Infrastructure protection

Cyberweapon blowback

Published 3 April 2012


The real concern about Stuxnet is that its existence demonstrates what is achievable. Security analysts are confident that they can stop anything that is a variant of Stuxnet, but the real challenge is stopping something in the style of Stuxnet; this is where the confidence ends.


In the fall of 2010 the Iranian nuclear effort was brought to a temporary halt when sophisticated malware was introduced into Iran’s uranium enrichment program. The malicious code, known as Stuxnet, was a highly specific virus targeting only Siemens supervisory control and data acquisition (SCADA) systems. In the world of cyberwarfare, it was a nuclear weapon.

On 2 July 2011, The Hacker News announced that the Stuxnet code was available for download, providing a link to obtain the code. The weapon was now available to anyone. On 1 September 2011, a worm subsequently named Duqu was discovered and was thought to be related to Stuxnet (experts have since concluded that Duqu was designed by the same people who designed Stuxnet).

In the security sector, there is an active debate as to whether or not these cyberweapons can be converted and used against the United States and its allies.

There are a few known strands in this debate. One is that the worm itself is nothing special, in that it spreads indiscriminately once introduced into a system, a fundamental feature of this form of malware. What is unique about Stuxnet is that it carries a malicious payload targeting specific Siemens industrial control systems. Given that the Iranian systems attacked were isolated from the Internet, some analysts believe that it was introduced into the facility’s network via a flash drive.

Coupling this information with the fact that the specific systems attacked were known in advance and encoded in the virus leads to the conclusion that espionage was involved, both in gathering the system information needed and in introducing the worm into the Iranian facilities’ network.

This has led to the belief that Stuxnet could only have been created with nation-state support, and to speculation that the United States or Israel, singly or in partnership, created and released the worm.

Liam O Murchu, a manager of operations at Symantec Security Response, said that it would be very difficult to rework Stuxnet and use it in an attack without having the source code. “So from that point of view, it’s not so dangerous to have Stuxnet out in the wild right now. Even if you get your hands on it, you don’t have the source code to refashion it to do something else.”

The real danger is not that the code can be reused, but that its existence provides a pathway to the methodology. Code reuse is common practice, and certainly applies here. Tweaking the code itself, however, is not the major concern.

The real concern is that Stuxnet’s existence demonstrates what is achievable.

Security analysts are confident that they can stop anything that is a variant of Stuxnet, but the real challenge is stopping something in the style of Stuxnet. This is where the confidence ends.