26th Sep 2022

'There's a computer worm in your nuclear centrifuge'

  • 'The idea behind the Stuxnet computer worm is simple: We don't want Iran to get the Bomb,' says Ralph Langner. (Photo: Wikipedia)

With the discovery of Stuxnet, a computer worm believed to have been developed by the US government to shut down a nuclear plant in Iran, European companies like Siemens are coming under increased pressure to secure software operating 'critical infrastructure' like power plants or water treatment facilities.

"The idea behind the Stuxnet computer worm is actually quite simple. We don't want Iran to get the Bomb," Ralph Langner, the German cyber security expert who first discovered what the virus does said in March at a tech conference.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

Discovered in June 2010, Stuxnet is the first computer malware to specifically target only a certain type of industrial system - nuclear centrifuges - and is otherwise inoffensive.

Langner is convinced that the US government is behind this "very complex" piece of malware, which had around 15,000 lines of code to figure out.

While Stuxnet was designed to attack only Iranian centrifuges in Natanz which were using unauthorised copies of the Siemens software for nuclear plants, the German expert warns that it has created a precedent which, if replicated, could trigger a "cyber weapon of mass destruction".

"Unfortunately, the biggest number of targets for such attacks are not in the Middle East. They're in the United States and Europe and in Japan ... We have to face the consequences, and we better start to prepare right now," Langner told the audience.

His warning was echoed by the EU's cyber security agency (Enisa) who in October 2010 equated the discovery of Stuxnet to a "paradigm shift in threats and critical information infrastructure protection."

“After Stuxnet, the current prevailing philosophies on critical information infrastructure protection will have to be reconsidered. They should be developed to withstand these new types of sophisticated attack methods. Now, that Stuxnet and its implemented principles have become public, we may see more of these kinds of attacks," said Udo Helmbrecht, head of Enisa.

At the heart of the matter is the fact that the so-called supervisory control and data acquisition (Scada) programmes designed to operate valves, chemical pumps or to measure pressure in a sealed container, for instance in a water treatment plant, were not initially thought to be put on computers which also run Windows and are connected to the internet.

Luigi Auriemma, an IT security specialist who last month published a list of vulnerabilities and non-detected loopholes in Scada systems, told this website that "the problem is that there is a minor sense of security from their vendors. They think that a firewall is the solution to everything."

Firewalls are programmes designed to block unauthorised access, but Auriemma notes that their configuration capability is limited and that hackers can easily circumvent them, for instance by faking a trusted IP address.

Finding bugs in the software and pressing the vendors to fix them is to his mind the only solution. Germany's Siemens did fix a series of vulnerabilities detected by Auriemma in March, but that doesn't mean that their software is now attack-proof.

"There are only no known bugs available," the Italian says. Unlike other bug-hunters, Auriemma is publishing everything he finds, instead of going to the company first and waiting for them to fix it without releasing the details.

"I am for full disclosure because it forces the vendors to fix the bugs quickly. Bad guys already know them anyway. This is the first rule in security: What gets released is already known."

In the US, a computer emergency response team (ICS-CERT) has been set up by the government to respond to attacks on critical infrastructure. But in Europe, there is no equivalent

"So when a researcher decides to contact ICS-CERT and reports the bugs to them, the US is aware of security problems, but not the rest of the users of these programmes, including in Europe," he explains.

At the end of March, the EU commission tabled a few non-binding proposals on how to deal with this threat: an information sharing network among EU governments, a public-private partnership for "resilience" and pan-European exercises.

Iran opposition group criticises EU role in anti-nuclear effort

Despite strong US and European concern surrounding the Iranian regime of Mahmoud Ahmadinejad, laid bare this week by the WikiLeaks release of hundreds of US diplomatic cables, EU policy is off the mark and European governments are failing to provide support to internal opposition movements, the leader of one such group has said.

Cyber-risk from Internet of Things prompts new EU rules

With evermore connected devices on the market, new EU rules aim to minimise cybersecurity risks from innocuous household appliances and industrial operating systems — amid concern over the increasing number of cyberattacks and their cost for companies.

EU parliament spyware inquiry eyes Italian firms

An investigation by Lighthouse Reports and media partners including EUobserver found Italian firms Tykelab and RCS Lab were using surreptitious phone network attacks and sophisticated spyware against targets. The findings have spiked the interest of MEPs already probing spyware abuse.


NSO surveillance rival operating in EU

As European Parliament hearings into hacking scandals resume this week, an investigation led by Lighthouse Reports with EUobserver, Der Spiegel, Domani and Irpimedia reveals the unreported scale of operations at a shady European surveillance outfit.


The Greek Watergate

In the European Parliament hearing into espionage against Greek politicians and reporters, the spied-upon journalists recounted their experiences — but the non-answers provided by the Greek government official were embarrassing, confrontative, and institutionally vacant.


NSO surveillance rival operating in EU

As European Parliament hearings into hacking scandals resume this week, an investigation led by Lighthouse Reports with EUobserver, Der Spiegel, Domani and Irpimedia reveals the unreported scale of operations at a shady European surveillance outfit.

News in Brief

  1. Confirmed: EU drops call for 'independent' Abu Akleh probe
  2. EU plan to stop firework abuse in football stadiums
  3. More Russians now crossing Finnish land border
  4. Report: EU to propose €584bn energy grid upgrade plan
  5. Morocco snubs Left MEPs probing asylum-seeker deaths
  6. EU urges calm after Putin's nuclear threat
  7. Council of Europe rejects Ukraine 'at gunpoint' referendums
  8. Lithuania raises army alert level after Russia's military call-up

Stakeholders' Highlights

  1. UNESDA - Soft Drinks EuropeCall for EU action – SMEs in the beverage industry call for fairer access to recycled material
  2. Nordic Council of MinistersNordic prime ministers: “We will deepen co-operation on defence”
  3. EFBWW – EFBH – FETBBConstruction workers can check wages and working conditions in 36 countries
  4. Nordic Council of MinistersNordic and Canadian ministers join forces to combat harmful content online
  5. European Centre for Press and Media FreedomEuropean Anti-SLAPP Conference 2022
  6. Nordic Council of MinistersNordic ministers write to EU about new food labelling

Latest News

  1. Europe's far-right celebrates Meloni victory
  2. EU mulls more police powers for west Africa missions
  3. EU fight on illegal fishing must move from paper to online
  4. EU adding Bahamas to tax-haven blacklist
  5. Czech presidency proposes fossil-fuel tax compromise
  6. Ukraine's cyber resistance is impressive - but hard to replicate
  7. 'Grazie Italia': Far-right wins power in Rome
  8. How the EU is failing to help the hippo

Join EUobserver

Support quality EU news

Join us