Overview[edit | edit source]

In September 2010, media reports emerged about a new form of cyber attack, the Stuxnet worm that appeared to target Iran, although the actual target, if any, is unknown. Through the use of thumb drives in computers that were not connected to the Internet, the malicious program infected computer systems that were used to control the functioning of a nuclear power plant. Once inside the system, Stuxnet had the ability to degrade or destroy the software on which it operated.

[Stuxnet] was a 500-kilobyte computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. It targeted Microsoft Windows machines and networks, repeatedly replicating itself. Then, it sought out Siemens Step7 software, which is also Windows-based and used to program industrial control systems that operate equipment, such as centrifuges. Finally, it compromised the programmable logic controllers.

The key compromise was that Stuxnet placed itself in a critical path where it could not only disrupt the plant process, but also disrupt/manipulate the information flow to the system operator. In this particular instance of Stuxnet, it caused the fast-spinning centrifuges to tear themselves apart, while fabricating monitoring signals to the human operators at the plant to indicate processes were functioning normally.

Stuxnet could spread stealthily between computers running Windows — even those not connected to the Internet [via infected USB drives]. It exploits vulnerabilities associated with privilege escalation, designed to gain system-level privileges even when computers have been thoroughly locked down. That malware is now out in the public spaces and can be reverse engineered and used again against CPS.[1]

Although early reports focused on the impact on facilities in Iran, researchers discovered that the program had spread throughout multiple countries worldwide.

The Stuxnet trojan/virus is the first publicly known worm to target industrial control systems. The threat posed by Stuxnet has been portrayed as beyond anything seen before. Its goal was to sabotage a real-world industrial plant, not disrupt abstract IT systems. It was aimed at industrial control systems with the intention to reprogram PLCs — [ programmable logic controllersdevices used for control of processes] in a manner that would sabotage the plant, hiding the changes from programmers or users. Stuxnet has highlighted the potential to directly attack industrial control systems used in critical national infrastructure, including energy, water, and transport sectors.[2]

Cyber threat[edit | edit source]

The emergence of the Stuxnet worm is the type of risk that threatens to cause harm to many activities deemed critical to the basic functioning of modern society. The Stuxnet worm covertly attempts to identify and exploit equipment that controls a nation's critical infrastructure.

Stuxnet used the cyber interface to the target system to impact its physical operation and cause safety and reliability concerns. In concept, malware with capabilities similar to those displayed by Stuxnet could maliciously alter the operational state of any CPS by compromising cyber subsystems (e.g. digital data feeds from sensors, digital files used by cybernetic control systems to control machine operation, and digital data storage used to record system state information) in ways that adversely affect safety, reliability, resilience, privacy and financial bottom lines. Such malware could also collect and exfiltrate intellectual capital that could inform attackers' future attempts to threaten system performance.[3]

A successful attack by a software application such as the Stuxnet worm could result in manipulation of control system code to the point of inoperability or long-term damage. Should such an incident occur, recovery from the damage to the computer systems programmed to monitor and manage a facility and the physical equipment producing goods or services could be significantly delayed.

Stuxnet remains the only known cyberattack that actually broke something. If nothing else, it showed that, if equipment can be damaged by commands generated by digitized control systems, and these controls can be reprogrammed remotely, and the means to reprogram such controls are accessible to the outside world, then they might be damaged by cyberattack.[4]

Depending on the severity of the attack, the interconnected nature of the affected critical infrastructure facilities, and government preparation and response plans, entities and individuals relying on these facilities could be without life-sustaining or comforting services for a long period of time. The resulting damage to the nation’s critical infrastructure could threaten many aspects of life, including the government’s ability to safeguard national security interests.

References[edit | edit source]

  1. Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff, at 53.
  2. Richard Piggin, Control Network Security Lessons from Stuxnet, Consulting-Specifying Engineer (Feb. 3, 2011) (full-text).
  3. Mobile Medical Applications: Guidance for Industry and Food and Drug Administration Staff, at 53.
  4. Crisis and Escalation in Cyberspace, at 40 n.2 (emphasis in original).

Source[edit | edit source]

See also[edit | edit source]

External resources[edit | edit source]

  • John Borland, "A Four-Day Dive Into Stuxnet's Heart" (Threat Level Blog (Wired)) (Dec. 27, 2010) (full-text).
  • European Network and Information Security Agency, Stuxnet Analysis (Oct. 7, 2010) (full-text).
  • Nicolas Falliere, Liam O. Murchu & Eric Chien, W32.Stuxnet Dossier, Ver. 1.4 (Feb. 2011) (full-text).
  • Institute for Science and International Security, "Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? Preliminary Assessment" (Dec. 22, 2010) (full-text).
  • David Kushner, "The Real Story of Stuxnet," IEEE Spectrum (Feb. 26, 2013) (full-text).
  • Kim Zetter, "Stuxnet Timeline Shows Correlation Among Events" (Threat Level Blog (Wired)) (July 11, 2011) (full-text).
Community content is available under CC-BY-SA unless otherwise noted.