What Can Iran Do Without Computers?

[Spengler]

What Can Iran Do Without Computers? on the Spengler Blog


by David P. Goldman


The short answer is: Pelt Israel with unguided missiles from southern Lebanon. In today's Spengler essay at Asia Times Online, I evaluate Iran's susceptibility to cyberwar. The Islamic Republic pirates virtually all its software and almost all of its competent software engineers have emigrated, which suggests that the mullahs do not even have the capacity to distinguish sabotage from mere incompetence.

Iran has so few skilled programmers that it could be that the security services do not have the capacity to distinguish sabotage from incompetence. That may explain why Tehran blames foreign intelligence services for a recent succession of economic reverses, including the near-collapse of the local markets for gold and foreign exchange.

Iran's economy has teetered towards disaster since early 2008, as I reported at the time (Worst of times for Iran Asia Times Online, June 24, 2008). Official data at the time reported that Iranian households spent 10% more per month than they earned, a rough gauge of the size of the underground economy (smuggled consumer goods, alcohol, opium, prostitution and so forth).

Iranians coped with inflation in the 20% range by fiddling. Tehran's decision to lift fuel subsidies last month will put poorer households under water, and Iranian authorities have warned of possible riots. A run by foreign-exchange dealers on the Iranian rial reportedly led to street fighting between currency traders and police last week. After refusing to sell dollars to the market, Iranian banks on October 10 flooded the market with foreign currency to break the run.

How much of the country's economic and financial chaos is due to incompetence and theft, and how much reflects economic sabotage, may never be known, if the Cold War is any guide.

That makes the Lebanese border -- which Ahmadinejad is scheduled to visit this month -- even more of a prospective flashpoint, for Iran likely will go with what it knows it has.

[kurt9]

The issue of pirated software is no means limited to Iran. The entire developing world runs on pirated software and much of it has worms and spyware embedded in it. My friends in Malaysia use pirated software and I have always hassled them about using legitimate software to avoid these issues. The semiconductor plants in Malaysia are very strict about making everyone use legitimately licensed software so as to minimize these kinds of problems.

China's economy uses lots of pirated software. However, they tend to buy it from places that they trust. I suspect that a lot of viruses and spyware is written by Chinese people themselves. Taiwan is well-known as a major source of viruses and spyware. Perhaps much of the malware in Iran originally comes from China. No doubt Pakistan's nuclear program, which is heavily supported by the Chinese, has computers and control systems that are infested with Chinese-made spyware, "backdoors", and the like. The Chinese would be fools not to do this as this would give them a measure of control if things should spiral completely out of control in Pakistan.

[Spengler]

Kurt9, your point is well taken. No-one wants Iran to get nuclear weapons (except maybe North Korea).

Developing countries have much weaker programming capacity than the numbers would suggest. Most of their universities are diploma mills mass-producing incompetents. One Indian entrepreneur recently returned home after a spell in the US and set out to higher programmers, and found that roughly 1 in 20 came up to US standards -- and that's India, which has plenty o top-rank programmers. There's a lot of reporting to the effect that Stuxnet was a Chinese operation against India that accidently hit Iran (a bit of a stretch, but nothing's impossible).

When it comes down to it, China, India, Taiwan, Korea, and a few other developing countries can muster the skills to protect their IT infrastructure (I am not sure about Malaysia). In terms of vulnerability, Iran is near the top of the list. Saudi Arabia may have the skills, but it can buy them.

[Pastaneta]

You mean Saudi Arabia may not have the skills Spengler?

At the end of the day, if you buy it you are at the mercy of the supplier... Saudi Arabia is another dead country walking...

[kurt9]

Most of their universities are diploma mills mass-producing incompetents.

Yeah, I have heard this as well. Stuxnet may well have been made by either a Chinese or Russian. Together, the Chinese and Russians make something like 90% of the world's computer viruses and other malware. Most of the Russian stuff is intended for cyber-theft whereas much of the Chinese stuff is just for pure malicious harm.

Anyways, preventing infection of a control system is relatively easy. You put the PLC program development package on a dedicated laptop that is not used for any other purpose AND which is never connected to the internet. The laptop contains the program development software and nothing else. At least this is how I did it when I used to to PLC-based control system development. I suspect the Iranian control system engineers, like most people, were sloppy and used their general purpose laptop computers to do the control system program development. Of course these would get infected, then the virus would then download itself along with the PLC program onto the PLC's CPU.

It was clear from the articles about it that Stuxnet got onto the PLCs from the development software and not the SCADA/HMI. Stuxnet worked by downloading itself onto the PLC's CPU, which can only be done from the development software itself, not from the SCADA/HMI.

[Richard Greene]

You mean Saudi Arabia may not have the skills Spengler?

At the end of the day, if you buy it you are at the mercy of the supplier... Saudi Arabia is another dead country walking...

Supposedly, one of Iran's biggest problems re the alleged Stuxnet cyber-terrorism was its total dependence on foreign-made technology and non-Iranian technicians for development of a nuclear infrastructure, both of which could be infiltrated by those multi-lingual, multi-cultural, all-powerful, ever-conspiring...Jews.

Happily, this exact problemita exists for the Saudis, wherever they turn.

This is certainly not 1960s-era Spy vs. Spy.

[madafonos]

Would be pleased to have you on any contract, Spengler -- in particular, the intel Red Team sort. Note also that insinuation may prove sufficient to drive desired responses, even if the 'real' capability does not presently exist.

