This June, computer systems at Iran’s first nuclear power plant at Bushehr were found to carry a potent new worm. “Studies conducted show some personal computers of the Bushehr nuclear power plant workers are infected with the virus,” the facility’s project manager, Mahmoud Jafari, told Iran’s official Islamic Republic News Agency. He said the virus hasn’t caused major damage and won’t affect the scheduled completion of the plant next month. Ralph Langner, a German cyber-security researcher, suspects that the Bushehr plant may already have been wrecked by the virus. Bushehr’s expected startup in late August has been delayed for unknown reasons. (One Iranian official blamed the delay on hot weather.)
And that is what makes this new malware, called Stuxnet (after one of the files in its code), malicious rather than merely irksome: it is the world’s first known malware designed specifically to destroy a real-world target, whether a factory, a refinery, or just maybe a nuclear power plant. Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed startling new tricks, such as taking control of a computer system without the user doing anything more than inserting an infected USB flash drive. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems. It is likely, in other words, the work of a nation rather than some kid in his basement.
Of particular interest to cyber warfare experts is Stuxnet’s ability to “fingerprint” the computer system it infiltrates to determine whether it is the precise machine the attackware is looking to destroy. If not, it leaves it alone. It is this digital fingerprinting of the control systems that shows Stuxnet to be not spyware but attackware meant to destroy, Mr Langner says. His analysis also shows, step by step, what happens after Stuxnet finds its target. Once it identifies the critical function running on a programmable logic controller, or PLC, made by Siemens, the malware takes control. One of the last codes Stuxnet sends is an enigmatic “DEADF007.” Then the fireworks begin, although the precise function being overridden is not known, Mr Langner says. It may be that the maximum safety setting for RPMs on a turbine is overridden, or that lubrication is shut off, or that some other vital function is shut down. Whatever it is, Stuxnet overrides it.
As an interesting sidebar, James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies (CSIS) at Georgetown University [Washington DC], said that while it isn’t clear whether Iran was specifically targeted by the Stuxnet worm, leading suspects in mounting such an attack would include Israel, the US, and the UK. In addition, Russia, France and Germany would also have the capability to conduct this type of attack, said Mr Lewis, who frequently advises the Obama administration. “Bushehr is a good target” to be compromised, he said. “The Iranians should be worried.”
Perhaps not coincidentally, Israel’s pursuit of options for sabotaging the core computers of foes like Iran, along with mechanisms to protect its own sensitive systems, was unveiled last year by the military intelligence chief, Major General Amos Yadlin. Fending off damage to sensitive digital networks and inflicting it are interconnected disciplines. Israeli high-tech firms, world leaders in information security, often employ veterans of military computing units. Because such an attack is so hard to trace, it also provides nearly complete cover of plausible deniability.
What bothers me about all of this, aside from the obvious, is the reaction from the technical community. It reminds me of a problem we had with the scientists working on the Manhattan Project.
The eminent physicists, chemists and engineers working on devising a way to build a controlled nuclear explosive wanted to share their work with the scientific community at large. J Robert Oppenheimer, leader of the scientific team, argued forcefully that by communicating with their colleagues, valuable input could shorten the development period. Brigadier General Leslie Groves, director of the Manhattan Engineering District, as the project was officially known, was equally adamant: “No.”
The secrets eventually got out, of course, mainly through the efforts of Klaus Fuchs and the Rosenbergs, but the leak was delayed long enough that the United States never had to face a nuclear-armed Soviet Union, Nazi Germany or Imperial Japan (all of whom were working on the same problem) during the hostilities.
In Stuxnet’s case, Mr Langner is laying out the code he has dissected on his website. He shows step by step how Stuxnet operates as a guided cyber missile. Three top American industrial control system security experts, each of whom has also independently reverse-engineered portions of Stuxnet, confirmed his findings to the Christian Science Monitor. In other words, Mr Langner is conducting a tutorial on his website on how to weaponize computer viruses.
The intent is as pure (and naïve) as Professor Oppenheimer’s, but this feels as pregnant with mayhem as General Groves feared then.
Siobhan Gorman, “Computer Worm Hits Plant in Iran,” Wall Street Journal, September 27, 2010, p. A12.
Mark Clayton, “Stuxnet malware is ‘weapon’ out to destroy … Iran’s Bushehr nuclear plant?,” The Christian Science Monitor, September 21, 2010.
To get technical for a moment, Stuxnet is the first malware known to target and infiltrate industrial supervisory control and data acquisition (SCADA) software used to run chemical plants and factories as well as electric power plants and transmission systems worldwide.
Clayton, op. cit.
Gorman, op. cit.
Security sources said Israel awoke to the potential of cyber warfare in the late 1990s, when the Shin Bet hacked into a fuel depot to test security measures and then realized the system could be reprogrammed to crash or even cause explosions.
Dan Williams, “Cyber takes center stage in Israel’s war strategy,” Reuters, September 28, 2010.
Clayton, op. cit.