An image from the Iran International Photo Agency shows a view of the reactor building at the Russian-built Bushehr nuclear power plant. The Stuxnet worm was found on personal computers at the facility, but Iranian authorities said "major systems" were undamaged. IIPA/Getty
It is not yet clear whether the "Stuxnet" computer worm has caused any damage to the industrial control systems it has penetrated, but security experts say it still qualifies as a potential cyber-superweapon.
"In the worst case, we would have seen power plants explode or dams burst," says Derek Reveron, a technology specialist at the Naval War College.
Since its discovery earlier this year, the sophisticated Stuxnet worm has infected at least 15 industrial plants in a variety of countries. Security experts who have analyzed the worm say it had the ability to zero in on its computer target and locate the hardware that controls equipment systems at industrial facilities.
"Whether it's a flow meter or a temperature [gauge], this threat got very far into the control systems of the real world," says Gerry Egan, a security response director at Symantec, the computer security company. "This attack was not about stealing information. This attack was about physically doing things, [like] turning a dial, reading a sensor."
Turning a dial on a gas pipeline conceivably could have blown it up. Tinkering with the centrifuge in a nuclear plant could have rendered it ineffective. At least in theory, the Stuxnet worm could have had the effect of a bomb.
There are no reports yet that the Stuxnet worm actually did any physical damage in the countries where it has been found. Authorities in Iran, the country most significantly affected, say the worm was found on some personal computers at the Bushehr nuclear power plant but that "major systems" were undamaged.
The high number of Stuxnet infections in Iran has prompted speculation that the United States or Israel may have been behind the attack. After several months of research, the security experts at Symantec have concluded that the Stuxnet worm probably could not have been created by a single individual.
"We think anywhere from five to 10 people probably were needed, with a variety of different skills, over as long as a six-month period to try and put this very sophisticated attack together," says Egan. "So that definitely points away from somebody like a typical hacker in their front bedroom or a garage doing this as a hobby toward something that was extremely organized and very well funded."
The Stuxnet worm, Egan says, was designed to take advantage of four computer vulnerabilities that had gone undetected until the attackers used them. Such "zero day" flaws are rare. In all of 2009, Egan says, only 12 were found anywhere. In addition, the Stuxnet creators made the worm capable of disguising itself and managed to steal two digital security "certificates," giving the worm an appearance of authenticity.
"My overall take is that it was a nation-state, using one of its precious cyberwar packages, which now cannot be used again," says Richard Clarke, author of Cyber War: The Next Threat to National Security and What to Do About It. Other cyber experts argue that well-funded, well-organized private groups might have been able to design and put the Stuxnet worm into operation, but it was not clear what their motive would have been.
It is likely, in fact, that much about the Stuxnet attack will remain a mystery. "Only the attacker knows what it wanted to achieve, and only the victims know what it has achieved," says Reveron of the Naval War College.
In an actual war scenario, uncertainties about both the perpetrator and the intended target would make it difficult for a country to respond to a cyberattack. An Iranian newspaper Sunday quoted a senior Iranian official as saying the Stuxnet worm was created "in line with the West's electronic warfare against Iran," but the report cited no evidence to back up that claim.
There is also a lesson in the Stuxnet episode for any government considering the use of a cyberweapon against another country: The possibility of collateral damage is high. Stuxnet infections have so far been reported in many countries over a wide geographic area.
"Once a computer worm is released in the wild, it will move freely," says Reveron. "This makes it extremely difficult to weaponize something like this, because you can't necessarily insulate your own systems from the attack."