By now, you've probably heard of Stuxnet, the mysterious computer worm that infects Windows computers running software designed by Siemens, the German industrial giant. The software, Simatic WinCC, is what's known as a SCADA system -- "supervisory control and data acquisition" -- and it's used to help run everything from traffic systems and pipelines to nuclear plants.
Siemens has known about Stuxnet for some time, and has been tracing the worm's spread on its website. In July 2010, the company knew of only one industrial facility affected. By September 7, it was reporting that 15 systems had been hit worldwide. (The worm was first discovered in June by VirusBlokAda, a little-known Belarusian security firm.)
For months, the discussion about the virus stayed within the cybersecurity community, but once speculation began to mount that it was aimed at Iran's nuclear facilities, the news went, er, viral. Amid the uproar last week, Iranian officials admitted that their facilities had indeed been hit, though they didn't specify which.
Even with all the media attention, much remains mysterious about Stuxnet. We know it's a sophisticated piece of malware, one that experts say could only be produced by a high-powered team with insider knowledge of industrial software. We know it was spread using USB thumb drives. But there's a lot we don't know. Here's my attempt to lay out some of the big open questions.
1. What was the target? Although the worm has affected computers in Indonesia, India, Pakistan, and elsewhere in addition to Iran, security researchers who have been poring over Stuxnet for months say it appears aimed at a very specific target. According to Siemens, "The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process." Two German experts, Ralph Langner and Frank Rieger, have offered competing theories as to what that target might be, both of them in Iran, where most of the affected machines are.
Langner guesses that Stuxnet is aimed at Bushehr, Iran's civilian nuclear power plant, which is slated to go online this fall. Langner's case rests largely on the fact that Bushehr runs Siemens software and that Russian contractors would have had access to the facility -- and that they would have used USB drives to set up the system.
Rieger counters that Natanz, Iran's uranium enrichment plant, is a more likely target. Not only is it more of a proliferation threat, but there's suggestive evidence that it actually may have been affected by sabotage. (More on this later.) He also points out that Natanz is more likely to have the kinds of identical nodes, in this case "cascades" or groups of centrifuges, that would be susceptible to an attack.
2. Who did it? The obvious culprit is Israel, which has both the sophisticated technology and the motive to sabotage Iran's nuclear program, which it deems a mortal threat. An eerily prescient Reuters article published in July 2009 quotes Scott Borg, a U.S. cybersecurity expert, speculating that Israel might want to do so, adding that "a contaminated USB stick would be enough" to cause real damage to Iranian
Other countries, such as the United States, China, and Russia, probably have the capability, but only one -- the United States -- has a clear motive (some might add France and Germany to this list). One could spin complicated theories as to why Russia would want to sabotage its own facility, but Occam's Razor probably applies here -- and other reporting has indicated that the United States and Israel have, in fact, approved a covert sabotage campaign that may include a cyber component.
3. Did it work? Who knows? Outside analysts have been speculating for years that Western intelligence agencies have been sabotaging Iranian enrichment efforts, but they're usually talking about false-flag operations to sell Iran damaged centrifuge components. They point to signs that the number of centrifuges Iran is operating dropped precipitously last year, or of nuclear accidents, or the sudden and unexplained resignation last year of Gholam Reza Aghazadeh, the head of the Iranian nuclear program. For what it's worth, encountering any problems as a result of Stuxnet, and there's little evidence to the contrary. But there could be hidden issues that pop up later on, or Iran could simply be lying.
4. What does it do? The reporting on this question has been maddeningly vague. Siemens says that Stuxnet "can theoretically influence specific processes and operations in a very specific automation environment or plant configuration in addition to passing on data," though it has been unable to verify that finding in testing. Supposedly, the worm was designed to send data to a server in Malaysia, which may or may not have been a "command center" that could seize control of PLCs, or programmable logic controllers, the components used to operate and monitor industrial machinery. The consensus among people who've studied the code seems to be that its aim is sabotage, not simply espionage. But exactly how that was supposed to work remains unclear.
5. Why did it spread so widely? John Markoff, the longtime tech reporter for the New York Times, takes on this question in today's paper. "If Stuxnet is the latest example of what a government organization can do, it contains some glaring shortcomings," he writes. "The program was splattered on thousands of computer systems around the world, and much of its impact has been on those systems, rather than on what appears to have been its intended target, Iranian equipment." He only offers one theory, however: "One possibility is that they simply did not care. Their government may have been so eager to stop the Iranian nuclear program that the urgency of the attack trumped the tradecraft techniques that traditionally do not leave fingerprints, digital or otherwise."
A couple of points here. One is that Stuxnet does not seem to have had an "impact" on all those systems, for the reason noted in #1 above: It wasn't aimed at them. Second, it may be that the worm's designers needed it to spread within Iran to be effective -- i.e., from one computer to another within the same facility, or between facilities -- but that there was no way to prevent it from propagating further. Finally, there's some debate among researchers as to whether the virus was programmed to "expire" on a certain date, supposedly in January 2009. In other words, it wasn't supposed to spread, but somehow it did anyway, possibly through Russian contractors.
6. Why would anyone run a nuclear plant using Windows? I've got no answer for this one.