
Image: Vincent LaForet Redux Pictures
In Brief
- Every facet of the modern electrical grid is controlled by computers. It is our greatest example of physical infrastructure interlinked with electronics.
- The Stuxnet virus that infected Iran’s nuclear program showed just how vulnerable machines could be to a well-crafted electronic virus.
- The grid shares many of the vulnerabilities that Stuxnet exposed; being larger, its vulnerabilities are, if anything, more numerous.
- Although a sophisticated attack could bring down a large chunk of the U.S. electrical grid, security is being ramped up.
Last year word broke of a computer virus that had managed to slip into Iran’s highly secure nuclear enrichment facilities. Most viruses multiply without prejudice, but the Stuxnet virus had a specific target in its sights—one that is not connected to the Internet. Stuxnet was planted on a USB stick that was handed to an unsuspecting technician, who plugged it into a computer at a secure facility. Once inside, the virus spread silently for months, searching for a computer that was connected to a prosaic piece of machinery: a programmable logic controller, a special-purpose collection of microelectronics that commonly controls the cogs of industry—valves, gears, motors and switches. When Stuxnet identified its prey, it slipped in, unnoticed, and seized control.
The targeted controllers were attached to the centrifuges at the heart of Iran’s nuclear ambitions. Thousands of these centrifuges are needed to process uranium ore into the highly enriched uranium needed to create a nuclear weapon. Under normal operating conditions, the centrifuges spin so fast that their outer edges travel just below the speed of sound. Stuxnet bumped this speed up to nearly 1,000 miles per hour, past the point where the rotor would likely fly apart, according to a December report by the Institute for Science and International Security. At the same time, Stuxnet sent false signals to control systems indicating that everything was normal. Although the total extent of the damage to Iran’s nuclear program remains unclear, the report notes that Iran had to replace about 1,000 centrifuges at its Natanz enrichment facility in late 2009 or early 2010.
This article was originally published with the title Hacking the Lights Out.




4 Comments
The only mention of Linux in the article implies that it is equally insecure as Windows. Yet the computer attacks mentioned in the article are attributed only to Windows technologies (AUTOEXEC.BAT and the Stuxnet virus, for example).
I have trouble believing that Linux is equally insecure as Windows when several independent studies (the truly independent studies, not the "independent" studies funded by Microsoft) suggest that is far from true.
Since the only mention of Linux in the article seems to be intended to tear down its reputation to be on par with Windows, I can only assume the author has some ties to the twice-convicted antitrust violating company in Redmond.
The author needs to either disclose his relationship with Microsoft and its affiliates, or provide equally compelling examples of the insecurity of the Linux operating system as were provided for Windows in the article. I believe the latter will be difficult to accomplish.
Ultimately the integrity of the author and of Scientific American is at stake here. This is the second time in the past two years an article in S.A. has inexplicably disparaged Linux.
If these are truly errors resulting from ignorance of the differences in architecture, design and development models between Windows and Linux, I strongly urge the author and editors at S.A. to educate yourselves. To those who understand these differences, you look extremely foolish.
I'm the author. I have no affiliation with Microsoft, have never had any support of any kind from Microsoft. In my entire professional career my personal computers have always been Unix based.
The single reference to Linux in this article is in the sentence: "Most of these computers use common operating systems such as Windows and Linux, which makes them as vulnerable to malware as your desktop PC is."
A comparison between the relative security of Windows OS and Linux is not intended, nor, frankly, derivable from that single reference to Linux.
Between the two OS systems Linux is much easier to secure and control. It comes with open source that allows engineers to close down or secure ports. Windows has always been easier to exploit and IE is especially a target for all hackers. With Linux or Unix the engineer can pick and choose which modules to allow, who has access to the ports and what level of security they are allowed.
The bigger issue is the creation of the USB flash memory which are very concealable and can be inserted in between a normal USB device (keyboard, mouse etc) but in a client server environment the damage can be contained to the client and the server can be programmed to look for things that have changed dates, size or CRCs.
I would be much more comfortable in a UNIX environment but Linux is a suitable alternative as long as the engineers do the builds and control the builds.
I just read this article and was likewise upset to see Linux mentioned when in fact it was in no way implicated in the Stuxnet attacks, nor could it be as any technically savvy person would know. Why is Linux mentioned in this sentence or article at all? I suspected some sinister Redmond connection, as Mr. Nicol has denied -- or benign incompetence, but Mr. Nicol claims a long history of Unix experience. It leaves me baffled - why the mention in this sentence, perhaps some editorial pressure so the article doesn't look like (well deserved) Windows bashing?
Anyone in the IT field knows (or should know) that Windows and Linux are worlds apart as far as security issues. To mention them in the same sentence is like mentioning General Motors and BMW in the same sentence as automakers, then to go on with a long article about some blatant problem with a GM product - it most certainly makes an implication.