Skip to: Content
Skip to: Site Navigation
Skip to: Search

From the man who discovered Stuxnet, dire warnings one year later

Stuxnet, the cyberweapon that attacked and damaged an Iranian nuclear facility, has opened a Pandora's box of cyberwar, says the man who uncovered it. A Q&A about the potential threats.

By Staff writer / September 22, 2011

German industrial control systems expert, Ralph Langner, poses for a portrait in Boston on Tuesday.

Ann Hermes/Staff


One year ago a malicious software program called Stuxnet exploded onto the world stage as the first publicly confirmed cyber superweapon – a digital guided missile that could emerge from cyber space to destroy a physical target in the real world.

Skip to next paragraph

It took Ralph Langner about a month to figure that out.

While Symantec, the big antivirus company, and other experts pored over Stuxnet's inner workings, it was Mr. Langner, an industrial control systems security expert in Hamburg, who deciphered and tested pieces of Stuxnet's "payload" code in his lab and declared it a military-grade cyberweapon aimed at Iran's nuclear facilities.

Days later, he and other experts refined that assessment, agreeing Stuxnet was specifically after Iran's gas centrifuge nuclear fuel-enrichment program at Natanz.

After infiltrating Natanz's industrial-control systems, Stuxnet automatically ordered subsystems operating the centrifuge motors to spin too fast and make them fly apart, Langner says. At the same time, Stuxnet made it appear random breakdowns were responsible so plant operators would not realize a nasty software weapon was behind it.

In the end, Stuxnet may have set back Iran's nuclear ambitions by years. But it also could prove a Pyrrhic victory for its still-unknown creator – a sophisticated cyberweapons nation state that Langner argues could be the US or Israel. Like the Hiroshima bomb, Stuxnet demonstrated for the first time a dangerous capability – in this case to hackers, cybercrime gangs, and new cyberweapons states, he says in an interview.

With Stuxnet as a "blueprint" downloadable from the Internet, he says, "any dumb hacker" can now figure out how to build and sell cyberweapons to any hacktivist or terrorist who wants "to put the lights out" in a US city or "release a toxic gas cloud."

What follows are excerpts of Langner's comments from an extended interview:

CSM: How would you characterize the year since Stuxnet – the response by nations, industry and government?

LANGNER: Last year, after Stuxnet was identified as a weapon, we recommended to every asset owner in America – owners of power plants, chemical plants, refineries and others – to make it a top priority to protect their systems.... That wakeup call lasted only about a week. Thereafter, everybody fell back into coma. The most bizarre thing is that even the Department of Homeland Security (DHS) and Siemens [maker of the industrial control system targeted by Stuxnet] talked about Stuxnet being a wakeup call, but never got into the specifics of what needed to be done.

CSM: What do you think has been the most important or dangerous development to emerge since you identified Stuxnet as a weapon?

LANGNER: The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks.... With every day [that] cyber weapon technology proliferates; the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares.

CSM: How should nations and critical infrastructure owners deal with the threat of Stuxnet-like attacks or deter them?


Read Comments

View reader comments | Comment on this story