by Austin Bay
October 20, 2010
Can a worm bust a hydroelectric dam, on command?
The cyber-warrior scenario goes something like this: If the
worm is a computer worm (or other digital malware) infecting a dam's computer
system, it might be possible to use the malicious code to take control of the
supervisory operating system. The attacker then orders the computer to open the
dam's gates and thus create a destructive flood inundating cities downstream.
The computer worm would breach the dam with deniable finesse, rather than the
concrete and traceable mess left by a high explosive bomb or a nuclear weapon.
Enter the Stuxnet computer virus, first detected this past
summer. If Stuxnet is not "weaponized malware" designed to strike a
specific target and achieve specific military results, it is certainly an
improved cyber-attack tool and a step closer to the dam-busting malware
Computer experts understand and respect its threat.
StrategyPage.com, on Oct. 3, described Stuxnet as "the first piece of
malware to damage the computer systems which control industrial plants,"
and its emergence should serve as "a wake-up call to the world."
StrategyPage compared Stuxnet's strategic military implications to the
introduction of intercontinental ballistic missiles in the 1950s -- weapons
that could strike global targets.
The comparison is dramatic but also apt. Stuxnet-type
weapons can worm their way around the globe, wreaking havoc. Modern life relies
on microchips. Computers and digital devices run power grids and communications
systems. This blunt fact remains, however: If a device utilizes digital code,
it is vulnerable to abuse or outright attack by hackers, criminals and
cyber-warfighters. Just how vulnerable is a subject of ferocious debate -- a
societally vital debate that Stuxnet's appearance has intensified.
Power grids can include nuclear reactors. Stuxnet
specifically targets a "supervisory control and data acquisition"
(SCADA) system manufactured by Germany's Siemens Corp. It just so happens Iran
uses this controller in several major industrial and research facilities,
including its nuclear reactor at Bushehr and uranium enrichment center at
Now for the politics and Stuxnet's likely raison d'etre:
Iran's militant Islamist regime claims Bushehr is a peaceful project intended
to produce electricity. However, its ruling nut cases like President Mahmoud
Ahmadinejad routinely threaten to destroy Israel. They refer to Israel as a
"one-bomb state" -- meaning one large Iranian nuclear weapon would
eliminate the entire nation.
The Israelis take these threats to their survival seriously.
Israel bombed Iraq's Osirak nuclear reactor in 1981 and likely denied Iraq's
Saddam Hussein a nuclear weapon.
Iran's nuclear sites, however, are very long-range targets
for Israeli aircraft or missiles.
Sabotage by malware offers an alternative. A Stuxnet-type
virus lurking in a nuclear plant's computer could blinker safety systems, jam
control boards, jimmy valves, blind sensors and more. The plant operator then
has a choice -- either operate and risk a Chernobyl incident or shut down the reactor.
Stuxnet may not have taken Bushehr to such a meltdown
moment, but the next Stuxnet might. Iran acknowledges it has several thousand
infected computers and controllers, but claims its facilities (and by
implication, its weapons program) have suffered no significant damage.
If the Israelis did launch the attack, and the worm slowed
Iran's nuclear quest, then Stuxnet was a military success comparable to the
RAF's 1943 attack on Germany's Ruhr Valley hydroelectric dams. Cracking the
dams was not a war-winning coup de main, but damaging them hindered the Nazi
war effort by disrupting electrical power generation and diverting German
Microsoft Corp. has released software "fixes" that
plug several of the software "holes" the Stuxnet worm exploits.
That's good news for the thousands of truly peaceful facilities using
vulnerable controllers. The ex post facto fix, however, is indicative of a
dangerous status quo. Computer defenses tend to be reactive. The malware
strikes, the damage occurs, and then the cyber-cavalry arrives.
I'm all for the destruction of Iranian nuclear weapons, but
I want to protect Hoover Dam. Stuxnet signals that the cyber-war for digital
sovereignty has begun in earnest.