The Shape Of Warfare To Come-Israel Or The US Attack's Iran's Nuclear Program

Stuxnet worm causes worldwide alarm
By Joseph Menn and Mary Watkins
Published: September 23 2010 19:39 | Last updated: September 23 2010 19:39
No one knows the ultimate goal of the Stuxnet computer worm, which has infected an unknown number of industrial controls worldwide and can stealthily give false instructions to machinery and false readings to operators.

It could destroy gas pipelines, cause a nuclear plant to malfunction, or cause factory boilers to explode. Perhaps it already has.

It is also unclear whether it can be effectively rooted out. Many companies may not even know that they have it.

What is clear, though, is that warnings by private experts and some former government officials – that the electricity grid and other critical industries were highly vulnerable to malicious hacking – were on target, and that a new era of computerised assaults had begun.

“This is very, very scary,” said Joe Weiss, a veteran US industrial control safety expert, adding that Congress needed to give utility regulators the authority to mandate protection measures.

Stuxnet is the first known worm to target and tamper with industrial controls, in this case through a common industrial programme sold by Siemens, the electronics and engineering group. The worm has been most active in Iran, suggesting it as the location for the target, but Indonesia, India and Pakistan have also reported infections, according to Symantec, a technology security provider.

Security researchers who have been working for more than a year to decrypt and disentangle the program have become increasingly alarmed. A combination of factors is prompting this concern: the new category of target, multiple levels of sophistication that they say points to a national government as the sponsor, and the difficulty in combating the threat due to poor communication between computer experts and industry officials.

The researchers have recently been able to decipher what rogue commands are being given to the control software, but they cannot tell what impact those commands have without knowing what equipment is on the receiving end.

So far, said Symantec expert Liam O’Murchu, analysts have not even been able to learn what sector Stuxnet is after, only that there is a target and that it must be valuable.

“We have all the blocks of code but we can’t tell what it means on a real system,” he added.

If nuclear energy or the electricity grid is involved, the worm would therefore have added resonance, as the US and other countries have invested in the so-called “smart grid”, which would connect more industrial operations to the internet. A core problem is that the specialised controls for electricity, transportation, and other critical functions are typically less protected than corporate computer networks, and are often connected to standard machines.

Stuxnet didn’t even rely on the master computers – those that run the targeted Siemens control systems – being hooked up to the internet. It spread initially via handheld drives that are inserted into computer USB ports. It then exploited a number of previously unknown holes in Windows, the operations software, by running itself automatically on PCs without any action from the user.

That in itself would be an impressive feat. But it was just the staging area for the real mission. Stuxnet then copied itself to thousands of other machines, in each case looking to see if a certain configuration of the Siemens programme was in place.

If the worm found that it was, it then used stolen digital certificates meant to authenticate new software – another extreme rarity – and burrowed more deeply.

Stuxnet checks for certain condition readings in some types of industrial function. If it finds what it wants, it can give new orders. So far no “back door” has been found that would allow for additional remote control by the authors.

David Emm, a senior security researcher at Kaspersky, the internet security company, said the way Stuxnet was operating was “potentially indicative of involvement by a government, because of the level of sophistication”.

It would have taken a team of 10 specialised programmers about six months of full-time work to complete, Mr O’Murchu said, and some would have needed detailed knowledge of the target industry.

Copyright The Financial Times Limited 2010. You may share using our article tools. Please don't cut articles from FT.com and redistribute by email or post to the we