Cyberattack: Stuxnet’s revelation
and Shodan’s window into vulnerability

In 2010, details began to emerge about a cyberattack on Iranian uranium-enrichment centrifuges, which drew worldwide attention to industrial control systems. The United States and Israel created the worm, according to a recent New York Times report, with the aim of disrupting the Islamic republic's nuclear program. Hackers inspired by the Stuxnet attack quickly discovered just how accessible many of the world's control systems were.

A team of hackers apparently designed and deployed Stuxnet, an extraordinarily sophisticated software "worm" with malicious code that exploited four zero days, the name given to previously unknown vulnerabilities.

The worm rapidly spread across the Internet, but most of the computers and systems infected were in Iran.

At the Iranian nuclear processing facility in Natanz, the worm was probably introduced into the computer network through an infected thumb drive, specialists say.

Stuxnet took command of a Siemens S7, an industrial control system.

Eventually, the affected S7 sent misleading data to monitors while directing uranium-enriching centrifuges to spin at speeds well beyond their tolerances. Hundreds apparently were damaged.

The Siemens S7 is a small box designed to control a wide variety of industrial machines and devices. Hackers have identified several vulnerabilities in its system.

Internet-connected devices, including the S7 and other control systems, were once largely invisible. However, a search engine, Shodan, has now made it possible to locate devices that are even loosely connected to the Internet. Shodan has found and mapped almost 100 million devices in the past three years.

Hackers have successfully entered, and sometimes manipulated, water- and sewer-treatment plants, particle accelerators and other systems.

Government and industry officials are scrambling to improve security of industrial control systems by creating layers of defense: stronger password protections and physical separations that cannot be breached by wireless connections.

GRAPHIC: Patterson Clark and Robert O'Harrow Jr. - The Washington Post. Published June 4, 2012.