Rohit Deshpande is a Post Graduate Researcher at the Department of Geopolitics and International Relations, Manipal Academy of Higher Education, India
The ‘Stuxnet’ attack of 2010 on Iran’s Natanz nuclear facility was a watershed moment in the evolution of cyber warfare. For the first time in history, a cyber-attack had resulted in real-world physical damage to a nation’s critical infrastructure. The attack was planned at a time when the US was running out of options for constraining the growth of Iran’s nuclear program. Iran’s inexorable march towards weapons-grade enrichment was proving difficult for the US and its partners to stop. Stuxnet was later speculated to have been created as part of a joint U.S. and Israeli intelligence operation known as ‘Olympic Games’. The impetus for ‘Olympic Games’ dates back to 2006, when President George W. Bush saw few good options in dealing with Iran. At the time, America’s European allies were divided about the cost that imposing sanctions on Iran would have on their own economies. The pressure on the US to take action was increasing by the day, both from within and from its allies in West Asia. Some in the US administration were advocating a military strike, but this would have proven economically unviable and would also have contributed to the growing anti-American sentiment in the region. Amongst the various options being contemplated was an offbeat idea that had never been tried before.
The idea of using a cyber-weapon to cause damage equivalent to a conventional air strike was the brainchild of General James E. Cartwright, who presented it to President Bush. The meticulously planned attack was implemented in two stages. At first, agents on the ground had to find a way to insert ‘beacons’ into Iran’s Natanz nuclear enrichment facility through any means possible. These ‘beacons’ were computer code that would map out the electrical blueprint of the facility and relay the information back to headquarters. This stage took months to come to fruition, and when the beacons had done their job, the second stage of the project came into effect. Using details obtained from the first stage, a sophisticated, tailor-made virus was designed to compromise the security of a specific target. In this case it was a SCADA (Supervisory Control and Data Acquisition) system made by the German manufacturer Siemens. A New York Times report had claimed that the CIA had tried to sabotage Iran’s nuclear program by introducing faulty parts into the systems. This probably did not yield the desired results, and therefore the Bush administration decided to up the ante. The worm introduced into the system in Natanz successfully disrupted the functioning of the centrifuges, and what followed is history. Analysts question the overall effectiveness of the attack, but there is no denying that it did slow down Iran’s nuclear program, as over 1000 centrifuges had to be either repaired or replaced.
What are SCADA systems?
Humans have always tried to delegate menial, repetitive and mechanical but important tasks to machines, since humans are susceptible to fatigue, which can lead to mistakes that can prove disastrous. Industrial automation, which followed the age of mechanization, has resulted in the integration of computers, sensors and mechanical systems. The SCADA system, a by-product of this phase, was designed to control processes in various industries and installations. These systems function as the ‘brains’ of facilities like nuclear installations, everyday factories, oil and gas rigs and so on. Sensors detect the various events in the controlled process and feed them to a computer, which reacts to those events according to a pre-programmed algorithm.
When SCADA systems came into being, no one had envisaged that they would be targeted. As a result, and for the sake of efficiency, security protocols were never incorporated into them. These systems were also designed to be stand-alone systems, isolated from the outside world. It was much later, when the need for remote maintenance was felt, that a mechanism to manipulate them remotely was accommodated. The surfacing of the Stuxnet attack and the vulnerability of the above-mentioned SCADA systems need to be seen against the backdrop of the emergence of the cyber domain as the battlefield of the future. The Stuxnet attack is just a teaser of what is to come, and demonstrates the potential of cyber weapons.
Stuxnet and India
The Americans claim that Stuxnet was supposed to limit itself to the confines of Iranian networks. However, due to a ‘flaw’ in the coding, the virus spread to other parts of the world. India and several other countries were caught in the aftermath of the world’s most sophisticated cyber war. Some reports claim that India is the third most infected country, behind only Iran (60% of the affected computers) and Indonesia. Certain analysts believe that systems within sensitive institutions in India have been hit by Stuxnet. A senior cyber security researcher, Jeffrey Carr, has even raised the possibility that the virus was the reason for the shutting down of India’s INSAT 4B satellite. He has claimed to have found out, from the résumés of two retired scientists who worked for the Indian space establishment, that the satellite used the same Siemens logic controllers and operating system that were used to control the centrifuges in the Natanz plant. The establishment was quick to dismiss this possibility and added that it had used in-house technology in the satellite.
Despite the reports that many systems in India have been affected, the fact remains that the virus was designed for a very specific target. The code is the cyber equivalent of a laser-guided missile with a very small CEP (circular error probable). Though the virus infects some operating systems belonging to the Windows family, unless India has the same installations, using the same centrifuges and microcontrollers as the ones used in Iran, Stuxnet need not present a potent threat. However, as it has been proven that such an attack can be carried out, the possibility of an attack that uses a variation of Stuxnet designed to target hardware used in India can never be ruled out. It was Siemens in Iran – it could be GE’s (General Electric) ‘Intelligent Platform’ series or ‘Invensys’ systems elsewhere. It is worth noting that the majority of vendors in the business of developing SCADA systems are based in the US and its NATO partner states.
In 2010, the ‘Outlook India’ magazine published a disturbing report which cited several instances where top-level officers from DRDO (Defence Research and Development Organisation) and NTRO (National Technical Research Organisation) lost their laptops, which contained sensitive data like ciphers used by our defence forces and intelligence agencies, vulnerable points in India’s air defence network, etc. The report also claimed that in 2003, 53 computers went missing from DRDO and were later recovered with their hard disks removed. To date, the cases have not been solved and none of the stolen laptops or hard drives have been found. There is a very high probability that some of these disks could have held data pertaining to the hardware used in India’s missile guidance systems or other defence equipment. In the hands of an adversary, this data can easily be used to launch a Stuxnet-like attack on India’s SCADA systems.
Cyber-attacks like the one on Iran require a great deal of sophistication, resources, expertise and insider information about the target, which is not usually accessible to non-state actors; it is therefore unlikely that such an attack can be carried out without the involvement of a government. The Indian government has set up a Computer Emergency Response Team and a Critical Infrastructure Protection Centre to counter such threats. However, the effectiveness of these mechanisms is yet to be clearly ascertained. In view of the risks involved, it remains imperative for the Indian government to carry out comprehensive security reviews of the SCADA systems being used in the various installations in the country that are vital to its national security.
Disclaimer: The views expressed in this article are personal.