The Stuxnet worm was the first known example of a digital weapon developed by the U.S. government — and it actually worked. Discovered in 2010, it had already destroyed several nuclear centrifuges in Iran. Now, veteran computer security reporter Kim Zetter has an action-packed book about it. We've got an excerpt.
If you really want to understand the future of warfare, don't miss Zetter's Countdown to Zero Day. It's out now, and Zetter will be joining io9 for a Q/A about it on Monday.
INDUSTRIAL CONTROLS OUT OF CONTROL
Fifty miles outside Idaho Falls, Idaho, on a vast desert prairie owned by the Department of Energy's Idaho National Lab, a handful of engineers shivered against the cold as they paced around a generator the size of a small bus parked on a slab of concrete. It was March 4, 2007, and the workers were making final safety checks for a groundbreaking test they were about to conduct.
About a mile away at the lab's visitor's center, a group of officials from Washington, DC, as well as executives from the power industry and NERC, the North American Electric Reliability Corporation, gathered in a theater warming their hands around cups of steaming coffee as they waited for a live feed of the demo to begin.
In 2010, when the Symantec researchers discovered that Stuxnet was designed to sabotage Siemens PLCs, they believed it was the first documented case in which digital code had been used to physically destroy equipment. But three years earlier, on this Idaho plain, the Aurora Generator Test had demonstrated the viability of such an attack.
It was around eleven thirty a.m. that March day when a worker back in Idaho Falls got the signal to launch a stream of vicious code against the target. As the generator's 5,000-horsepower diesel engine roared over speakers in the lab's small theater, the spectators stared intently at a screen searching for signs of the code's effects. At first, there were none. But then they heard a loud snap, like a heavy chain slapping against a metal drum, and the steel behemoth rattled briefly as if shaken awake. Several seconds passed and they heard another snap—this time the generator lurched and shuddered more violently as if jolted by a defibrillator. Bolts and bits of rubber grommet ejected from its bowels toward the camera, making the observers wince. About fifteen seconds passed before another loud snap sent the machine lurching again. This time, after the vibrations subsided, the generator spit out a puff of white smoke. Then suddenly, bam! the machine heaved again before coming to a final rest. After a lengthy pause, when it seemed the beast might have survived the assault, a plume of angry black smoke billowed from its chambers.
Only three minutes had elapsed since the test began, but that was all it took to reduce the colossal machine to a smoldering, lifeless mess of metal and smoke. When it was all done, there was no applause in the theater, just stunned silence. To rock a piece of equipment the size of a tank should have required exceptional force. Yet all it had taken in this case was twenty-one lines of malicious code.
The test had been exhaustively planned and modeled for weeks, yet the force and violence of the attack still took its engineers by surprise—"a moment of incredible vividness," Michael Assante, one of the architects of the test, said. It was one thing to simulate an attack against a small motor perched atop a table, but quite another to watch a twenty-seven-ton machine bounce like a child's toy and fly apart.
The test provided certified proof that a saboteur didn't need physical access to destroy critical equipment at a power plant but could achieve the same result remotely with just a piece of well-crafted code. Three years later, when Stuxnet was found on machines in Iran, no one who worked on the Aurora project was surprised that a digital attack could cause physical destruction. They were only surprised that it had taken so long for such an attack to show up.
Reprinted from Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Copyright © 2014 by Kim Zetter. Published by Crown Publishers, an imprint of Random House LLC.