STEVE INSKEEP, HOST:
About two years ago, a sophisticated cyber-attack struck Iran's nuclear program. The computer worm used in that attack was called Stuxnet.
RENEE MONTAGNE, HOST:
Researchers described it as the world's first cyber-superweapon. Many suspect the United States was involved.
INSKEEP: Now comes fear of blowback. Some security experts worry that a similar cyber-weapon, or even the same one, could be used to attack the United States. NPR's Tom Gjelten reports.
TOM GJELTEN, BYLINE: The Iranian nuclear plant targeted by Stuxnet had something in common with power plants and oil refineries and water treatment facilities here in the United States: The equipment in all these places is run by computers. You get control of the computer, you control the equipment. You can even destroy it.
Cybersecurity experts have known this for years, but until Stuxnet came along, no one had launched a cyber-attack along this line. Now it's happened.
The Stuxnet attack in Iran physically destroyed centrifuges by working through the computers that controlled them. But now, the people who operate industrial plants in the U.S. need to be prepared for something like Stuxnet being used against them.
MARK FABRO: What happens is when the adversary was actually doing that...
GJELTEN: The Department of Homeland Security has a cybersecurity training program at the Idaho National Laboratory in Idaho Falls. Instructor Mark Fabro takes power plant or refinery security officers through a demonstration - essentially a game - where they get an idea how an adversary could penetrate their computer systems without being detected.
FABRO: Wouldn't it be great for the adversary to be able to manipulate the system and not let the operator see it? Then you get into some very, very interesting ideas.
GJELTEN: Fabro could be describing Stuxnet. One of the features of the worm was that it hid itself, sending messages that everything was normal when, in fact, Stuxnet was in control.
For these training sessions, the instructors have set up a mock control room - like what would be found in a power plant, for example. The trainees play like they're the plant operators, monitoring the computers that control the plant equipment. In the initial phase of the exercise, everything seems normal. Then all of a sudden, things start to go wrong.
UNIDENTIFIED MAN #1: It's running kind of slow. It's running really slow. So we got...
UNIDENTIFIED MAN #2: I can't get to my network scans.
UNIDENTIFIED MAN #1: We got something, we got something.
GJELTEN: The cyber attacking team is in a separate room upstairs. Unbeknownst to the defenders, the attackers have worked their way into the heart of the computer system that runs this facility, right down to the lights in the control room. And they're ready to pounce.
FABRO: So here, if this is live, we'll kill, we want to, yeah, take this one out. Trip it. And trip it. And our next feed going back to the camera, it should be - it should be dark very soon.
GJELTEN: Sure enough, about 30 seconds later, the power goes out in the control room. The plant operator and his team realize they're in big trouble.
UNIDENTIFIED MAN #3: This is not a good thing. Our screens are black, the lights are out. We're flying blind.
GJELTEN: In this case, the exercise is being staged, just for some visiting reporters. The attack is on a pumping station. The idea is that it's a manufacturing plant or water treatment center or another facility where pumps are used. And before long, it's the cyber attackers who are running the show, not the plant operators.
UNIDENTIFIED MAN #1: So right now we have no control. So we don't have control of the process. You know, it looks like it's running itself.
GJELTEN: Suddenly, the pumps in this facility turn on. No one in the control room has done anything. But before long, the pumps are pushing water into a catch basin.
UNIDENTIFIED MAN #3: It's pretty bad now. We don't have control of the control system, which is in this cabinet here. Water's falling into the basin here, and we're powerless, right now, to do anything. We can only just wait and watch the spill happen as it's happening.
GJELTEN: If this were an electric utility, the turbines could be spinning out of control right now; if it were a refinery, tanks could be bursting. Pipelines could be blowing up — all because the cyber-attacker has been able to take over the computer system that controls the operation.
In general terms, this is the way Stuxnet worked with the centrifuges at the uranium enrichment plant in Iran. About a thousand were disabled when Stuxnet ordered them to spin at the wrong rate. Now we have to worry someone will use a similar worm to attack critical facilities here in the U.S.
MIKE ASSANTE: It's a matter of time.
GJELTEN: Mike Assante is a former chief of security for the North American electric grid.
ASSANTE: Stuxnet taught, not just us, from a defender perspective, what's possible, but it taught the rest of the world what's possible, and honestly it's a blueprint.
GJELTEN: Assante says he worries about Stuxnet. So does Joe Weiss, a top U.S. expert on the industrial control systems used in power plants, refineries, dams, and other parts of the U.S. infrastructure.
JOE WEISS: Stuxnet was the first case where there was a nation-state activity to physically destroy infrastructure. Nothing like this had occurred before.
GJELTEN: Not with a cyber-weapon, anyway. Weiss has written a textbook on how to protect industrial control systems. He says the most dangerous aspect of cyber-weapons like Stuxnet is that there's no computer patch or easy fix that operators can use to defend their plants from this kind of attack.
WEISS: Some of these are not going to be able to be protected. And we're going to need to figure out, how do we recover from events like this that we simply can't protect these systems from?
GJELTEN: So there are two ways to think about Stuxnet. For people who've worried about Iran getting a bomb, Stuxnet was something to celebrate: It set back Iran's nuclear program. But for people who worry about the security of American facilities, Stuxnet represented their worst nightmare: a dangerous computer worm that in some form could disable a power plant, an oil refinery, or some other piece of the U.S. infrastructure. And one against which we may have no defense.
The next question: Did a U.S. government agency develop Stuxnet as a weapon to use against Iran? And if the United States is developing offensive cyber-weapons, how do we deal with the possibility that those weapons might also be used against us?
That story tomorrow. Tom Gjelten, NPR News.