Q. Who created it?
Whoever knows the answer to this isn't telling 2014 but if cybersecurity researchers, the Iranian government and vocal Internet users are to be believed, the two prime suspects are the U.S. and Israeli governments.
Q. How does it work?
Stuxnet seeks out little gray computers called programmable logic controllers, or PLCs. The size and shape of a carton of cigarettes, PLCs are used in industrial settings from pretzel factories to nuclear power plants. Unfortunately, security researchers say the password requirements for the devices are often weak, creating openings that Stuxnet (or other viruses) can exploit. Siemens made the PLCs that ran Iran's centrifuges; other makers include Modicon and Allen Bradley. Once introduced via computers running Microsoft Windows, Stuxnet looks for a PLC it can control.
Q. How big is the problem?
Millions of PLCs are in use all over the world, and Siemens is one of the top five vendors.
Q. After Iran, did Siemens fix its devices?
Siemens released a software tool for users to detect and remove the Stuxnet virus, and encourages its customers to install fixes Microsoft put out for its Windows system soon after the Iran attack became public (most PLCs are programmed from computers running Windows.) It is also planning to release a new piece of hardware for its PLCs, called a communications processor, to make them more secure 2014 though it's unclear whether the new processor will fix the specific problems Stuxnet exploited. Meanwhile, the firm acknowledges its PLCs remain vulnerable2014 in a statement to ProPublica, Siemens said it was impossible to guard against every possible attack.
Q. Is Siemens alone?
Logic controllers made by other companies also have flaws, as researchers from NSS labs, a security research firm, have pointed out. Researchers at a consulting firm called Digital Bond drew more attention to the problem earlier this year when they released code targeting commonly used PLCs using some of Stuxnet's techniques. A key vulnerability is password strength 2014 PLCs connected to corporate networks or the Internet are frequently left wide open, Digital Bond CEO Dale Peterson says.
Q. What makes these systems so tough to protect?
Like any computer product, industrial control systems have bugs that programmers can't foresee. Government officials and security researchers say critical systems should never be connected to the Internet 2014 though they frequently are. But having Internet access is convenient and saves money for companies that operate water, power, transit and other systems.
Q. Is cost an issue?
System manufacturers are reluctant to patch older versions of their products, government and private sector researchers said. Utility companies and other operators don't want to shell out money to replace systems that seem to be working fine. Dan Auerbach of the Electronic Frontier Foundation, formerly a security engineer at Google, says the pressure on tech companies to quickly release products sometimes trumps security. "There's an incentive problem," he said.