A powerful computer virus called the Stuxnet worm has apparently targeted Iran's Bushehr nuclear power plant and infected computer systems from Asia to Europe and the United States. The capability of this malicious software is raising questions about the vulnerability of nuclear, electrical and other types of industrial facilities.
While Iranian officials say infected systems at the Bushehr nuclear power plant are safe, those who work in cyber security are not as calm, and note that the attack opens the door for a range of threats that until now were largely theoretical.
Sami Saydjari, the president and founder of the Cyber Defense Agency says the creation of this malicious software or malware shows that people are now willing and have the capability to attack industrial systems. "To begin targetting industrial control systems and to put people's lives at risk and systems at risk. That's a big change," he said.
Stuxnet Targeted Control Systems
Researchers say Stuxnet was designed to target control systems like those used at the Bushehr plant in Iran. In particular, they say it targets supervisory control and data aquisition systems or SCADA systems designed by the German company Siemens.
They say that after finding a way into a plant's system, the worm can simply steal data or potentially wreak havoc, causing its systems such as cooling pumps to malfunction.
Saydjari says the vulnerability of power plants should be a big concern, but notes that the threat is not limited to nuclear and electrical plants alone. "Any industrial control systems, like for example chemical plants - it's been speculated that one could induce disaster in a chemical processing plant like a cracking plant for petrochemical or a chemical production plant creating a Bhopal like situation which could cause an explosion that would kill a large number of people," he said.
State Actor? Private Group?
So far, the worm appears to have had its largest success in Iran where anti-virus computer company Symantec says it has infected more than 60,000 computers.
This - and the fact that the attack was highly sophisticated - has led some to believe that only a nation state could have been behind the attack. The United States and Israel have been named as two possible countries that have such capability and political motive for carrying out such an attack.
But some cyber security and technology analysts say it is still too early to make a final judgement.
Randy Abrams, the director of technical education at ESET, an Internet security company that has researched Stuxnet says that while the sophistication of the attack suggests a nation state could have been involved, that doesn't necessarily have to be the case.
He says it could have been a group of highly skilled people that had their own different agenda. "One possible motive for it could have been someone with a very strong understanding of these SCADA systems and strong technical skills, probably working with one or two other people, [who] wanted to draw attention to the fact that these SCADA systems are woefully unprotected and are vulnerable to attack," he said.
Adam Segal of the Council on Foreign Relations says that at this point the attack still raises more questions than it has answered and notes that it is hard to tell what the intended target may have been.
"Right now, the consensus seems to be that it was focused on these industrial systems in Iran, but we could several weeks from now find out that they were in fact focused on industrial systems in India, Pakistan or Indonesia where there seems to be this spread. I think at this point we are all just speculating, we just don't really know," he said.
Stuxnet Threatens Critical Infrastructure, More Security Needed
How the virus got into the systems such as those used at Iran's nuclear power plant is another big question. Most industrial control systems are air-gapped or not directly connected to the Internet. Cyber security analysts and researchers say that the most likely way the virus got into the SCADA systems at Iran's nuclear power plant was from a thumb drive.
"One potential way that it could have spread so quickly through so many countries and targeted SCADA systems is if the author or one of the perpetrators of the attack had simply gone to a SCADA convention, a conference, and inserted a thumb drive into the PC used for presentations because frequently at these conferences, each presenter will provide a USB key that has their presentation. And when you have a single PC like that, spreading through USB is child's play," Abrams said.
What is clear, most agree, is that the capabilities of Stuxnet pose a serious threat to those who operate industrial control systems and that operators as well as governments across the globe need to do more to boost security.
Sami Saydjari says what the public is beginning to see is much like what the world saw decades ago when nations raced to control space in the late 1950s after the launch of Sputnik, a race to gain the upper hand in cyber space.