Mark Clayton
Christian Science Monitor
February 25, 2014
One enduring mystery about Stuxnet, the first cyberweapon the world has known, is this: Just how did that “digital missile” infiltrate Iran’s secret Natanz nuclear fuel-enrichment facility in the first place?
A new thesis about that, to be outlined Tuesday at a security conference in San Francisco, points to a vulnerability in the Iranian facility’s supply chain – and may hold lessons for owners of critical infrastructure in the US concerning how to guard their own industrial equipment against cyberattack.
Presented by Critical Intelligence, a cyber security firm based in Idaho Falls, Idaho, the tale of cyber infiltration comes nearly four years after the covert operation was discovered. It’s already been fairly well documented that the United States and Israel created the Stuxnet worm, which ultimately infected and destroyed about 1,000 fuel-refining centrifuges at Natanz. The surreptitious attack sowed confusion within Iran’s uranium-fuel-enrichment program, which the US suspects is aimed at creating a nuclear bomb, and delayed it for years.
But how did Stuxnet get in there? As early as 2004, US intelligence agencies identified an Iranian company, NEDA Industrial Group, that had oversight of the Natanz facility’s computerized industrial control systems, says the Critical Intelligence report, citing documents gleaned from federal court cases, leaked State Department cables, and nuclear proliferation reports.
Documents suggest that the US was monitoring NEDA’s efforts to procure components that may be needed for a nuclear weapons program, says Sean McBride, lead author of the report and director of analysis for Critical Intelligence. The report is the first to name NEDA in connection with Stuxnet.
The US, he maintains, had identified NEDA as Iran’s leading expert in the Siemens Step 7 software used throughout Iran’s nuclear program, including its centrifuge fuel-refining system. Then, probably in 2008, the US targeted industrial control systems equipment that NEDA had ordered from suppliers overseas.
Leaked State Department cables posted on the WikiLeaks website show the US at that time to have been seeking to intercept shipments of equipment headed to Iran.
“It’s my contention that the evidence shows the US targeted the leading Siemens control systems integrator for Natanz – and that was NEDA,” Mr. McBride says in a phone interview. “NEDA would have had all the plans for just how the Natanz system was going to be set up, the proper centrifuge speeds, when they would be turned on and off. The company had all the key information the US needed to write Stuxnet – and then a way to get the worm into Natanz.”
Sometime around 2008, computerized industrial control system equipment bound for Iran was intercepted, and Stuxnet or other malware was installed on it before it was sent on its way, McBride posits.
His thesis runs contrary to prevailing theories that a spy used a memory stick, or “thumb drive,” to introduce Stuxnet into the network. Rather, NEDA engineers unwittingly installed infected workstations or other equipment, which then proceeded to infect all of Natanz’s systems, McBride says.
Among the report’s findings are online documents showing that NEDA was involved in industrial control systems work in Iran. They include archived files in which an Iranian control systems engineer, identified only as “Behrooz,” asks on an online Siemens support forum for help dealing with an unspecified virus that he says had infected all the machines in his company’s network.