...with too much time on their hands. You know, the ones writing viruses that require a complete "Format C:." But in this particular instance
? ( I'm actually cheering them on... )
The immediate result, however, cannot be ignored: Full start-up of the plant has been delayed by at least two or three months while the Iranians try to clean house. That is, of course, if they're telling the press the whole story; in this instance, they may be under-reporting the extent of the damage. Either way, it gives them food for thought, as well as buying other entities more time to develop a more interesting
solution to the problem of Iran going nuclear.
ETA: A pretty decent follow-up from the Times
. From the article:
While the S-7 industrial controller is used widely in Iran, and many other countries, even Siemens says it does not know where it is being used. Alexander Machowetz, a spokesman in Germany for Siemens, said the company did no business with Iran’s nuclear program. “It could be that there is equipment,” he said in a telephone interview. “But we never delivered it to Natanz.”
Now, I'm kinda thinking out loud here, but to me, this creates a few issues. For the manufacturer, sometimes the third party isn't as experienced in dealing with the equipment as a manufacturer's sales/technical rep. This has many times resulted in bad programming and the eventual service call to the manufacturer's technical reps to correct the problem.
In this instance, using a third party vendor means Siemens has no control over where their equipment is going and who is programming it; it means the Iranians are relying on someone who is not a Siemens rep to program it, possibly creating a larger vulnerability than otherwise expected; and the extended chain of custody (as it were) provides more access for intentional sabotage.
Then again, if they had been able to purchase directly from Siemens, who is to say that anyone would have had access to plant the bug to begin with?
Ah, all the loverly what-ifs....
ETA 2: Another follow-up from The Weekly Standard.
Even better than the Times
article, it even details the weaknesses of the programmable logic controllers that Stuxnet exploited.
I know I'm being repetitive, but I'll say it again: Absolutely brilliant work.