by Austin Bay
October 20, 2010
Can a worm bust a hydroelectric dam, on command?
The cyber-warrior scenario goes something like this: If the worm is a computer worm (or other digital malware) infecting a dam's computer system, it might be possible to use the malicious code to take control of the supervisory operating system. The attacker then orders the computer to open the dam's gates and thus create a destructive flood inundating cities downstream. The computer worm would breach the dam with deniable finesse, rather than the concrete and traceable mess left by a high explosive bomb or a nuclear weapon.
Enter the Stuxnet computer virus, first detected this past summer. If Stuxnet is not "weaponized malware" designed to strike a specific target and achieve specific military results, it is certainly an improved cyber-attack tool and a step closer to the dam-busting malware scenario.
Computer experts understand and respect its threat. StrategyPage.com, on Oct. 3, described Stuxnet as "the first piece of malware to damage the computer systems which control industrial plants," and its emergence should serve as "a wake-up call to the world." StrategyPage compared Stuxnet's strategic military implications to the introduction of intercontinental ballistic missiles in the 1950s -- weapons that could strike global targets.
The comparison is dramatic but also apt. Stuxnet-type weapons can worm their way around the globe, wreaking havoc. Modern life relies on microchips. Computers and digital devices run power grids and communications systems. This blunt fact remains, however: If a device utilizes digital code, it is vulnerable to abuse or outright attack by hackers, criminals and cyber-warfighters. Just how vulnerable is a subject of ferocious debate -- a societally vital debate that Stuxnet's appearance has intensified.
Power grids can include nuclear reactors. Stuxnet specifically targets a "supervisory control and data acquisition" (SCADA) system manufactured by Germany's Siemens Corp. It just so happens Iran uses this controller in several major industrial and research facilities, including its nuclear reactor at Bushehr and uranium enrichment center at Natanz.
Now for the politics and Stuxnet's likely raison d'etre: Iran's militant Islamist regime claims Bushehr is a peaceful project intended to produce electricity. However, its ruling nut cases like President Mahmoud Ahmadinejad routinely threaten to destroy Israel. They refer to Israel as a "one-bomb state" -- meaning one large Iranian nuclear weapon would eliminate the entire nation.
The Israelis take these threats to their survival seriously. Israel bombed Iraq's Osirak nuclear reactor in 1981 and likely denied Iraq's Saddam Hussein a nuclear weapon.
Iran's nuclear sites, however, are very long-range targets for Israeli aircraft or missiles.
Sabotage by malware offers an alternative. A Stuxnet-type virus lurking in a nuclear plant's computer could blinker safety systems, jam control boards, jimmy valves, blind sensors and more. The plant operator then has a choice -- either operate and risk a Chernobyl incident or shut down the reactor.
Stuxnet may not have taken Bushehr to such a meltdown moment, but the next Stuxnet might. Iran acknowledges it has several thousand infected computers and controllers, but claims its facilities (and by implication, its weapons program) have suffered no significant damage.
If the Israelis did launch the attack, and the worm slowed Iran's nuclear quest, then Stuxnet was a military success comparable to the RAF's 1943 attack on Germany's Ruhr Valley hydroelectric dams. Cracking the dams was not a war-winning coup de main, but damaging them hindered the Nazi war effort by disrupting electrical power generation and diverting German reconstruction resources.
Microsoft Corp. has released software "fixes" that plug several of the software "holes" the Stuxnet worm exploits. That's good news for the thousands of truly peaceful facilities using vulnerable controllers. The ex post facto fix, however, is indicative of a dangerous status quo. Computer defenses tend to be reactive. The malware strikes, the damage occurs, and then the cyber-cavalry arrives.
I'm all for the destruction of Iranian nuclear weapons, but I want to protect Hoover Dam. Stuxnet signals that the cyber-war for digital sovereignty has begun in earnest.