I disagree with about 90% of this video, and find it annoying that they do not cite references — who says there were 20 zero-days? There were only 4, and even that is debatable, as I’ve said before. It’s a shining example of how speculation has filtered its way into to fodder for sensational videos.

Oooh, scary.

I do not understand how they can avoid mentioning that the guy who is credited with having the most detailed and first knowledge of Stuxnet — Ralph Langner — calls it “very basic”. He even explains how antivirus company researchers, infamous for hyping the threat, are wrong in their analysis.

Stuxnet attack very basic. DLL on Windows was renamed and replaced with new DLL to get on embedded real-time systems (controller). It was not necessary to write good code because of the element of surprise — only had to work pretty well

Nate Lawson gives probably the best and more authoritative explanation of Stuxnet available anywhere, which also contradicts the scary video. Unfortunately, he made a major marketing mistake. He called his blog post “Stuxnet is embarrassing, not amazing“. It’s a post with a modest and realistic view of the code.

Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload. I really hope it wasn’t written by the USA because I’d like to think our elite cyberweapon developers at least know what Bulgarian teenagers did back in the early 90′s.

What he should have called it was something like “What the next Stuxnet will look like” or “How Stuxnet could be 100x more powerful”. That would have given him the same level of buzz or even more than the nonsense peddled in the above video.

And what this video should have said is that Iran was infected by a low-grade attack because they had poor security management practices and were compromised by an insider. I mean what are the chances that the nuclear program would have succeeded anyway, given that maintenance failures and rust in thousands of centrifuges also was causing them problems? Or to put it the other way, what are the chances that a high-rate of failure of centrifuges was unanticipated, as explained by the Institute for Science and International Security (ISIS).

The destruction of 1,000 out of 9,000 centrifuges may not appear significant, particularly since Iran took steps to maintain and increase its LEU production rates during this same period. […] One observation is that it may be harder to destroy centrifuges by use of cyber attacks than often believed.

Although the attack was well planned and targeted to exploit a specific set of issues, it leveraged weak and known-bad controls such as unnecessary services, poor isolation/segmentation and no host-based monitoring. It is truly scary too see over and over again (for more than 10 years now) that nuclear energy companies rely on obfuscation and self-assessment more than a set of security best-practices to address risks. Calling Stuxnet sophisticated gives the Iranians far too much credit for their defences and just plays into the hand of those who want to escalate international political conflict.

The Siemens CERT has posted a formal response to two CVSS level 7 vulnerabilities found in the SIMATIC S7-1200 CPU

1. Replay attack. An attacker can sniff the traffic and then send it again to issue a command to the same controller.
2. Denial of service for Firmware Version 02.00.02. Scanning the communication interface causes it to stop.

Workarounds, until the firmware is updated, are to disable unnecessary services and segment the network.

As a temporary measure, it is recommended to disable the web server. The ability to disable the web server is available in TIA Portal Version 11. In addition, it is important to ensure your automation network is protected from unauthorized access using the strategies suggested in this document or isolate the automation network from all other networks using an air gap.

The US military has finally addressed energy risks in its planning, as explained by Federal News Radio

The Pentagon sent its first-ever operational energy strategy to Congress Tuesday, laying out the military’s intent to begin treating energy as a critical military capability.

The goal is to stop focusing on energy as merely a market commodity that must be purchased in order to sustain the department’s various missions.

Defense leaders think that change in thought processes could ultimately reduce the military’s demand for petroleum and promote the development of energy alternatives, with the Pentagon as a new leader in the market.

This marks a huge shift in American policy from the Bush Administration; the government’s investment in the current wars could soon spur much faster innovation in energy efficiency and reduced civilian dependency on oil.