
‘Countdown to Zero Day’ By Kim Zetter - Book Review

Author: Charlie Maclean-Bristol, Training Director, FBCI, FEPS

This week Charlie reviews 'Countdown to Zero Day' by Kim Zetter. The book is all about the virus that sabotaged Iran’s nuclear efforts and shows how the existence of this malware can have the same destructive capability as a kinetic attack!

Last night I finished the book ‘Countdown to Zero Day’ by Kim Zetter and I thought I would share a brief review of the book and what we can learn from reading it. The book is all about the Stuxnet malware, which was used around 2010 and allegedly developed by the Americans and Israelis to sabotage the Iranian nuclear programme. The malware was aimed at sabotaging the centrifuges being used to enrich nuclear material, an essential component of a nuclear weapon. A cyber weapon was chosen to do this because it could be done stealthily and, with luck, without detection, rather than having to deal with the consequences and political fallout of a kinetic attack. Zetter takes the reader through how the Iranians were developing their nuclear programme, how Stuxnet was discovered by an antivirus team, and how it was forensically examined to understand its purpose and who it was aimed at. The book also covers the vulnerability of PLCs and SCADA systems to cyber attacks, the attacks that have been conducted to date and how attacks can be executed on various systems. The final chapter looks at the morality of the attack. This was the first use of a cyber weapon by a nation state to attack another country.

This book is very readable, especially for a non-technical reader, and I would recommend it to anyone interested in cyber, cyber warfare and the protection of industrial systems.

There are a number of lessons and learning points I took away from the book. The first is the sheer brilliance and sophistication of the attack. The centrifuges in question were situated in a bunker deep underground and not one of them was connected to the internet. Stuxnet had to get onto the controllers of the centrifuges undetected, then sabotage the enrichment of uranium without being noticed by the control room overseeing the system. Its developers also had to take care not to destroy a centrifuge outright, because if a few were destroyed the Iranians would figure out the cause, and the malware would be detected and quickly removed. The malware was designed to spread via either a computer used to programme the controller for each centrifuge or a thumb drive. It was also designed to install itself only on the Siemens S7 PLC, which was known to be used for controlling the centrifuges, and to attack only a controller driving equipment that spun at an extremely high frequency, as centrifuges do.

The attack was tightly targeted, so Stuxnet did not cause disruption to other systems and machinery. Once it reached a centrifuge controller, for several days the malware simply watched the control traffic being sent back to the control centre. When the malware knew the normal signal traffic patterns, it increased the frequency of the centrifuge slightly every so often. This was enough to drastically reduce the effectiveness of the process and cause damage to the centrifuge, while at the same time masking the changes so that the control centre thought the process was running smoothly. Due to this clever malware, the enrichment process was disrupted, centrifuges broke down, everyone was none the wiser and nobody could detect the problem. I personally believe this was a brilliant attack: to degrade your enemy’s systems without them ever knowing that it is happening, or who is causing the problems, is ingenious.
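The masking described above works because the control room trusts the values the PLC reports. A defensive check that does not rely on that trust is to cross-check the reported telemetry against an independent measurement and to flag any reported window that is an exact sample-for-sample repeat of an earlier one. The following is an added example written for this review; it is not code from the book, from Stuxnet or from any real monitoring product, and every value in it (including the 1000 Hz nominal and the 30 Hz deviation) is constructed for illustration.

```python
"""Cross-check PLC-reported centrifuge telemetry against an out-of-band sensor
and flag exact repeats of an earlier window.

Added illustration, not from the book or any real product. All data below is
constructed; the 1000 Hz nominal frequency is a placeholder value.
"""


def find_replayed_windows(reported, window):
    """Start indices of windows whose values exactly repeat an earlier window.

    Genuine noisy measurements almost never repeat sample-for-sample, so an
    exact repeat suggests the operator is being shown recorded data rather
    than live readings.
    """
    seen = set()
    hits = []
    for start in range(0, len(reported) - window + 1, window):
        key = tuple(reported[start:start + window])
        if key in seen:
            hits.append(start)
        seen.add(key)
    return hits


def find_divergent_samples(reported, independent, tolerance):
    """Indices where the PLC's reported value disagrees with an independent
    measurement (for example a separate speed or vibration sensor wired
    directly to the monitoring system) by more than `tolerance`."""
    return [i for i, (r, s) in enumerate(zip(reported, independent))
            if abs(r - s) > tolerance]


def assess_feed(reported, independent, window=10, tolerance=5.0):
    """Combine both checks; `suspicious` is True if either one fires."""
    replayed = find_replayed_windows(reported, window)
    divergent = find_divergent_samples(reported, independent, tolerance)
    return {
        "replayed_windows": replayed,
        "divergent_samples": divergent,
        "suspicious": bool(replayed or divergent),
    }


# Constructed sample data: two genuine 10-sample windows of noisy readings
# around a 1000 Hz placeholder nominal.
W0 = [1000.0, 1000.2, 999.8, 1000.1, 999.9, 1000.3, 999.7, 1000.0, 1000.2, 999.9]
W1 = [1000.1, 999.8, 1000.0, 1000.2, 999.9, 1000.1, 999.8, 1000.0, 999.7, 1000.2]

# What the control room is shown: two genuine windows, then the first window
# replayed twice while the real speed is changed underneath.
REPORTED = W0 + W1 + W0 + W0

# What an independent sensor actually measures: normal, normal, elevated by a
# constructed 30 Hz for one window, then back to normal.
INDEPENDENT = W0 + W1 + [x + 30.0 for x in W1] + W1

if __name__ == "__main__":
    print(assess_feed(REPORTED, INDEPENDENT))
```

The replay check alone would catch the constructed feed, but it is the independent sensor that tells the operator what is really happening; a monitoring design that only ever reads values through the same PLC it is meant to supervise has no second source to compare against.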

This book discusses the time, level of technological knowledge and cost associated with developing such a sophisticated piece of malware, and how it could only have been developed by a nation state, in the same way that the sophistication of the SolarWinds hack last year meant it could only have been carried out by a nation state. What we should be aware of is that if this attack was built in 2005-2009, how much more sophisticated and capable are the agencies which built it now? Are our institutions being attacked or degraded without us knowing, or are there attacks ready to be deployed whose creators are waiting for the right circumstances or adversary to unleash them?

Zetter didn’t just concentrate on the Stuxnet attack, but talked more widely about cyber attacks on infrastructure. Many of the details in this book can be found in this bulletin I wrote earlier this year.

One of the scary events that this book described was the Aurora Generator Test in 2007, run by the Idaho National Laboratory. Its purpose was to see if a cyber attack could destroy the physical components of an electric grid. The test used a 2.5MW generator, enough to power roughly 1500-2500 homes. The experiment used a computer program to rapidly open and close a diesel generator's circuit breakers out of phase with the rest of the grid. During the experiment the generator was physically destroyed within 3 minutes, and it could have been destroyed more quickly had those conducting the experiment not paused it in stages to review the damage. Parts of the generator were found 80 feet away!
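The test above worked because the breaker did what it was told, even when the two sides were out of step. The usual protective answer is a synchronism check in front of the close command, plus a minimum dwell after an opening so that a rapid open/close sequence cannot be executed no matter who issues it. The following toy model is an added example written for this review, not code from the book, from the Idaho National Laboratory or from any real relay; it is modelled loosely on what a synchronism-check (ANSI device 25) function does, and the thresholds, voltages and command timings are constructed.

```python
"""Toy synchronism-check and reclose-dwell gate for a generator breaker.

Added illustration, not from the book or any real relay firmware. Thresholds
and the sample measurements are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Measurement:
    """Generator-side and bus-side readings: volts, hertz and degrees."""
    v_gen: float
    v_bus: float
    f_gen: float
    f_bus: float
    angle_gen: float
    angle_bus: float


def angle_difference(a, b):
    """Smallest signed angle a - b, normalised into (-180, 180]."""
    return (a - b + 180.0) % 360.0 - 180.0


def sync_check(m, max_dv_frac=0.05, max_df=0.1, max_angle=10.0):
    """Return the reasons a close would be unsafe; an empty list permits it."""
    reasons = []
    if abs(m.v_gen - m.v_bus) / m.v_bus > max_dv_frac:
        reasons.append("voltage")
    if abs(m.f_gen - m.f_bus) > max_df:
        reasons.append("frequency")
    if abs(angle_difference(m.angle_gen, m.angle_bus)) > max_angle:
        reasons.append("angle")
    return reasons


class BreakerController:
    """Gates every close command behind the sync check and a minimum open
    dwell, so a command stream cannot slam the breaker shut out of phase."""

    def __init__(self, min_dwell_s=1.0):
        self.min_dwell_s = min_dwell_s
        self.closed = True
        self.last_open_t = None
        self.log = []  # (time, command, accepted, reasons) for later review

    def open(self, t):
        if self.closed:
            self.closed = False
            self.last_open_t = t
        self.log.append((t, "open", True, []))

    def request_close(self, t, m):
        """Close only if in step and the dwell since opening has elapsed."""
        reasons = sync_check(m)
        if self.last_open_t is not None and t - self.last_open_t < self.min_dwell_s:
            reasons.append("dwell")
        accepted = not reasons and not self.closed
        if accepted:
            self.closed = True
        self.log.append((t, "close", accepted, reasons))
        return accepted, reasons


def run_scenario():
    """Constructed command sequence: a reclose 0.2 s after opening and 120
    degrees out of phase is refused, an in-step reclose inside the dwell is
    still refused, and an in-step reclose after the dwell is accepted."""
    in_step = Measurement(480.0, 480.0, 60.0, 60.0, 0.0, 0.0)
    out_of_step = Measurement(480.0, 480.0, 60.0, 60.0, 120.0, 0.0)
    bc = BreakerController(min_dwell_s=1.0)
    bc.open(0.0)
    return [
        bc.request_close(0.2, out_of_step),
        bc.request_close(0.5, in_step),
        bc.request_close(1.5, in_step),
    ]


if __name__ == "__main__":
    for accepted, reasons in run_scenario():
        print("accepted" if accepted else "refused", reasons)
```

The point of the dwell is that it is enforced by the protective logic, not by the control software that received the command, so a compromised control host cannot simply disable it; the log gives the incident responders a record of what was attempted and why it was refused.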

The cyber attack on the Ukrainian grid in 2015, which left 230,000 people without power, is another example of how vulnerable utilities are to cyber attacks. I know there are programmes in the UK to harden utilities against cyber attacks, but Stuxnet demonstrates that an attack executed with enough time, resources and technical know-how is a possibility. I suspect that there is an unwritten rule amongst nation states that a large cyber attack on another’s critical infrastructure would be considered an act of war, so they have refrained from doing so. If we know that this type of attack is possible, we should make sure that we have considered the risk and have suitable mitigation measures in place.
