Stuxnet--a computer worm more sophisticated and potentially more destructive than any previously discovered--has been attacking industrial facilities for about a year. Who made it and why remain a mystery, but security professionals regard it as so extraordinarily complex that it could only be the work of a nation-state or a sophisticated, well-financed private group.
Dr. Udo Helmbrecht, executive director of ENISA, a European cyber-security agency, calls it a "new class and dimension" of malware. "Stuxnet is really a paradigm shift," he says. "The fact that perpetrators activated such an attack tool can be considered as the 'first strike'--i.e., one of the first organized, well prepared attacks against major industrial resources."
The worm enters Windows-based industrial control systems of factories, chemical plants, power plants and transmission systems by way of a corrupted memory stick and is thought to do such things as change autonomously the speed of pumps and other equipment, thus creating dangerous situations of over-pressure or under-pressure. It doesn't need human guidance to work its mischief.
It first was discovered in Malaysia but has now been detected in industrial facilities in China, Iran, Germany, Canada, the U.S. and elsewhere. The Christian Science Monitor called it "essentially a precision, military-grade cyber missile," its exact target yet unknown. Experts have speculated it might originally have been engineered to disable Iran's Bushehr nuclear plant.
The explosion that leveled a San Bruno, California, neighborhood in September--sending flames 300 feet into the air--wasn't the first and likely will not be the last conflagration caused by a ruptured natural gas pipeline (in this case, one belonging to the Pacific Gas & Electric Company).
San Bruno's fire and explosion destroyed 53 homes and damaged 120 more. It killed seven and injured more than 50. "The central ball of fire," said a reporter for the S.F. Chronicle, "raged past nightfall before abating. By then, houses on several blocks and thick stands of trees were engulfed in flames."
The death toll wasn't the worst in pipeline history. An incident ten years ago in Carlsbad, New Mexico, killed 12. Pipeline blasts in the past five years have killed 60 and injured 230.
Though roughly half these incidents were the fault of parties other than utilities (builders, say, or cable companies who accidentally dug into underground pipes), pipeline operators themselves were at fault in at least two dozen cases where they dug into their own lines. Other incidents for which they were responsible involved corrosion, faulty equipment and operator error. The cause of the San Bruno incident is still under investigation.
The age of a pipeline matters less than inspection and maintenance. So says Carl Weier, head of the Pipeline Safety Trust, a government-financed watchdog group. "Most of the pipelines in this country are 40 to 50 years old. If properly maintained, they don't present a danger."
But even a new pipeline, he says, will go to failure if not well inspected and maintained. Corrosion caused the Carlsbad event, according to inspectors who examined the wreckage. Weier thinks the danger of future explosions could be defused by better and more frequent inspection, especially in rural areas, where pipelines get a thorough going-over only once every seven years.