Iran’s state news agency reported on 26 September that the bug, known as Stuxnet, had infected computers at the country’s Bushehr nuclear power plant. The Iranian government is said to have denied the report.
But information security experts say the threat is real, and sightings of the Stuxnet worm have been reported across Europe and around the world.
According to Stephen Wolthusen, a researcher in the Information Security Group at Royal Holloway, University of London, Stuxnet is different to viruses that attack normal PCs. This is the first kind of malware that can infiltrate the system that controls industrial equipment such as sensors, actuators, pumps and valves.
The system, which is called a programmable logic controller (PLC), runs supervisory control and data-acquisition (SCADA) software. Such computerised control systems are the backbone of industrial automation.
Wolthusen said that if these systems are compromised, there could be a variety of worst-case scenarios, ranging from power plants switching off to explosions in the oil and gas industry.
‘It’s very easy to come up with some kind of doomsday scenario,’ he said. ‘So far we’ve just been incredibly lucky.’
Wolthusen said Europe’s ageing nuclear power plants will be mostly resilient to the digital virus because most safety-critical components are run on analogue technology.
It is believed that the virus made its way into the Iranian nuclear plant via a USB stick. Wolthusen said the Stuxnet authors designed the virus to exploit vulnerabilities in Microsoft Windows to give remote hackers the ability to introduce malicious code into a popular PLC manufactured by Siemens.