Dave Clemente
(Former Chatham House Expert)

Recent news that Iranian nuclear infrastructure was targeted by malicious computer software comes as no great surprise. There are numerous countries that wish to deter Iran's nuclear ambitions. However, the sheer sophistication of the Stuxnet worm has captured the attention of security experts and government officials around the world. Most commentary has focused on the technical skill required, but of particular interest is how this incident highlights the manner in which dependency can lead to vulnerability.

The Stuxnet worm broke through a number of highly secretive and valuable computer 'back doors' to access its target, believed to be the Bushehr nuclear reactor or the Natanz uranium enrichment plant. These plants, like many others, use industrial control systems known as SCADA (supervisory control and data acquisition). Though the unique and proprietary nature of these systems serves as a measure of protection, and is bolstered by tightly controlled physical and internet access, this recent attack demonstrates that degrees of vulnerability do exist. It must also be remembered that the attack was not delivered by a hacker sitting in front of a screen; it was injected into a computer through a USB stick guided by human hands. This method of delivery was only made possible by an insider, which points the finger more strongly towards nation state involvement.

For both the public and private sectors this raises the awkward question of dependency - upon foreign software, hardware, engineering, and technical expertise - that could lead to vulnerability in a critical system. The Iranians are heavily reliant upon others to build and maintain their complex nuclear infrastructure, and the Stuxnet attack was made possible by a combination of these dependencies. No state builds all its own computer components, so to a certain extent every country around the world is vulnerable to similar attacks, were it to face an equally skilled and motivated adversary.

Security professionals monitoring computerised industrial plants (refineries, factories, power plants) around the world could be forgiven a bit of panic. Recent accounts suggest that Stuxnet was more than a tool of espionage, and was designed to be a targeted cyber weapon, one that could infiltrate control systems and reprogram vital operating functions, perhaps tampering with a turbine, pressure valve or cooling system. It appears that this particular cyber weapon had one primary function, to trigger the self-destruction of its target in the physical world. Previously this capability has received a great deal of attention and speculation, but until now has not been demonstrated. Though the extent of the damage remains unclear, the Iranian enrichment process has suffered unexplained setbacks in the past year.

Governments would be wise to wake up and take notice of this attack and its lessons. The Iranian nuclear facilities are extremely isolated with tightly controlled access. Though ringed with safeguards, critical national infrastructure around the world is generally more accessible than the Iranian sites (both physically and electronically) and therefore more vulnerable. Very few nation states or corporate entities, perhaps only a handful, are capable of mustering the resources needed to guide this particular weapon from creation to destruction. The Stuxnet worm demonstrates that with enough time and resources even a highly isolated target can be compromised.

Dependency on computer networks to perform complex tasks and control sensitive systems continues to grow. The human element remains an enduring avenue of weakness, and one which no technical solution will fully resolve. Agility and robust risk management strategies are required to keep these dependencies from morphing into vulnerabilities, and there is substantial work to be done in this arena. Government ministers and captains of industry beware: the pointy end of cyber warfare just got a lot sharper.

