LONDON (Reuters) - An apparent cyber attack on Iran shows the vulnerability of critical national infrastructure systems to attack through widely used computer programs and imported technology.
Iranian officials said Sunday that the Stuxnet worm had infected staff computers at the Bushehr nuclear power plant but had not affected major systems there.
The worm utilizes security holes in Microsoft Windows and a key Siemens industrial control system. Security experts suspect it was a U.S. or Israeli attack on Iran’s nuclear program.
Below are some of the key implications.
GLOBAL WAKE-UP CALL
The high-profile nature of the Stuxnet story may itself fuel a growing cyber arms race involving both developed Western powers and emerging states, particularly China and Russia.
“The Stuxnet worm is a wake-up call to governments around the world,” said Derek Reveron, professor of national security and a cyber expert at the U.S. Naval War School in Rhode Island. “It is the first known worm to target industrial control systems and grants hackers vital control of vital public infrastructures like power plants, dams and chemical facilities.”
Reports suggest the worm was uploaded onto Iranian computers from a mobile flash drive, one of the tiny drives often used to transfer data between computers.
Supervisory Control and Data Acquisition (SCADA) systems used to control major infrastructure are often kept separate from the Internet for security reasons.
“Rethinking how removable media works is appropriate,” said Naval War College’s Reveron. “My college banned flash drives years ago because they are an easy way to introduce malicious code.”
The story shows how reliant Iran seems to be on Western software and equipment from firms such as Microsoft and Siemens, even if it may not always be a licensed user. That reliance on foreign equipment is itself a vulnerability, experts say.
But Western countries are also at risk of importing hidden cyber weapons inside technology from overseas, analysts warn. Many chips used to control essential infrastructure in the U.S. and Europe are made in countries that are potential adversaries, such as China.
“Given the nature of this attack... the Iranian and Western governments would be well advised to perform an in-depth inspection,” said Control Risks security expert Ian McGurk.
While most experts agree Iran was the likely main target — and some estimates suggest 60 percent of computers affected are inside the country — there has been much wider collateral damage as the worm spread around the world. India in particular has been affected.
“In some senses, cyber attacks, like biological attacks, are very difficult to control,” said Reveron. “If a government were to launch a cyber attack, the potential for ‘fratricide’ is very great.”
Asked if it might be the U.S., cybersecurity expert James Lewis at the Center for Strategic and International Studies in Washington said: “It could be.”
“But how about the Israelis?” he continued. “They’re good. It could be the Brits. They’re good. It could be the Russians or the Chinese for some weird reason.”
U.S. Naval War College’s Reveron said it was possible it could have been done by a group outside a government.
“Symantec estimated that fewer than 10 people working over six months could have written it,” he said, referring to the respected tech security firm that initially tied the worm to an attack on Iran. “When it comes to cyber issues, governments trail behind private industry and nonstate actors.”
Additional reporting by Diane Bartz