Accessibility links

Breaking News

Iran's Bushehr Might Not Be Stuxnet's Target

The Stuxnet computer worm is back in the news, with Iran's Vice President Ali Akbar Salehi saying that it didn't harm the country's atomic program.

An AP report on November 22 cast suspicion on Stuxnet after "major technical problems" had forced the "temporary shutdown of thousands of centrifuges enriching uranium."

Iran's enrichment program has come under renewed focus with the conclusion of cyber experts and analysts that the Stuxnet worm that infected Iran's nuclear program was designed to abruptly change the rotational speeds of motors such as ones used in centrifuges. Such sudden changes can crash centrifuges and damage them beyond repair.

Last week The Register had a piece looking closer at Stuxnet, a worm that infects computers running Windows and is supposedly spread by USB sticks. It then goes on to target industrial control systems, which according to security expert Bruce Schneier, "run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines -- and, yes, in nuclear power plants."

The malware is designed to change the output frequencies of drives, and therefore the speed of associated motors, for short intervals over periods of months. This would effectively sabotage the operation of infected devices while creating intermittent problems that are that much harder to diagnose.

The problem with Stuxnet is that it's very difficult to establish who is responsible, partly because, as Schneier writes, the authors "were uncommonly thorough about not leaving clues in their code," but also because it's not even clear who -- or what -- was the target.


None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates--India, Indonesia, and Pakistan--are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

If it targets Bushehr, then it must be the United States or Israel, right? Not necessarily.

Schneier points to a number of alternative theories: that it could have been a research project that got out of control or even a dastardly conspiracy to increase funding for cybersecurity in D.C.

Another cybersecurity expert, Jeffrey Carr, has a number of other possible theories about Stuxnet's aims and origins, including that it was targeting states producing rare-earth metals or it was corporate sabotage designed to discredit Siemens (who run the control systems that Stuxnet targets).

It can be almost impossible to find out who exactly is responsible for a cyberattack. Or even, in the Stuxnet case, what the intended target is. My colleague Christian Caryl recently discussed NATO's principle of collective defense and cyberattacks with U.S. Ambassador to the alliance, Ivo Daalder, and the interview raised some interesting questions.

Here is Daalder's answer (read the interview here) to the question of whether cyberattacks would be counted as an attack against all, under NATO's Article 5:

It will be if there's an attack that has consequences that are so vast, then we would, as a council, just as we did on September 12, 2001, come together and decide how will we respond to that. And it is at that time that the question would be raised: is this the kind of attack that is sufficient to warrant an Article 5 response, an invocation of Article 5, or not? Rather than doing that before hand, and saying, by definition, it will or won't be, we're going to have to decide on the spot, in a case by case basis whether, in a cyber case, this is an armed attack.

That seems to me to be a reasonable response. With such an asymmetrical threat it might be hard to do anything but respond on an ad hoc basis. We're very much focused on the "cyber" part of cyberattacks -- the method of delivery -- but instead, when evaluating responses, we should really focus on the destruction and harm that those attacks can cause.

Bringing down a ministry's website and playing with the control systems of a nuclear power plant would seem to be of entirely different orders of magnitude.