000 out of 9,000 centrifuges may not appear significant, particularly since Iran took steps to maintain and increase its LEU production rates during this same period. […] One observation is that it may be harder to destroy centrifuges by use of cyber attacks than often believed.

Although the attack was well planned and targeted to exploit a specific set of issues, it leveraged weak and known-bad controls: unnecessary services, poor isolation/segmentation and no host-based monitoring. It is truly scary to see, over and over again for more than 10 years now, nuclear energy companies relying on obfuscation and self-assessment rather than a set of security best practices to address risk. Calling Stuxnet sophisticated gives the Iranians far too much credit for their defences and just plays into the hands of those who want to escalate international political conflict.
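Langner’s point about the renamed-and-replaced DLL and the missing host-based monitoring above connect directly: a baseline-and-compare integrity check on the engineering workstation’s install directory would have surfaced exactly that swap. The following is an added example, not code from the original post, from Langner or from any vendor. The directory layout, the file names (vendor_driver.dll, vendor_driver_orig.dll, engineering.exe, project.cfg) and the file contents are constructed for the demonstration; swap_dll stands in for the attacker’s step and is not a real tool.

```python
#!/usr/bin/env python3
"""Baseline-and-compare integrity check for a controller-software install directory.

Added example, not code from the original post, from Langner or from any vendor.
It reproduces the rename-and-replace DLL swap Langner describes on constructed
files and shows the host-based check that flags it. File names and contents are
constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every file under root as {relative path: sha256}."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots.

    "renamed" lists (old_name, new_name) pairs where a baseline hash no longer
    sits under its old name but reappears under a new one. Parking the genuine
    DLL under another file name so a replacement can take its place leaves
    exactly this footprint: the original name shows as "modified" and the parked
    copy shows as "renamed" from it. (If two baseline files had identical
    contents, only one of their names is tracked per hash; fine for an example.)
    """
    findings = {"modified": [], "added": [], "removed": [], "renamed": []}
    old_name_for_hash = {h: name for name, h in baseline.items()}
    for name, h in current.items():
        if name in baseline:
            if baseline[name] != h:
                findings["modified"].append(name)
            continue
        old_name = old_name_for_hash.get(h)
        if old_name is not None and current.get(old_name) != h:
            findings["renamed"].append((old_name, name))
        else:
            findings["added"].append(name)
    rename_sources = {old for old, _ in findings["renamed"]}
    findings["removed"] = [
        name for name in baseline
        if name not in current and name not in rename_sources
    ]
    return findings


def swap_dll(root: Path, target: str, parked_as: str, payload: bytes) -> None:
    """Constructed attacker step: park the genuine library under a new name and
    drop a replacement under the name the engineering tool loads."""
    (root / target).rename(root / parked_as)
    (root / target).write_bytes(payload)


def demo() -> dict:
    """Build a constructed install directory, baseline it, perform the swap,
    and return what the integrity check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor_driver.dll").write_bytes(b"GENUINE-DRIVER-v1\x00" * 64)
        (root / "engineering.exe").write_bytes(b"ENGINEERING-TOOL\x00" * 64)
        (root / "project.cfg").write_bytes(b"constructed project data")
        baseline = build_baseline(root)
        swap_dll(root, "vendor_driver.dll", "vendor_driver_orig.dll",
                 b"ATTACKER-SHIM\x00" * 64)
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Running it reports the swap as one modified entry (vendor_driver.dll) plus one renamed pair (vendor_driver.dll to vendor_driver_orig.dll), with nothing simply added or removed. Taken from a known-good install and run periodically or on file-change events, this is the kind of host-based monitoring the paragraph says was absent. One caveat a practitioner would insist on: the baseline must be kept where the same attacker cannot rewrite it (an offline or signed copy), otherwise a replacement that also refreshes the baseline goes unnoticed.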

2 thoughts on “Stuxnet: Anatomy of a Virus Sensational Video”

  1. “Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload.” Maybe that was the point. Some have called Stuxnet the most researched virus in history. At minimum it is the most talked about. Why use weapon X when weapon Y will work and you don’t run the risk of revealing what X can do. Just like Langner said “It was not necessary to write good code because of the element of surprise”.

    Symantec’s W32.Stuxnet Dossier sure makes it sound more than basic, but that may be the point. I think the truth lies somewhere in between.
