Gholamreza Jalali, head of Iran’s civilian defense, accused Siemens of providing technical assistance and sample code for the Siemens-build SCADA systems that control the centrifuges and other critical systems at the Bushehr nuclear power plant. Windows-based PCs controlling the systems were among more than 60,000 in Iran struck and damaged in 2010 by what security experts said was a carefully designed and directed virus attack. Iranian government officials blame the United States and Israel for the attack. The German Siemens is now, apparently, an accomplice, though Jalali offered no specifics on why he believed Siemens cooperated with those who directed Stuxnet, or more evidence that it was the U.S. and Israel that did it.
“Our executive officials should legally follow up the case of Siemens SCADA software which prepared the ground for the Stuxnet virus,” he told the told Iranian news services. Russia’s ambassador to NATO has also demanded investigations into the malware attack, warning that it could have sparked a “Chernobyl tragedy” by causing centrifuges refining uranium to spin out of control. Israel admitted it did test the Stuxnet virus after it was identified, but officials from both Israel and the United States have denied any direct involvement. Both Israeli and U.S. officials have acted suspiciously smug about the attack, which sounds like an admission of guilt. There is no hard evidence confirming that, however.
The attack was more than just script kiddies looking for new things to brag about, though.
Not only is Stuxnet reputedly one of the most sophisticated and effective attack programs, according to some of those who have dissected it, it appears to have been part of a larger campaign in which two Iranian nuclear scientists were murdered and another critically injured.
Given the stakes (nuclear), Iran’s resolve to take revenge in kind (cyber-militia) and heightened tensions in the region (several decades worth), it’s Jalali is actually dialing down the rhetoric by calling for legal avenues of counter-attack rather than something bloodier.
On the other hand, an anonymous hacker who claims he or she was taking revenge for an “illegitimate firing” claims to have penetrated security of the giant wind farm run by a Florida electrical utility.
“Bgr R” claims to have found a weakness in Cisco security management software used it to hack into the SCADA systems used to control the turbines on a 200 megawatt wind turbine system outside Albuquerque, New Mexico owned by Florida Power & Light subsidiary NextEra Energy Resources.
NextEra said it has no evidence of having been hacked, and no damage to show for it.
In an email interview with IDG News, Big R showed screenshots as evidence of the penetration, which looked legitimate enough to cast doubt on the claim being a hoax, but didn’t offer conclusive proof.
Stuxnet was the first concerted attack on the kind of public utilities and facilities that could create disasters in the real world as well as the digital one.
A wind farm doesn’t have the same kind of risk potential. And this one might not even have been hacked.
If the next phase of computer insecurity is a series of sudden blackouts, brownouts, traffic-system outages, obscene messages on digital highway-construction signs and the like, I doubt anyone’s going to enjoy the advance of digital violence into meatspace.