As re: domestic 'Iran' situation, cf:

Gold merchants strike in Iran
~ Ryan Mauro, 12 Oct 10

... see also WT's near-daily Iran opposition (PMoI and others) updates. Although not a Debka-style site, still requires corrective lenses for incorporation into analyses.

madafonos
Agent d'Information au Processus Industriels, DGSE


FN: Concur on all points, kurt9. There are other IA techniques to address such vulnerabilities (only some discussed in open literature), but isolated dedicated systems (no accessible ports or proverbial super-glued USB ports) are both inexpensive and robust solution.

[MarcH]

This was thought provoking and insightful column, but I'm concerned that the anti-jihad blogosphere broad front (for lack of a better term) is "high fiving" too quickly over Stuxnet and contributing to an unwarranted ratcheting down of public concern over Iranian WMD/missile developments.

Here are a few concerns in the back of my mind:

1. Iranian weapons developers don't have to protect the entire Iranian economy or even the entire military sector from infected software, just a narrower part related to missile/nuclear development. That is still a tall order but perhaps not impossible for a resourceful police state with still significant oil revenues and foreign helpers.
2. Iran doesn't have to build a nuclear weapons force which is as powerful, efficient, versatile and failsafe as the US system or even the Israeli or Indian. They win this round if they can just credibly demonstrate that they have a few warheads for demonstration and possible disruptive strategies.


It was my impression that Spengler was one of the strongest voices calling for an immediate US military attack on the Iranian nuclear/missile program. Was I correct and is that still your position David?

[Spengler]

Regarding the question of whether to bomb Iran's nuclear installations:

Why take chances?

Bomb them anyway.

[Terry]

Spengler the fact that the Mullahs are using a Windows based computer system to manage such a critical system just shows how inept they are. Any freshman computer science student will know that Windows based systems are unreliable and prone to security attacks and viruses and should never be used for critical systems such as the ones dedicated to national security.

In the US and UK most critical systems are based on UNIX systems. UNIX systems are robust and reliable and in my experience I have never come across a virus aimed at UNIX systems. The French have their own operating system, which gives them a degree of independence over their nuclear weapons.

Can’t speak for the Russians or Indians, one thing is for certain their not as short sighted as the Iranians. I have asked the question but only get a blank stare. During the Cold War the USSR relied on low tech manual infrastructure to control and mange their nuclear weapons.

[Pastaneta]

Terry:

The Mullahs are living in the Middle Ages. They are clueless about modern technology... This is why their choices is as it is.

[Yab Yum]

Regarding the question of whether to bomb Iran's nuclear installations:

Why take chances?

Bomb them anyway.

The Iranians (the people) like Americans and hate the mullahs. This wouldn't help.

[PaulR]

Spengler - I don't get you.

You have in the past called the Iranians master-strategists, long-term planners for domination of the middle-east through their "puppies," and that they are "playing chess in the middle-east while we play checkers," and the like.

But you also note the obvious contradictions in their society and their glaring weaknesses - massive corruption, public hatred of the mullahs, economic decline, rampant crime and prostitution - in sum, a society on the verge of collapse. If this is true, they can hardly be fearsome master-strategists, because their country could all come tumbling down at any moment. Indeed, it seems as though the Mullahs (and their friends in Lebanon) could be taken-down quickly with some real sanctions and active support of opposition within their country.

So which is it????

[Spengler]

The fact that Iran has become a serious contender for regional hegemony despite its backwardness shows that Iran has been clever and America has been stupid. The fact that the Iranians are clever does not mitigate the effects of their evil--including a collapsing kleptocracy--nor does it make them immune to sophisticated attack. They still are very dangerous. Russia had a mortally wounded economy in the 1980s but the American victory in the Cold War was hardly a given in 1981.

[kurt9]

In the US and UK most critical systems are based on UNIX systems. UNIX systems are robust and reliable and in my experience I have never come across a virus aimed at UNIX systems.

Internet security is an issue we took very seriously even back in 1995.

Actual control is always done with either PLC's or, in the case of certain process applications, DCS's. PC's are used only for the SCADA/HMI, with the control system itself designed to run independently of the SCADA/HMI. The SCADA provides the user interface and data logging functions. In the 90's, I used SCADAs that ran on OS/2 or UNIX. The OS has to be a pre-emptive multi-tasking and multi-threaded. Windows certainly did not have this capability until the release of XP in 2000, and its still debatable if Windows can be considered pre-emptive multi-threaded and multi-tasking.

When IBM abandoned OS/2, a guy I was working with in Japan created a version of his favorite SCADA/HMI, Wizcon, to run on Linux. It was this Linux version of the Wizcon SCADA that he used on all future automation projects. Linux is good and of the proprietary Unix products, Sun's Solarus Unix is the best. However, the purchase of Sun by Oracle leaves the future of Solarus in doubt. Linux is probably the best OS to use for the SCADA/HMI application.

To believe that any OS is immune to viruses and hacking is delusional. You have to assume that the hackers are going to try to hack your system regardless of the OS used and design and run your system appropriately. The SCADA/HMI computers (which run Linux OS) should be used for the SCADA function only and have no other application software put on them. If the SCADA computers are to be connected to a MES (manufacturing execution software) through something like Tibco network (running a proprietary communication protocol), this intranet should be firewall protected and the office computers running the MES should be firewalled off from the rest of the office network. In no way should the MES be able to make any remote commands to the SCADA software at all. The purpose of the MES is to monitor the manufacturing process and to allow the office staff make decisions with regards to inventory management and monitoring of costs.

Somehow, I doubt the Iranians working on their nuclear and other projects have their act together to ensure these safe computing practices.