Several journalists have asked whether the attackers could have intercepted some of the control system shipments bound for Iran, installed Stuxnet on the controllers, and sent them on their way to Natanz again. After all, intercepting hardware in transit is a known sabotage technique that has been used before.

[Figure: intercept-infect-infiltrate]

While that is possible, it doesn't make sense for the controllers themselves: new controllers are fully configured by local engineers during commissioning, and downloading the project from the engineering station overwrites whatever was loaded on the controller before. That does not, however, invalidate the intercept scenario as such. For years, Siemens has delivered license keys on USB sticks. When you purchase a license for the Simatic Manager engineering software, you get a license key on a USB stick along with the distribution medium (CD). You have to plug that USB stick into the engineering station in order to install the software. Infecting the license keys from an intercepted shipment would guarantee that the malware ends up on good targets, engineering stations, from which it can spread further. We don't say that this is the way it happened; we just say this is a valid scenario.
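As an added illustration, not code from the original post or from Siemens, here is the defensive counterpart to this scenario: before a vendor-shipped medium touches an engineering station, compare its contents against a manifest of file hashes obtained from the vendor through a separate channel (a manifest that travels in the same box can be swapped by the same interceptor), and flag anything the manifest does not account for. The manifest format (the sha256sum "digest  path" layout), the mock license stick the script builds in a temporary directory, and the list of file names and extensions treated as suspicious are all assumptions made for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Generic heuristics for things that should never appear on a vendor license medium.
# autorun.inf and shortcut/executable files are flagged because removable media has
# historically been abused through both; this list is an assumption for the example.
SUSPICIOUS_NAMES = {"autorun.inf"}
SUSPICIOUS_SUFFIXES = {".lnk", ".exe", ".dll", ".sys", ".scr", ".vbs", ".bat", ".cmd"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse a 'sha256  relative/path' manifest (sha256sum layout) into {path: digest}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        manifest[rel.strip()] = digest.lower()
    return manifest


def audit_medium(root, manifest: dict) -> dict:
    """Compare every file on the medium against the out-of-band manifest.

    Returns files that are missing (listed but absent), modified (hash mismatch),
    unexpected (present but not listed) and suspicious (autorun/shortcut/executable).
    """
    root = Path(root)
    findings = {"missing": [], "modified": [], "unexpected": [], "suspicious": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            findings["unexpected"].append(rel)
        elif sha256_of(path) != expected:
            findings["modified"].append(rel)
        if path.name.lower() in SUSPICIOUS_NAMES or path.suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings["suspicious"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings


def medium_is_clean(findings: dict) -> bool:
    """True only if nothing is missing, modified, unexpected or suspicious."""
    return not any(findings.values())


def build_demo_medium(tampered: bool):
    """Constructed sample data: a mock license stick in a temp directory plus the
    manifest the vendor would have published for it. With tampered=True the stick has
    been altered in transit: one file modified, two files dropped, one file removed."""
    root = Path(tempfile.mkdtemp(prefix="license_usb_"))
    (root / "keys").mkdir()
    genuine = {
        "readme.txt": b"License key medium for the engineering software\n",
        "keys/license.dat": b"ORIGINAL-LICENSE-KEY-BLOB\n",
        "keys/vendor.txt": b"vendor contact\n",
    }
    for rel, data in genuine.items():
        (root / rel).write_bytes(data)
    # The manifest is computed from the genuine content, i.e. before any tampering.
    manifest_text = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in genuine.items()
    )
    if tampered:
        (root / "keys" / "license.dat").write_bytes(b"ORIGINAL-LICENSE-KEY-BLOB\n" + b"\x90" * 16)
        (root / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.lnk\n")
        (root / "setup.lnk").write_bytes(b"constructed placeholder, not a real shortcut\n")
        (root / "keys" / "vendor.txt").unlink()
    return root, manifest_text


if __name__ == "__main__":
    for tampered in (False, True):
        root, manifest_text = build_demo_medium(tampered)
        findings = audit_medium(root, parse_manifest(manifest_text))
        label = "tampered" if tampered else "genuine"
        print(label, "->", "CLEAN" if medium_is_clean(findings) else findings)
```

Run the audit from a hardened, non-networked scanning host rather than the engineering station itself; the point is that the medium is untrusted until the check passes, and a manifest pulled from the vendor's web site or sent by e-mail counts as the separate channel the check depends on.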

Note: Eric Byres, Andrew Ginter and Joel Langill have just released a very good joint white paper on infection paths.