Friday

29th Mar 2024

'There's a computer worm in your nuclear centrifuge'

  • 'The idea behind the Stuxnet computer worm is simple: We don't want Iran to get the Bomb,' says Ralph Langner. (Photo: Wikipedia)

With the discovery of Stuxnet, a computer worm believed to have been developed by the US government to shut down a nuclear plant in Iran, European companies like Siemens are coming under increased pressure to secure software operating 'critical infrastructure' like power plants or water treatment facilities.

"The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the Bomb," Ralph Langner, the German cyber security expert who first discovered what the virus does, said in March at a tech conference.

Discovered in June 2010, Stuxnet is the first computer malware to specifically target only a certain type of industrial system - nuclear centrifuges - and is otherwise inoffensive.

Langner is convinced that the US government is behind this "very complex" piece of malware, which had around 15,000 lines of code to figure out.

While Stuxnet was designed to attack only Iranian centrifuges in Natanz which were using unauthorised copies of the Siemens software for nuclear plants, the German expert warns that it has created a precedent which, if replicated, could trigger a "cyber weapon of mass destruction".

"Unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan ... We have to face the consequences, and we better start to prepare right now," Langner told the audience.

His warning was echoed by the EU's cyber security agency (Enisa), which in October 2010 equated the discovery of Stuxnet to a "paradigm shift in threats and critical information infrastructure protection."

"After Stuxnet, the current prevailing philosophies on critical information infrastructure protection will have to be reconsidered. They should be developed to withstand these new types of sophisticated attack methods. Now that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks," said Udo Helmbrecht, head of Enisa.

At the heart of the matter is the fact that so-called supervisory control and data acquisition (Scada) programmes, designed to operate valves or chemical pumps or to measure pressure in a sealed container, for instance in a water treatment plant, were not initially meant to run on computers which also run Windows and are connected to the internet.

Luigi Auriemma, an IT security specialist who last month published a list of vulnerabilities and non-detected loopholes in Scada systems, told this website that "the problem is that there is a minor sense of security from their vendors. They think that a firewall is the solution to everything."

Firewalls are programmes designed to block unauthorised access, but Auriemma notes that their configuration capability is limited and that hackers can easily circumvent them, for instance by faking a trusted IP address.

Finding bugs in the software and pressing the vendors to fix them is to his mind the only solution. Germany's Siemens did fix a series of vulnerabilities detected by Auriemma in March, but that doesn't mean that their software is now attack-proof.

"There are only no known bugs available," the Italian says. Unlike other bug-hunters, Auriemma is publishing everything he finds, instead of going to the company first and waiting for them to fix it without releasing the details.

"I am for full disclosure because it forces the vendors to fix the bugs quickly. Bad guys already know them anyway. This is the first rule in security: What gets released is already known."

In the US, a computer emergency response team (ICS-CERT) has been set up by the government to respond to attacks on critical infrastructure. But in Europe, there is no equivalent.

"So when a researcher decides to contact ICS-CERT and reports the bugs to them, the US is aware of security problems, but not the rest of the users of these programmes, including in Europe," he explains.

At the end of March, the EU commission tabled a few non-binding proposals on how to deal with this threat: an information sharing network among EU governments, a public-private partnership for "resilience" and pan-European exercises.
