More and more details of the Stuxnet malware and its purpose become clear. Stuxnet appears to be the first real cyber warfare attack in history, with “real” meaning that the virus caused physical destruction of heavily fortified military targets, some of them buried 75 feet underground. Plans had been made to destroy these targets by air strikes when it became clear that sanctions alone would not stop Tehran on its way to nuclear weapon capability. Both Israel and the United States had not only planned for military action, but, in the case of Israel, even done rehearsals.

Iran’s president Ahmadinejad himself confirmed on November 29, 2010 that uranium enrichment centrifuges had been damaged by Stuxnet. The Bushehr nuclear power plant that was scheduled to go operational on August 21, 2010, did not – because of “technical problems”. Since the official explanation of what these problems are (first, it was “severe hot weather”, thereafter “a leak”) seem to be blunt attempts to fool the public, it can be suspected that Stuxnet is also responsible for Bushehr’s delay. Iran confirmed on September 25, 2010 that computer systems in the Bushehr nuclear power plant were infected by Stuxnet.

If we assume that Stuxnet managed to severely damage the steam turbine in the Bushehr nuclear power plant, repairing or replacing that turbine may cost a significant amount of money (up to several million dollars). The material damage on the centrifuges depends on how many centrifuges have been destroyed. Presently it looks like more than 1,000 centrifuges have been damaged in the Natanz facility alone, with unknown damage in Fordow and, certainly, in any unknown centrifuge plants. All this translates to another multi-million dollar damage. And replacing the damaged parts takes time. Parts for gas centrifuges and power plant turbines cannot be ordered on Ebay. They won’t be delivered by UPS overnight, but in some cases through complex smuggling networks. Getting new parts on site may take many months; in the case of the steam turbine probably over a year. During this timeframe, the Iranian nuclear program is severely crippled.

But the situation is even worse for Tehran. After having discovered Stuxnet on their control systems, the only reasonable course of action is to shut down the affected plants until all systems have been cleaned up, which appears to be the simple reason why Iran halted production in Natanz last month, shortly before admitting being hit by Stuxnet. And cleaning up systems from Stuxnet can take a long, long time. We have clients that are infected with Stuxnet and need several months to get rid of the virus. However, here we’re talking about European corporations with efficient IT operations and well-trained staff, along with a decent level of documentation and discipline. All this cannot be assumed for the situation in Iran. It can be estimated that the process of cleaning Stuxnet from all infected systems in the Iranian nuclear program, including the systems of contractors with site access, will take about a year. With an obvious lack in IT security posture, the best course of action for Tehran would be to simply scrap all computer systems involved – including those from contractors. All in all, a delay of the nuclear program of approximately two years should be expected. For the attackers, this would translate to “mission accomplished”.

According to David Sanger from the New York Times, an Israeli military official had estimated that an air strike against the Iranian nuclear program would cause a delay of two or three years. So it looks like Stuxnet achieved pretty much what an air strike would have achieved, only at much less cost, without known fatalities, and without a full-blown war in the Middle East. We have estimated that the development cost of Stuxnet is around ten million dollars. The cost of an air strike would have been a multiple, only counting material, not fatalities and injuries. A modern fighter jet has an acquisition cost around 30$ million. Assuming that only one fighter jet would have been lost in a military campaign against Iran is certainly naïve; there would have been several. And there would have been many dead bodies and many injured, significant destruction by Iranian missiles fired in retaliation, and a huge amount of collateral damage just by the oil price jumping.

All this didn’t happen with Stuxnet. Even though Stuxnet is the most expensive piece of malware in history, in military terms it was a bargain. In 2007, US Congress approved a budget of up to 400$ million for covert operations against the Iranian nuclear program. Assumed that operation Myrtus was part of that effort, it barely showed up in the books. And that’s the simple reason why we will see similar cyber attacks in the future. Many reporters who interviewed me expressed concern about this new era of cyber warfare. Well, if the alternative is conventional military strikes with explosives or maybe even weapons of mass destruction, cyber strikes might be the better deal, not only for the attacker, but especially for the attacked.

However, there is at least one reason why we shouldn’t embrace cyber warfare. Unlike bombs, missiles, and guns, cyber weapons can be copied. The proliferation of cyber weapons cannot be controlled. Stuxnet-inspired weapons and weapon technology will soon be in the hands of rogue nation states, terrorists, organized crime, and legions of leisure hackers, some of whom are just waiting for a better thrill than World of Warcraft. This is a very distinctive difference to conventional (hardware) weapons. Even if it is known, for example, how nuclear weapons are built, not everybody who wants to possess them is capable of developing or even acquiring such weapons. For cyber weapons, this will be different. Cyber weapons can and will be copied, reused, and will be available for cheap money on the Internet. At some point in time, they will even be available as freeware.

Such Stuxnet-inspired weapons will soon look different from the original. Stuxnet was precisely designed for surgical attacks on distinct targets. It is obvious from code analysis that the attackers had access to internal product and installation details, and the engineering talent to turn such technological insight into sophistically engineered attacks. There is absolutely no reason to assume that follow-up attackers will follow the same philosophy. Just to the contrary, other attackers will most likely not invest the engineering effort for similar pinpoint attacks. It is much more likely that we are going to see “dirty” digital bombs in the wake of Stuxnet, meaning bombs that hit without nearly the precision as we see it in Stuxnet. The real concerning threat of cyber weapons is not a surgical military strike as we have just seen it with Stuxnet, it is the dirty digital bomb. The dirty digital bomb is a cyber weapon that inflicts low to medium damage to a large number of random targets. It doesn’t require experts. Any idiot can assemble and use it. And while the individual damage that such dirty digital bombs can cause may not nearly be as big as in Stuxnet’s case, what makes them even more dangerous is the fact that small damage in many power plants may be worse than big damage in one specific power plant; small damage at many automotive suppliers may be worse than big damage at one specific car maker.

One aspect that has often been ignored in discussions about critical infrastructure protection is that in industrialized nations, targets for Stuxnet-inspired attacks extend deep into the private sector. For example, some economies depend to a large degree on few highly automated industries, such as Germany on its automotive industry. Even though responsible for a large portion of Germany’s wealth, this industry is quite fragile. It depends on complex supply chains that must work near real-time, with buffers cut away for cost reduction. Just-in-time and just-in-sequence not only mean big savings because so many storage facilities are no longer needed, it also means a very high dependency on few suppliers. It is no secret and has often been exploited by labor unions that because of the fragility of this system, disruptions of few elements can cause big problems, very much comparable to outages of power plants. For Germany, hitting the automotive industry hard by a cyber strike could even be worse than a power plant outage.

So even though it is not the best time of the year for bad news, we have to face the fact that the pure existence of the Stuxnet code in the Internet, ready for download and dissemination by anyone, creates a national security threat for highly industrialized nations, most notably for the United States and Germany. The economy and public life of these nations is highly dependent on undisturbed operation of the exact controller types that are attacked by Stuxnet. An ICS-CERT advisory on Stuxnet from August 2, 2010 states: “These products are widely used in many critical infrastructure sectors.” In Germany, they can even be found in almost every factory. With so plenty appealing targets in sight, it would be highly naïve to assume that rogue nation states, terrorists, and organized crime would miss the opportunity to re-use Stuxnet’s digital weapon technology, especially after it had proven so effective. If we account the risk of such follow-up attacks as collateral damage from Stuxnet, the cyber warfare approach no longer looks so smart and efficient after all.

Ralph Langner