21st Sep 2021

'There's a computer worm in your nuclear centrifuge'

  • 'The idea behind the Stuxnet computer worm is simple: We don't want Iran to get the Bomb,' says Ralph Langner. (Photo: Wikipedia)

With the discovery of Stuxnet, a computer worm believed to have been developed by the US government to shut down a nuclear plant in Iran, European companies like Siemens are coming under increased pressure to secure software operating 'critical infrastructure' like power plants or water treatment facilities.

"The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the Bomb," Ralph Langner, the German cyber security expert who first discovered what the virus does said in March at a tech conference.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

Discovered in June 2010, Stuxnet is the first computer malware to specifically target only a certain type of industrial system - nuclear centrifuges - and is otherwise inoffensive.

Langner is convinced that the US government is behind this "very complex" piece of malware, which had around 15,000 lines of code to figure out.

While Stuxnet was designed to attack only Iranian centrifuges in Natanz which were using unauthorised copies of the Siemens software for nuclear plants, the German expert warns that it has created a precedent which, if replicated, could trigger a "cyber weapon of mass destruction".

"Unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan ... We have to face the consequences, and we better start to prepare right now," Langner told the audience.

His warning was echoed by the EU's cyber security agency (Enisa) who in October 2010 equated the discovery of Stuxnet to a "paradigm shift in threats and critical information infrastructure protection."

“After Stuxnet, the current prevailing philosophies on critical information infrastructure protection will have to be reconsidered. They should be developed to withstand these new types of sophisticated attack methods. Now, that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks," said Udo Helmbrecht, head of Enisa.

At the heart of the matter is the fact that the so-called supervisory control and data acquisition (Scada) programmes designed to operate valves, chemical pumps or to measure pressure in a sealed container, for instance in a water treatment plant, were not initially thought to be put on computers which also run Windows and are connected to the internet.

Luigi Auriemma, an IT security specialist who last month published a list of vulnerabilities and non-detected loopholes in Scada systems, told this website that "the problem is that there is a minor sense of security from their vendors. They think that a firewall is the solution to everything."

Firewalls are programmes designed to block unauthorised access, but Auriemma notes that their configuration capability is limited and that hackers can easily circumvent them, for instance by faking a trusted IP address.

Finding bugs in the software and pressing the vendors to fix them is to his mind the only solution. Germany's Siemens did fix a series of vulnerabilities detected by Auriemma in March, but that doesn't mean that their software is now attack-proof.

"There are only no known bugs available," the Italian says. Unlike other bug-hunters, Auriemma is publishing everything he finds, instead of going to the company first and waiting for them to fix it without releasing the details.

"I am for full disclosure because it forces the vendors to fix the bugs quickly. Bad guys already know them anyway. This is the first rule in security: What gets released is already known."

In the US, a computer emergency response team (ICS-CERT) has been set up by the government to respond to attacks on critical infrastructure. But in Europe, there is no equivalent

"So when a researcher decides to contact ICS-CERT and reports the bugs to them, the US is aware of security problems, but not the rest of the users of these programmes, including in Europe," he explains.

At the end of March, the EU commission tabled a few non-binding proposals on how to deal with this threat: an information sharing network among EU governments, a public-private partnership for "resilience" and pan-European exercises.

Iran opposition group criticises EU role in anti-nuclear effort

Despite strong US and European concern surrounding the Iranian regime of Mahmoud Ahmadinejad, laid bare this week by the WikiLeaks release of hundreds of US diplomatic cables, EU policy is off the mark and European governments are failing to provide support to internal opposition movements, the leader of one such group has said.

Europol wants to host EU cyber crime centre

The EU's joint policy body, Europol, is angling to host a new European cyber crime centre, with the European Commission due next year to decide where to put its new defence against online threats.

EU struggling to fight cyber crime

Faced with increasing cyber attacks, the EU is looking at a new law criminalising the use of 'zombie' computers and is setting up a 'cyber crime' agency and special teams of IT firefighters. But specialists and data privacy defenders remain unconvinced.

The EU and cyber security

Cloud computing, smartphones, viruses attacking nuclear plants. In the October Focus, the EUobserver turns its attention to cyber security and EU's attempts to set up rules for safer navigation on the internet.

EU companies banned from selling spyware to repressive regimes

European companies selling online surveillance technology have come under increasing criticism from NGOs and the European Parliament after it emerged their products had helped regimes in Iran, Egypt and Libya to clamp down on protesters.

Fraud against EU dropped 20% last year

There were a total of 1,056 fraudulent irregularities in 2020, with a combined financial impact of €371m. Currently, Cyprus, Denmark, Finland, Germany, Ireland, Netherlands, Slovenia and Spain do not have domestic anti-fraud plans.

Auditors slam EU Commission on green investments

The European Court of Auditors called for more consistent EU action on sustainable finance. The European Commission, by its own estimation, will need to invest €1 trillion a year to transition to a zero-carbon economy by 2050.

Stakeholders' Highlights

  1. Nordic Council of MinistersNATO Secretary General guest at the Session of the Nordic Council
  2. Nordic Council of MinistersCan you love whoever you want in care homes?
  3. Nordic Council of MinistersNineteen demands by Nordic young people to save biodiversity
  4. Nordic Council of MinistersSustainable public procurement is an effective way to achieve global goals
  5. Nordic Council of MinistersNordic Council enters into formal relations with European Parliament
  6. Nordic Council of MinistersWomen more active in violent extremist circles than first assumed

Latest News

  1. First refugee deaths confirmed on Belarus-EU border
  2. EU kept in dark on ex-commissioner's new lobby job
  3. Fraud against EU dropped 20% last year
  4. French outrage over US security deal exposes EU frustrations
  5. Auditors slam EU Commission on green investments
  6. Youth migration 'costing West Balkans up to €5.5bn a year'
  7. Central & Eastern Europe: What Merkel did for us
  8. Netherlands against more rights for rejected asylum-seekers

Join EUobserver

Support quality EU news

Join us