In November 2010, Stuxnet attacked Iran's gas centrifuge nuclear fuel-enrichment program at Natanz. The cyberweapon infiltrated Natanz's industrial-control systems and ordered subsystems operating the centrifuge motors to spin too fast, making them fly apart, expert Ralph Langner told The Christian Science Monitor. The attack was made to resemble random breakdowns so plant operators would not realize a software weapon was behind it.
The newspaper said Stuxnet may have set back Iran's nuclear program for years.
While bigger software companies were frustrated, Langner, working in Hamburg, tested Stuxnet's "payload" code in his lab and labeled it a cyberweapon aimed at Iran's nuclear program, the Monitor said.
Langner speculated Stuxnet was launched by a technologically sophisticated nation such as the United States or Israel.
But in an interview with the newspaper, Langner warned with Stuxnet now downloadable from the Internet as a "blueprint," "any dumb hacker" can build and sell cyberweapons to terrorists who might want to put the lights out in a U.S. city or "release a toxic cloud."
"The most dangerous development is that [the U.S. Department of Homeland Security] and asset owners completely failed to identify and address the threat of copycat attacks. ... With every day [that] cyberweapon technology proliferates, the understanding of how Stuxnet works spreads more and more," Langner said. "All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares."
He adds, "There is no way to prevent the production and transfer of bits and bytes that can be transferred anywhere in the world by Internet. Arms control with satellite surveillance is impossible. ... So I'm afraid cyber-arms control won't be possible. That's why the best option we have to start to counter this threat is to start protecting our systems -- control systems, especially -- in important facilities like power, water and chemical facilities that process poisonous gases. Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don't have any significant level of cybersecurity for them."
All this would be costly, he said.