For the last few months, a sophisticated computer worm has wriggled its way between some of the most critical control systems in the world.
The timing of the worm’s release, combined with several clues buried in its code, has led some experts to speculate that the worm, dubbed Stuxnet, was originally designed to sabotage an Iranian nuclear facility, possibly the enrichment plant in Natanz, roughly 180 miles south of Tehran. This week, officials in Iran confirmed that Stuxnet had been found on systems inside the plant, although they denied that it had caused any harm.
But Stuxnet has since spread to hundreds more industrial systems within Iran and around the world. Experts say this highlights a worrisome weak spot in critical infrastructure that could become a new focus for saboteurs and malicious hackers.
Stuxnet infects computers by using previously unseen flaws in Microsoft’s Windows operating system. It has most likely spread via hand-carried USB flash drives. From an infected Windows computer, it targets a specialized type of computer known as a programmable logic controller, or PLC. These computers are widely used in critical infrastructure, including manufacturing, water processing, power generation, and transportation. PLCs connect to, and control, devices used to perform many tasks, from opening a door to increasing the flow of fuel inside a power plant.
Stuxnet is the first example of attackers targeting the specialized computers that control industrial operations, security experts say. “It goes down into the embedded device, inserts itself, and starts doing command-and-control,” says Walter Sikora, vice president of security solutions for Industrial Defender, a security consultancy that focuses on critical infrastructure. “This is an area that was unprecedented in terms of a virus or a worm or any other kind of malware.”
The worm’s code focuses on a type of PLC made by Siemens. A pattern in the code–designed to match that of a specific application–suggests that the worm’s authors had a specific facility in mind. On the target system, the program would inhabit a privileged place where it could monitor and control many devices.
“The ability to not only target a certain type of system but to surgically and elaborately get whatever you want from a machine to which we will never be able to attribute back to you–that’s scary,” says Phyllis Schneck, vice president and chief technology officer for security firm McAfee’s public sector group.