An extraordinary stroke of digital espionage by the United States may forever change the way manufacturing companies look at the security and vulnerability of their operations.
The New York Times reported on January 15 that American and Israeli intelligence were apparently behind a computer worm called Stuxnet that severely damaged Iran’s nuclear centrifuges in 2010, setting back that nation’s controversial nuclear weapons program by several years. The Times asserted that Stuxnet, the most sophisticated cyberweapon ever developed, caused the centrifuges to spin out of control while playing back recordings of normal operations so technicians were unaware of what was happening.
It marked one of the first instances in which nations used computer malware to cause physical damage to the machinery of another. The Times reported that U.S. intelligence began by obtaining information about the vulnerabilities of the Siemens P.C.S.-7 controllers used to operate the Iranian centrifuges and then tested the scheme on Iranian-type machinery kept by by Israel.
The Siemens controllers are the same ones used by thousands of manufacturing companies around the world to operate industrial machinery. Computers drive virtually all advanced manufacturing by translating the electronic engineering of products and parts to computer numeric controlled (CNC) machinery to fabricate everything from paper to jet engines with astonishing tolerances.
“It’s like a playbook,” said Ralph Langner, an independent computer security expert in Hamburg, Germany, who was among the first to decode Stuxnet. “Anyone who looks at it carefully can build something like it,” he told the Times. Mr. Langner is among the experts who express fear that the attack legitimized a new form of industrial warfare, one to which the United States is also highly vulnerable.
The vulnerability of computer-controlled manufacturing machinery is especially troublesome for Massachusetts, where the manufacturing sector is both highly automated and global in scope. Walk around any Massachusetts factory floor and you’re likely to see five-axis machining centers, printing presses or plastic injection-molding machines with almost as much computer hardware and software as tool bits.
The Stuxnet attack ultimately opens up a broad new set of security concerns for manufacturers who until now thought the worst consequence of a computer virus was crashed laptops. What happens now that a business competitor, a disgruntled employee or some hacker sitting in an Internet café in Asia can write computer code capable of making multi-million dollar production machinery run off the rails?
There is, unfortunately, a growing body of answers to that question. Cyber attackers in recent years have shut down nuclear plants, municipal water systems, a tram system in Poland and even the traffic lights in Los Angeles.
As early as 2008, Siemens and the Idaho National Laboratory told a conference: “Currently, a cyber attack on industrial control systems is one of the only ways to induce real-world physical actions from the virtual realm of the Internet. This is leading to an increased level of interest in industrial control systems by ‘black hat’ groups.”
The message to manufacturers – you’re going to need a bigger lock.