Cyber Warfare's Pandora's Box

The cyber attack against Iran’s nuclear program appears to have been successful, but is there a price?

When the Stuxnet super-virus was first identified in June by a Belarus security firm, cyber-security experts across the globe worried that the infection could have a global effect. But, as software engineers continue to study lines of code in the sophisticated malware, it’s become clear to most that Stuxnet was designed as a precision weapon with a single target in mind: Iran’s nuclear program. Yet, while the virus seems to have been successful in disrupting Iran’s nuclear ambitions for the time being, Stuxnet also represents a new kind of computer virus, one that some experts fear will be used to attack power plants and industrial facilities throughout the world. If terrorists were to get their hands on Stuxnet-like technology before the West develops effective countermeasures, the results could be catastrophic.

Computer security expert Ralph Langner described Stuxnet as being akin to “the arrival of an F-35 into a World War I battlefield.” Unlike most viruses, Stuxnet was not designed to infiltrate a network solely through the internet. The computers used in Iran’s nuclear program are not connected to the internet, so that would have been a futile exercise. Instead, Stuxnet hopped from computer to computer by any means possible, always looking for its target. Experts suspect that an unsuspecting individual involved with Iran’s nuclear program eventually introduced the virus via an ordinary flash drive. Once Stuxnet found that it was where it was supposed to be, the virus went to work.

A typical virus targets a computer, almost always a PC. Stuxnet went after the Programmable Logic Controller (PLC) that controlled the thousands of centrifuges Iran installed to enrich uranium at its Natanz facility. The virus not only fooled the PLC into rapidly changing the speed of the centrifuges, it also prevented the PLC from reporting the change in speeds and stopped the PLC from triggering any alarms. Operators were surely puzzled, for their control panels told them everything was running normally, but centrifuge after centrifuge was being wrecked by the severe changes in rotation speed. The result, many experts believe, is that thousands of the centrifuges were damaged over the course of the year that Stuxnet did its dirty work, undetected by anyone in Iran. These were high-quality targets, for Iran needs centrifuges to refine the low-grade uranium used for fuel into high-concentration, weapons-grade uranium.

Who did it? Most experts believe that something as sophisticated and complicated as Stuxnet could only be built using the resources of a rich nation-state. Israel and the United States are obvious candidates, but some believe that Russia and Germany may have participated in the project as well. Since the systems targeted were built by Siemens, a German firm, it seems likely that the company, the German government – or both – at least cooperated with the effort. If the reports of damage to Natanz are correct (Iran denies such reports, of course), then the world owes whoever made the stealthy cyber-attack a debt of gratitude. Yet, there is another side to the coin. Now that the code is publicly available, it’s only a matter of time before a hacker with less noble ends in mind modifies Stuxnet for more nefarious purposes.

The nightmare scenario involves a clever programmer building a Stuxnet-like virus that would go after PLCs used in vital sectors of the West’s economy: facilities like power plants, oil refineries and industrial manufacturers. Such a weapon would be very attractive to terrorists around the world, and it’s not hard to imagine a soulless hacker auctioning off that kind of capability to the highest bidder. Now, there’s little danger of an Al-Qaeda programmer creating a weapon that destructive, even with Stuxnet to use as a blueprint. But would Al-Qaeda pay a clever infidel handsomely to provide them with the capability to wreak that kind of havoc? You bet.

Langner, who runs a cyber-security firm, says that he already has the capability to infiltrate and sabotage PLCs at industrial facilities. His firm developed proof of concept software “that manipulates controllers without any insider knowledge. If we wanted to, we could implement a configurable controller exploit framework that includes Stuxnet’s more nasty attack technology within four weeks. We won’t do it. But others probably will. They may need longer, but we don’t know if they haven’t started already.” The interface for Langner’s software is frighteningly simple, allowing a user to select a process to target and then to disable alarms, kill the process, change process variables and change outputs – all without any knowledge of the process itself.

Like other cyber-security experts, Langner hopes to influence people to utilize his services by exposing their systems’ vulnerabilities. However, the fact that someone is delivering a message out of self-interest does not mean that the message is wrong. Stuxnet took computer viruses to an entirely new level, moving them beyond mostly annoying, yet manageable, ways of disrupting personal computers and networks. Now viruses can be used to sabotage industrial facilities and processes and to do as much damage as a barrage of cruise missiles. The challenge for the West will be to refine this technology so it can be used to attack the enemies of liberty and freedom to an ever-greater degree, while we simultaneously ensure that this powerful new weapon cannot be used against us.