Dave, my work deals with a large amount of "air gapped" systems. This video does an amazing job at educating even the layman on how closed networks can be infiltrated. Your video is already being passed around and we are going to have a quick huddle on your video as well as the social engineering side of gaining access. As always, it's a pleasure to learn from you.
@davidmartensson273 3 months ago
The strength of the air gap is only as strong as the glue you use to block off any ports or connection slots.
@Julkkis1980 3 months ago
Air Gap and onion architecture. But unfortunately people are really stupid
@ACCPhil 3 months ago
Me too. The thing is that, while access to the secure network is highly restricted and (for people) subject to security clearance, most of the development and testing of software that runs there happens in less secure environments. And while there is a small set of people who can make changes in the secure network, there is a far larger set of people who are producing code and configuration stuff which will be applied in there. Although I still think the more likely risk is incompetence rather than malice.
@markmuir7338 3 months ago
StuxNet was the turning point for me: until then I was a firm believer in “Don’t attribute to malice what can be explained by incompetence”. After that I switched to “Where there’s a will, there’s a way”.
@johnclawed 3 months ago
Incompetence is still at the root of it, because some management type at Microsoft ordered "autorun" to be included in Win95. It was one of many incredibly stupid high-level design decisions that give Windows and Microsoft the reputation they have.
@cgungryfcdjs1352 3 months ago
incompetence still gives a lot more way
@dashippo 3 months ago
Both can be and are true at the same time
@ralphybean 3 months ago
Thanks Dave. Most videos on this subject are 45min plus. Yours is clear and precise
@675Danny 3 months ago
@DavesGarage please put a link to your other channel. Thanks
@enricodeanna9518 3 months ago
@@675Danny what? He has another channel?
@fonkbadonk5370 3 months ago
I've been a PLC dev for ~20 years, especially working with Siemens S7-300 PLCs. What struck me even almost a bit more than the PC side of the worm is that you need absolutely full, VERY detailed knowledge about how the PLC's internal addressing and code was done. You can't just "search" for frequency converters - you need to know exactly at which bit what exact data is expected/delivered, as there are no standards towards that at all. It's all the dev's choice, and there are no "discovery services". PLCs are, internally, ancient technology. Considering that even in "normal" private companies this info is heavily guarded, it's almost unbelievable that anyone unauthorized could get their hands on SUCH a deep level of internal stuff. They basically MUST have had an actual dev in their pockets - one that also managed to sneak this data out.
@TheFrewah 3 months ago
That's horrible! I guess most programming is done using some kind of script language and maybe some compiled code that essentially runs these scripts? One would hope someone makes some kind of stub code to help developers
@ReaKtionary 3 months ago
This is only mostly true, I think. I work mostly with Allen Bradley / Rockwell / Logix 500/5000, but a handful of System 7s are around here too. While the PLC code is absolutely up to the developer, many of our machines are from the same handful of manufacturers and, while they do many different things, they follow conventions. Once you know who built the equipment I believe you can brute force the addresses and get lucky. Even still, the VSDs' own speed references and parameters are all at the same addresses between models.
@ReaKtionary 3 months ago
@@TheFrewah IEC standards define languages which run PLC code though the names of instructions are up to the manufacturer. Most code, I'd say, is either Ladder Diagram, Function Block, or less commonly Structured Text (like Pascal). You can indeed find examples in every language on how to do whatever it is you need your machine to do. The manufacturers themselves have documentation on how to perform a number of tasks and even (Rockwell, at least) Add-on-Instructions where all you need to do is plug in input addresses and output locations and the logic is already written. (Not a super huge fan, myself but it does speed up implementation and time is money)
@TheFrewah 3 months ago
@@ReaKtionary That’s nice. I sometimes find things that you can connect to a Raspberry Pi but not any kind of documentation.
@WOFFY-qc9te 3 months ago
Stuxnet was frighteningly impressive and well executed; however, Pandora's box is open, so we await round two.
@rjy8960 3 months ago
I was working with PLC systems at the time that Stuxnet was exposed and have always held it as a pinnacle of software engineering in its purpose and execution. It still amazes me to this day.
@nickissoooobeast 3 months ago
@fmfbrestel Stuxnet source code is widely used as a model for worms that copycat and get sold on the darkweb. Also, about a decade ago Stuxnet tried (and failed) to infiltrate North Korea's uranium enrichment program.
@tomhanksact 3 months ago
@fmfbrestel What are they building, Nitro Zeus?
@ian562ADF52E 3 months ago
Golden robot, liblzma backdoor, eternal blue/romance/champion. Bruh, nation states are impressive lol
@Misanthrope84 3 months ago
@fmfbrestel I'll give you a hint: their latest creation was the beeper operation in Lebanon.
@6thdayblue59 2 months ago
Hi Dave, I came across this and started watching. Frankly, after a minute I didn't have a clue what you were talking about, so I looked at the comments. Clearly you are a fantastically brilliant man, and all I saw were positive comments and respect. So from someone who once owned a ZX Spectrum (yes, I'm that old), I think you are so well respected and admired for your content and clearly you are the man to follow for computer stuff. Peace be with you Dave x
@thomaspripley 3 months ago
For those interested in going deeper, I highly recommend Kim Zetter's book "Countdown to Zero Day." I read it in 2014, it's gripping and full of extreme details! Dave did a great job covering it in short format though!
@cgungryfcdjs1352 3 months ago
@AKFishnFool lol
@MartinPiper6502 3 months ago
Many years ago I used to work for a company selling "enterprise security" software that would help to block USB devices, stop them from exposing storage/network/etc. It would only approve certain devices and also provided encrypted device storage. We noticed some USB devices (like cameras or thumb drives) would, when first plugged in, present themselves as a CD device with autorun and something to install their drivers. Then when plugged in again they would appear as their proper camera/storage device.
@johnclawed 3 months ago
So it had 2 states, but where was the state recorded? I would assume the PC recognized that thumb drive, because the opposite seems impossible.
@jamesbond_007 3 months ago
Love the "The Friendly Giant" reference at the end! At least some PBS stations aired this show during the late 1960s; the theme tune is highly memorable, so it instantly identifies the show in question.
@millwrightrick1 3 months ago
Every kid in Canada during the 60s got the Friendly Giant reference.
@willmcbride4435 3 months ago
I was delighted to see the title of this video. Stuxnet is super interesting and I love your style, Dave. I expected a great presentation and I was not at all disappointed. At the time, I worked in industrial controls with Siemens PLCs and drives. Super impressive from an engineering perspective.
@ObrtASCENTvl.ZlatanOmerovic 3 months ago
I've been following the subject of Stuxnet closely since mid-2016 when the "Zero Days" documentary was released, and some time after VICE did a short documentary on it too. I read the W32.Stuxnet Dossier by Symantec Security Response Team at least 5 times so far, and I'm still amazed at the level of sophistication and attack vectors used to achieve their goals - for each attack vector: the infamous 4 Zero Days for the Win32, the low-level obfuscation overloads like memcpy, and the hacks around Siemens PLC APIs. Stuxnet was Trinity/Gadget test of the 21st century. Even Michael Hayden (former CIA & NSA director) put it that way.
@cgungryfcdjs1352 3 months ago
yeah vice is for retards
@alexdi1367 3 months ago
Love the summary (and I think you could absolutely blow your channel up with more on this topic), but from you, I'd be more interested in a technical deep dive.
@DaveChurchill 3 months ago
Wasn't expecting a Friendly Giant reference! Thanks for the great video Dave
@lens1736 3 months ago
Don't know if you are a grandfather or not, but if you tell bedtime stories, me at 68 YO would even like to listen in. Love your ability to tell a story. I've watched several videos on Stuxnet, but you succinctly bring it to life. thanks. Keep telling stories.
@raygunsforronnie847 3 months ago
"Mommy! Grandpa is telling scary stories again!"
@BlackHoleForge 3 months ago
Storytime with Dave is awesome.
@markgriz 3 months ago
He should make a children's book version
@tinad8561 3 months ago
“Careful engineering, quality assurance, and… legal input.” Isn’t that like the construction contractor’s triangle (fast, cheap, correct), you can only pick two?
@CarlTSpeak 3 months ago
It was found because the driver of the latest and greatest version was blue screening machines so I think you can drop the 'correct' part for that one. 😊
@tuvoca825 3 months ago
From "better, faster, cheaper" in the space industry. Or "bueno, bonito, barato" (good, pretty, cheap) from the days of merchants in old world Spain.
@cyclops74air11 a month ago
That's why you're talking about state actors and not contractors. Well pointed out, and that's the reason.
@photorealm 3 months ago
I wonder how many people have made an amazing achievement like Stuxnet but can't tell a single person how cool it was and they will never be acknowledged for their accomplishment.
@20chocsaday 3 months ago
Many of the people who worked on the deciphering programme went to their graves with sealed lips. They kept the secret that they had been among the thousands who worked at Bletchley Park from their spouses for at least 30 years. Being able to read Morse Code was something that could trip them up.
@sulrich70 3 months ago
I am sure they got medals for their work
@JiffyBeene 3 months ago
8. Well 9 if you include [REDACTED]
@BitTwisted1 3 months ago
I remember doing a Siemens PLC and SCADA training course a few years before this all kicked off. When covering the passwords, the 'unofficial advice' was to leave them all as default because you'll never get it working otherwise...
@grottyboots 3 months ago
I took some Siemens courses on how to program Step 7 PLCs for use in CNCs. This was before Stuxnet. I was surprised that we were told, by actual Siemens employees, to never change the WinNT login name/password. I forget those credentials now, but I do recall the password was a whole 8 characters long. I wonder if Siemens has changed that password and that no-change policy. Cheers!
@oliverw.douglas285 3 months ago
That was a very thorough overview of Stuxnet. I had no idea the level of damage so-called 'isolated' systems could 'weather'. Considering how far technology has evolved since then, it begs the question: is anything truly safe from a determined foe?
@paultapping9510 3 months ago
@msromike123 so in real, measurable terms, no. It does not matter if the theoretical work has been finished if none of it has or will be implemented.
@mikeygduv 2 months ago
I have seen many articles and videos on this subject. This is by far one of the best, concise, informative and entertaining wrapped into one!
@Julkkis1980 3 months ago
That was a correct and precise description of Stuxnet that I thought I would never hear. Great job. Greetings from an IT security professional that used to work in the nuclear industry
@randallgreen4084 3 months ago
Morning Dave, more great content, as always.
@NetBandit70 3 months ago
GOOD MORNING SIR
@mattfojtik7130 3 months ago
Could you talk more about your time working on autorun? Were the developers aware at the time of the huge security risk that feature could pose? Was it a tradeoff between usability for regular users and security, or was security an afterthought?
@DaedalusRaistlin 3 months ago
I believe Windows 95 was the first to have autorun, and security was basically not much of a concern - there were no admin users, regular users could do everything. And needed to, with the heavy support for DOS. Usability I would think was a primary concern at the time, people had to get used to a whole new desktop paradigm coming from Windows 3. Having things automatically start up when you put the CD in makes the computer a lot more user friendly, instead of having to navigate to My Computer, the appropriate drive, and then find whatever program starts up the menu interface. A lot of CDs of the time had menu interfaces to be a friendlier way of installing or launching apps. Some were custom apps, others launched your web browser to a file on the CD. I would think security just wasn't as important considering users had full system access already.
@DaedalusRaistlin 3 months ago
@singleproppilot Sure, that's why power users learned to hold shift to stop the autorun. They were trying to make it more accessible than DOS though, which pretty much isn't.
@larrydvorshockii5935 3 months ago
As a computer idiot, I still found this fascinating & interesting. Could understand the general gist of the story, but the delving into the technical sides is WAY above my paygrade!!!!! But I still enjoyed it, thanx Dave.
@gdauch 3 months ago
This is why I am subbed to this channel. Dave does THE BEST job of 'explaining it to me like I am a 5 year old' and yet still keeping it technical enough to be largely accurate, if not still absolutely accurate, to the real event or action(s) taking place.
@andersjjensen 3 months ago
If you're capable of understanding ANYTHING Dave says you're not a computer idiot.
@funkyfp 3 months ago
Enjoyed listening to the talk, and it made me remember a question I had asked my professor in class many years ago regarding whether it could be possible for maliciously intended code that, when writing data (in the days of floppy drives), would use an incorrect voltage level of the drive to store data initially but in time ensure the data would be lost (the malicious intent). The question was asked as a curiosity and was rejected by the professor, but listening to you talk of Stuxnet made me realize abuses of motors and other hardware are very real to the unsuspecting.
@Kyzyl_Tuva 3 months ago
Great topic Dave. Stuxnet was a brilliant piece of work and you did a great job of explaining it at a high level.
@Frog3136 3 months ago
Another master-class video on complex topics - thank you for doing these types of videos. I've sent them to my team consistently to learn.
@captainsensible298 2 months ago
I've heard that an updated version of this code was spread to the Fukushima Daiichi plant showing the plant operators normal system parameters while the reactor was driven critical.
@instantkevlar4763 a month ago
Thank you. Very interesting. Had read a lot of news about it but had not bothered to look into the technical details.
@erikl1003 3 months ago
I like that you leave me a little extra time at the end of the video so I can get my phone back out and SMASH THAT LIKE BUTTON at my leisure.
@BRBTechTalk 3 months ago
I am a long-time computer user that started with computers in the late '90s. I remember hearing about this malware. I agree it was a well thought out attack and I too kind of admire the thought and work that went into the malicious software.
@williammurdock3028 3 months ago
I think my favorite Windows feature that shocked even the LAN admins was Remote Shutdown. Had the need to remotely shutdown servers in other geo areas, worked great.
@S1eepers 3 months ago
At my company we don't need Stuxnet to ruin the production. We just need the idiots I work with to be near a WinCC computer
@ohmbug10 3 months ago
An owner of a company I worked at gave me an order to design the machines to be more idiot proof after one of them hurt himself in a ridiculous manner. (He put his foot on his moving machine to tie his boot string. It would have cut his foot in half but we had installed fiber drive gears because of other idiots disabling limit switches and crashing the machine.) I told the boss it would help if he quit hiring bigger idiots.
@Solnfected 3 months ago
lol
@davidwilliams1383 3 months ago
There's a nut loose on the keyboard....
@chrissimpson1183 3 months ago
Any system can be hacked.
@gregholloway2656 3 months ago
Great video Dave. The book written about this incident is fascinating. I spent my whole career in automation, so it was an eye opener.
@garybouwman2157 3 months ago
Well crafted and delivered talk Dave. Even though I've heard most of it before, you managed to bring some information to the table I had not heard before. Really enjoyed the story.
@johnandmegh 3 months ago
Great historical review here - if you end up doing a follow up on the topic at any point, it’d be interesting to know what the internal MS conversations looked like at the time with features like autorun - was there a standard way of doing security risk assessment, how did folks make the judgment calls of low risk vs. informed risk vs. too dangerous to release, etc.
@20chocsaday 3 months ago
That's a point. You don't need to run it. But it will want to know what is on the CD. That means it must open the files. Execute on open.
@JohnBabisDJC 3 months ago
Your videos always educate me . Thank you.
@nicholasdacek5182 3 months ago
Dave, what always fascinated me about Stuxnet - PLC code is custom on every project. Somebody had to either get their hands on the Siemens code, decide which tag was the motor speed reference, and write to it. Or, re-write the PLC code online. Not the easiest thing to do. Siemens just makes it complicated as is.
@tonywilson4713 3 months ago
HEY DAVE - Control system engineer here with 30+ years of experience. FYI - I have used several versions of Step 7 over the years as well as several other major systems like Allen Bradley Control Logix, ABB 800xA, Schneider. I'm not a great fan of Step 7 although it does several things superbly. I prefer Allen Bradley Control Logix. I have also done robotics with Fanuc, Kuka and Adept. I also have a lot of experience with motor controls. Like everyone else in the IT industry you actually need to find one of us, have a sit-down and get your terminology correct, and also get some of the details of this particular subject correct. When Stuxnet hit it was a big deal for the company I worked for because we had just done a major upgrade to an offshore oil & gas rig using Siemens software.

FIRST, and this is important for this story. What you have called a "frequency converter" IS NOT a frequency converter. If anything it's a POWER INVERTER, because it inverts AC into DC and then back into AC. Starting at the basics - the lump of electronics that switches and controls a motor is called a DRIVE because it drives the motor. It doesn't matter what type of control is being used, that lump is called a drive. We do use some more specific terms like soft starter, but *in general if it drives a motor then it's a drive.* Drives that can vary the speed of a motor are called VSDs (Variable Speed Drives). In the past people did call them Variable Frequency Drives (VFDs) or Variable Voltage Variable Frequency Drives (VVVFs or Triple VFs). But I have never heard either a sales rep or engineer EVER call a motor drive a frequency converter.

On the subject of Uranium Enrichment. In 2005 (~5 years before this happened) I was working at the ERA Ranger Uranium Mine. As part of working there we had to do a full ANSTO induction. A normal mine site induction is 1-2 hours. The ANSTO induction was 2 days and we covered the entire Uranium cycle from in the ground to back in the ground, including a fairly detailed description of Uranium enrichment. In 2005 there was a lot of friction regarding what Iran was up to, so we asked what Iran was up to. *The giveaway that they had a weapons program was the number of centrifuges.* In general: Fuel grade for power stations needs around 5 to 8,000 centrifuges. Military fuel grade like that used in submarines needs around 20,000 centrifuges. For weapons grade Uranium you need 40,000 centrifuges or more, and we knew Iran had 55,000.

Understanding motors and motor controls is how we knew they had 55,000 centrifuges. In GENERAL (and there's a lot of variation in motors) but basically: Normal 3-phase induction motors generally operate up to 1500 rpm at 50Hz. High-speed 3-phase induction motors operate up to 3,000 rpm at 100Hz or higher. The permanent magnet servo motors used in robotics and CNC machining centres operate up to 6,000 rpm and maybe more depending on the motor size. The SPINDLE MOTORS used in CNC machining spindles (hence why they are called spindle motors) can (depending on the size of the motor) go in excess of 30,000 rpm. Most VSDs can output more than the standard 50Hz and can generally go to 200Hz, although I have used ones capable of 400Hz. Spindle motors go much faster and that's why they need specialised drives with much higher frequencies. There are also some very specialised ultra high speed motors that can go in excess of 100,000 rpm. But those are very small motors with rare earth permanent magnets and most often used in the computer industry in disk drives. VERY IMPORTANT - There is nothing classified or spectacularly special about spindle motors or the VSDs they use other than they go a lot faster than normal motors. 1,000s are sold every month across the world as part of the machine tool industry. The thing is Iran DID NOT (in 2005) have a machine tool industry, so when they bought enough motors and VSDs for 55,000 gas centrifuges, people who understood Uranium enrichment knew EXACTLY what they were up to.

As to what Stuxnet did inside the S7 PLCs, we were advised on that because of the system our company had done. Luckily there was nothing in what we did that Stuxnet targeted. Our project was a SCADA system, not a PLC system, so it was in another part of the Siemens suite of software packages. What it did was very interesting. The S7, like most modern PLCs, is a multitasking operating system. We tend to write our systems as a main cyclic task with a number of timed tasks that operate via interrupts. We do that because things like PID closed-loop functions work best when they operate at a consistent time interval. So we tend to put those in separate tasks running off timed interrupts. What Stuxnet did was not only insert an additional task that took control of the commands to the VSDs, but that inserted task DID NOT appear in the task list. So the engineers could NOT FIND IT and could not understand why their code was not working.

If you want to discuss this further I'd like to do a podcast with you. You know how this thing ran around the world, and on all that stuff you're 100% correct. I know what it did inside the PLCs. I also know how it found the specific laptop or desktop it was looking for. The most disturbing thing about Stuxnet wasn't what it did, but that it laid out the basic blueprint for what can be done to everyone's basic infrastructure. Basically everyone now has a blueprint from which to develop their own cyber weapons. It's sort of like inventing the machine gun in 1750 and then leaving them all over the place for other people to copy or derive new machine guns from. Sooner or later I expect Stuxnet clones and derived descendants to appear and do some real damage.
@ronblack7870 3 months ago
Your rant mostly repeats what he said. And no, standard frequency is 60 Hz, not 50 Hz. This is a US-based site, and everyone here calls them VFD not VSD, so your stupid bitching about nomenclature adds nothing to his explanation. Oh, and some reactors use unenriched uranium, like CANDU reactors in Canada. They don't need enrichment.
@Username8281 3 months ago
I love this conversation. keep it going
@oldtechnology 3 months ago
Yes.😂
@WOFFY-qc9te 3 months ago
@@ronblack7870 Dave gave an excellent description of Stuxnet events; however, Tonywilson (without malice) added to the discourse some pertinent, informed facts to which Dave (being a professional engineer and mature adult) would not take offence. Just to be clear, I found Tony's contribution / flex aligned well with my understanding of SCADA MCS operations, most interesting especially as the early (now obsolete) gaseous diffusion centrifuges were prototyped at a plant familiar to me. To describe Tony's comment as a rant is unfair, bordering on ignorance, especially as your opening salvo was in error because the majority of countries operate a grid at 50 Hz (or if you are in Japan 50 & 60 Hz?). You are also misinformed about the nomenclature. VFDs provide high performance with precise control over motor (prime mover) speed and torque, so better process control. VSDs have greater speed control but may not offer the same level of performance consistency as VFDs. VSDs came before VFDs as they were of mechanical origin; a clue is in the name. I will mention, in response to Tony's statement "But I have never heard either a sales rep or engineer EVER call a motor drive a frequency converter.", that in the '60s computer systems used dynamotors as frequency converters, and in Japan they are used to correct 50 to 60 Hz; aircraft use them to generate 400 Hz, but they are electromechanical fixed frequency, so Tony is technically correct and not as old as I. Further, Dave's channel is not limited to the United States and, since he is after votes and likes, he may be irritated that you have the impertinence to say it is a US-based sight (your spelling), implying his content is country specific. Do not propose to tell Tony, me or other seasoned system and electrical engineers what terminology we choose to use to describe motor control systems when your comment has clearly shown you are not qualified to do so.

You may think (incorrectly) a comment attacking Tony has in some way come to Dave's defence, but if you must, please proffer a cogent argument without being rude.
@tonywilson4713 3 months ago
@@ronblack7870 Typical American, you think the entire world is 60 Hz when in fact MOST is 50 Hz. And anyone who knows anything about the nuclear industry knows about the CANDU reactors. So take your attitude and take a hike.
@johnnie135 a month ago
I remember hearing and learning everything that I could about this attack. I remember I was sitting in first class on an airplane and I was talking to the chief of security of one of the major Canadian banks, and he had no idea about this kind of attack. I know they are not running centrifuges, but this got on my radar and I'm just a day trader. I wonder if the guy is still head of security? This is the best detailed explanation that I've heard about the entire attack.
@manufaleschini 3 months ago
As a software engineer I highly admire the technical implementation of Stuxnet. It was a masterpiece. The use of it is another discussion.
@2009raindrop 3 months ago
Thank you Dave. Before watching this video I had only heard bits and pieces about this engineering marvel, so it was great to hear the additional details you provided. I think about Stuxnet every time I see a thumb drive.
@DugWagner 3 months ago
I'm so glad I watched this. I finally have a small glimmer of understanding this incredible work of genius. You did a great job of making this understandable!
@michaelangellotti5741 3 months ago
That CBC ending continues to make me smile every time I see it.
@JohnWallace74 3 months ago
Good video. I used to be responsible for maintaining systems that printed the government student loan statements. The government had very strict requirements, some of which made no sense, like installing certificates for government internet access even when systems never connected to the internet, as they were on a very restricted network with little access to anything. I retired a couple years ago, and I am happy to not have to deal with the daily grind of illogical security requirements from people who didn't understand computer security at a low level…
@saygoodnighttoghosts 3 months ago
Thanks Dave! I was aware of this exploit before, but much preferred your approach in explaining the intricacies involved. Look forward to more.
@ianpendlebury9503 3 months ago
A very polished presentation. It talks about a world that I have not inhabited, but highlights the hazards that face an increasingly computerised world. Thanks.
@magicdonutman2851 3 months ago
One of my favorite channels on KZbin!
@armchair_mechanic 3 months ago
Love the Friendly Giant reference at the end of the video.
@capiberra4118 2 months ago
Great explanation, thanks! (Loved the “Friendly Giant” reference in the outro.)
@EricAdli-l2t 3 months ago
Windows 98 still runs and operates Westport RTG and 2 TEU cranes from ship to trucks. The entire facility ran on a 3G signal for the wireless mounted terminals (MS-DOS) to operate. The entire port environment is a closed environment without internet access. Back in 2002. Dunno what infrastructure changes there are now.
@jimosborne2 3 months ago
Dave, let's give credit to Frontline, Nova and Zero Days among others for their groundbreaking work on Stuxnet. As you hinted at, it's clear who developed it, who deployed it and why. Anyone who thinks that the world's more powerful countries will develop norms or rules - well, I have an oil pipeline for sale for you in the North Sea.
@SuperGirl-tf2wn 3 months ago
It's incredible how this was crafted and executed. Makes me wonder who specifically (team) engineered this and what else they could truly do.
@careycummings9999 3 months ago
I like the homage to The Friendly Giant at the end, well done. Stuxnet is only the beginning of what will surely be an escalation of infrastructure based attacks. I'm glad I don't live near a chemical or nuclear plant, or downstream from a hydro dam. The possibilities are quite terrifying. Oh well, this is the world we made, now we have to live in it.
@WooShell 3 months ago
Autorun.inf had been widely criticized for its potential for abuse ever since its introduction in Windows 95. Yet, 15 years and four major releases later, its security implications were still not being addressed, which allowed something like Stuxnet to even happen. Yet, Microsoft emerged from the whole disaster largely unpunished.
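Several comments in this thread (autorun in Win95, devices presenting themselves as a CD with autorun, the Autorun.inf criticism above) turn on what an autorun.inf can make Explorer do. As an added example, not code from the video or from any commenter, here is a small Python triage script that parses such a file from removable media and lists the directives a defender should look at; both sample files are constructed and the paths in them are made up.

```python
"""Triage an autorun.inf pulled from removable media.

Added example (not from the video or any commenter). The two sample files at the
bottom are constructed for illustration; the paths and labels in them are made up.
"""
import re

# Directives that execute a program or steer the AutoPlay / Explorer UI.
# These are the documented autorun.inf keys, matched case-insensitively.
EXEC_KEYS = {"open", "shellexecute"}
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk", ".dll")


def parse_autorun(text: str) -> dict:
    """Tolerant INI reader: {section_lower: [(key_lower, value), ...]}.

    Duplicate keys are kept and odd lines are skipped rather than rejected,
    because Explorer is lenient with this file and a triage tool must not
    give up on input that the OS would happily act on.
    """
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section, or not key=value
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def first_token(value: str) -> str:
    """Program path without its arguments, quotes removed, lower-cased."""
    m = re.match(r'\s*"([^"]*)"|\s*(\S+)', value)
    return (m.group(1) or m.group(2) or "").lower() if m else ""


def assess_autorun(text: str) -> list:
    """Return [(key, reason), ...] for every directive worth an analyst's attention.

    An empty list means only cosmetic keys (label, a plain icon file) were found.
    """
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        target = first_token(value)
        if key in EXEC_KEYS:
            reason = f"runs '{value}' when the volume is inserted or AutoPlay is accepted"
            if target.endswith(EXEC_EXTS):
                reason += " (executable payload)"
            findings.append((key, reason))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append((key, f"adds Explorer context-menu command '{value}'"))
        elif key == "shell":
            findings.append((key, f"makes verb '{value}' the default double-click action"))
        elif key == "action" and re.search(r"open folder|view files", value, re.I):
            findings.append((key, f"'{value}' imitates the built-in 'Open folder' AutoPlay entry"))
        elif key == "icon" and "shell32.dll" in target:
            findings.append((key, f"'{value}' borrows a system icon so the drive looks ordinary"))
    return findings


# Constructed samples (not real malware): a harmless photo stick and a stick that
# tries to get its payload launched while looking like a plain folder.
BENIGN_INF = """[autorun]
label=Holiday Photos
icon=photos.ico
"""

SUSPICIOUS_INF = """[AutoRun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shell=open
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(f"{name}: {len(assess_autorun(inf))} finding(s)")
        for key, reason in assess_autorun(inf):
            print(f"  {key}: {reason}")
```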
@WooShell 3 months ago
@msromike123 Stuxnet did almost no damage to the Iranian nuclear project, and caused a lot of damage to millions of other computers worldwide.
@WooShell 3 months ago
@msromike123 Since you consider infected systems not to be damage, there's no point in arguing any further. You very obviously have no clue about IT operations, security or costs. We're talking about *millions* of infected systems outside the target plant. If it takes only one hour to reinstall or otherwise disinfect each system, this means millions of wasted IT staff man-hours and thus wasted personnel costs. Totally worth it, right?
@QwazyWabbit 3 months ago
Autoruns had to be one of the worst design decisions ever made in Windows. Disabling it is one of the first things I do to a fresh Windows installation or new computer. Having worked on PLC projects and Step7 software at the time I was highly impressed with the Symantec Stuxnet dossier.
@DaedalusRaistlin 3 months ago
I think a lot of those design decisions came about because it made it easier for users new to the OS, which was a big concern when the OS was first released. Sure, advanced users would probably disable it, but it was helpful for people unfamiliar with computers or Windows. Most of the design decisions back then didn't consider security, Windows 95 barely even supported multiple user accounts. Keeping such a feature once security began to be important was not a great idea, however.
@QwazyWabbit 3 months ago
@msromike123 Once installed at Natanz from a USB drive and executed by Autoruns, it wormed through the entire network of computers running the facility. That’s why autoruns was not subsequently required.
@emagotis 3 months ago
Bravo for explaining a technical and complicated piece of software so clearly yet thoroughly. I was fascinated by all the facts, and also how you shed light on the political implications. Lastly, and quite literally, you also uploaded a high-quality video with superb lighting, incredible resolution, and high frame rate. Thank you for all the effort you put into this and for giving it away for free!
@nathanpotter1334 3 months ago
Just imagine if there is a zero day inside win recall... now that it's dependent on the file explorer and required, that could be just as devastating.
@sumo-ninja 2 months ago
@msromike123 if you think TPMs are at all secure you're in trouble
@sumo-ninja 2 months ago
@msromike123 oh I see what you're saying, my bad... With win recall there's a whole new level of spyware that's being forced onto every win11 user. It's absolutely insane that it's mandatory. OP's talking about a zero day when there's really no need. Once an attacker gains access to the PC, win recall gives them everything they want, basically.
@Fourthirtydriver 2 months ago
A superb explanation and presentation! Kudos!
@mikeburch2998 2 months ago
This was a great video. Thank you and to those who created Stuxnet.
@Dangling-Pointer 3 months ago
I like how you discussed the moral and ethical dimensions as well. Often overlooked.
@Egilhelmson 3 months ago
Iran has been effectively at war with Israel and the USA and vice versa. This removes the ethical/moral question, since the targets would be targets regardless. If the virus reprogrammed the nuclear weapons to randomly go off in the silos, that would be different. Actual civilians living near the weapons would be killed when this new virus detonated the devices.
@Dangling-Pointer 3 months ago
@@Egilhelmson I fail to see how those countries being at war removes morals and ethics from the question. In fact, there’s a whole body of law attempting to govern just that. Unless you’re saying that more generally, in war, morals and ethics don’t apply? I guess it’s a valid point, and not an uncommon one (Machiavelli).
@RichPober 3 months ago
Excellent explanation - I covered it today in a live tutor-led OT cybersecurity course and Siemens PLC Step 7 software exercise. It really brought my understanding to life.
@xxxx8380 a month ago
I love hearing this story to this day, thanks dave
@MikeyK65 2 months ago
Thanks Dave, that was a lot easier to digest than the Symantec 68 page document!!!
@haydn9196 3 months ago
Please do more of these breakdowns!
@jmdjasonday 3 months ago
A very detailed and succinct, yet easy to digest explanation. Thank you.
@Taffeyboy a month ago
Thanks for making an incredibly interesting operation understandable.
@Hr1s7i 3 months ago
4:20 There are a number of layers when it comes to industrial communications. If you operate on a high level where you can have encryption, your com lines can be fairly safe, but on any of the lower levels, it's literally bare bits flying around with no encryption whatsoever, due to latency being a major issue in an industrial environment, not to mention packet complexity being the enemy, as it increases prices of equipment and cost of operations. Also, it's obvious this was a high level tool, as they designed it with the topology of the environment it'll operate in, in mind. Insider information is crucial with this one, as trying to sabotage the industrial plant would hardly be possible if the engineers there knew the first thing about air gapping their systems and isolating all the layers of the plant from each other. Yet, it would introduce some latency in operations, but that is not a problem when using modern fuzzy logic capable controllers. The robustness will allow the controller to be independent for some time, compensating for the network taking its sweet time encrypting/decrypting data. The way I see it, they didn't even consider that someone might be enacting sabotage through the internal data channels.
@jackpisso1761 3 months ago
Excellent video, Dave! Congratulations!
@Bryghtpath 3 months ago
Stuxnet redefined "plug and play" with a twist of international cyber warfare, turning malware into a pitch for the zero-day startup scene.
@martyb3783 3 months ago
This is a great video! Very interesting. The level of sophistication is astounding.
@brunovandooren3762 3 months ago
I work on similar systems. One thing we have in place is that the airgapped systems also have their own active directory, don't have trusts, have no wireless or bluetooth or such, have removable storage disabled, and no computers are user accessible. I'm not saying it would be impossible, but it would require physical intrusion.
@ernestvdw4186 3 months ago
And just incredible that the whole industry worldwide relies and runs on Windows. Manufacturers of equipment with control, all windows based. I used to work in an industry with DIGITAL VAX infrastructure. Never had 3-monthly security patches like nowadays.
@ronblack7870 3 months ago
Well, the VAX never got big enough or did anywhere near what Windows does.
@oglaucio 3 months ago
Forget the complexity and how sophisticated this was... my mind is blown by the 500kb payload. Can't have a "hello world" done nowadays without downloading 200mb of dependencies and blowing 1gb of ram while running it. Thank you for the detailed video. This was fascinating!
@andersjjensen 3 months ago
"Hello world" in assembly on UNIX/Linux is less than 500 bytes on disk and significantly less in memory once the linker is done realising there is no linking to be done and only the two mandatory segments (BSS and TXT) exist.
@oglaucio 3 months ago
@@andersjjensen Yes that is pretty minimal. I was not talking about those languages. Mostly more "modern" ones.
@cgungryfcdjs1352 3 months ago
I mean, that seems HUGE to me; you act like it's small?
@joshuapatrick682 2 months ago
I think the overarching moral of this story is that if you’re a national actor with intent to undermine international orders don’t use computers that run operating systems built by those you consider your enemy. Seems obvious, but it wasn’t. The real question I have is whether or not the OS architecture was designed intentionally for just such a purpose.
@VincentRiquer 3 months ago
Nowadays companies tend to disable mass storage support through GPO unless especially required. And some go through loads of virus scanning before allowing a device to be plugged in. But this wouldn't have changed anything in this case, as the use of the USB key would probably have been seen as legit, through social engineering or supply chain infiltration. And digging autorun would not have saved them due to the first 0 day mentioned... I really like this deep analysis of that malware, thank you
@haikaido 3 months ago
I would love to hear more cyber security stories!
@jhors7777 2 months ago
Well researched and presented, thank you!
@remot3kontrol 3 months ago
Impressive video. Loved every second.
@Alcyeragraeth 3 months ago
Great explanation as always. Also, I really want your spiral lamp.
@20chocsaday 3 months ago
It's his Random Number generator. It turns at a slightly uneven speed and a ray of light is reflected off it. The detector it lands on gives a 1, and that produces the value, somewhere.
@paulgandy8400 2 months ago
Outstanding commentary thanks
@zereprd3911 2 months ago
Excellent overview! Thank you.
@MicesOnIces 3 months ago
Was VERY happy when the title to this video popped up in my feed ... Time for an afternoon cup of tea (UK based)
@rjy8960 3 months ago
Same here :) Chin chin!
@MicesOnIces 3 months ago
@fire_stick Yorkshire - proper
@rjy8960 3 months ago
@fire_stick Same here :) Always take them when travelling. An Englishman needs his proper tea, not that forrin rubbish.
@theNeWo1 3 months ago
My quick research found stuxnet was around 500 kb in size. What it achieved in such a small size is amazing.
@mskellyrlv 3 months ago
Outstanding presentation!
@indnwkybrd 3 months ago
Dave's intro always makes me wonder. When you retire from Microsoft & you're walking out on your last day to retire at 50... do they actually stop you at the door & say: "Wait a sec - please show us your ID badge. For security reasons, we can't let you leave the building until we put a RETIRED stamp on it." ;)
@MOSMASTERING 3 months ago
I've always found this story absolutely fascinating. This was a fantastic presentation of it; I'm happy to sit through the story again when Dave tells it.
@davidpriest5253 3 months ago
Conficker - another autorun beauty which caused me a lot of stress. Cheers Dave.