Stuxnet

The 2010 ICS malware that targeted Siemens S7-300 PLCs running specific frequency-converter configurations at uranium-enrichment RPMs. The event that ended the air-gap conversation.

Also: W32.Stuxnet

Stuxnet is the malware first publicly disclosed in June 2010 by the Belarusian antivirus firm VirusBlokAda (and analysed in depth shortly after by Symantec, ESET, and Kaspersky). It targeted Siemens S7-300 PLCs running very specific frequency-converter configurations — Vacon (Finland) and Fararo Paya (Iran) drives operating at the RPM range characteristic of gas-centrifuge uranium enrichment. It propagated via USB sticks. It exploited four zero-day Windows vulnerabilities in a single payload — an unprecedented expenditure of operational capital. It rewrote PLC ladder logic to drive enrichment centrifuges to destruction while reporting normal speeds to the control room.

The Symantec dossier (Falliere, O Murchu, Chien, 2011) is the canonical technical reference.

Why it mattered architecturally

Stuxnet ended the air-gap conversation. The Iranian Natanz facility was as close to a textbook air-gapped industrial environment as existed anywhere — no IP routes from corporate IT to the centrifuge controllers, physical perimeter, vetted personnel. Stuxnet got in anyway, on a USB stick almost certainly carried by a maintenance contractor.

The lesson generalised: air gaps don’t fail catastrophically. They fail quietly, at the seams, where a contractor’s laptop or a vendor’s remote-support tunnel or a removable medium dissolves the boundary just enough for an attacker to walk through. The audit report still says air-gapped. The diagram still has a dashed line. Reality has moved on.

What it did technically

The interesting parts of the payload, in rough order of novelty:

  • Four Windows zero-days in a single binary — privilege escalation, and propagation via removable media (LNK shortcut), via the printer spooler (MS10-061), and via SMB (MS10-046). Burning four zero-days in one campaign was without precedent at the time.
  • Stolen code-signing certificates from Realtek and JMicron, used to sign the kernel driver components so they would load on Windows without warnings.
  • Specific PLC targeting — would only act on Siemens S7-300 CPUs configured with a specific number of Profibus drives matching one of two product IDs, only at certain frequencies.
  • PLC rootkit — modified the PLC’s runtime to lie about its internal state to the engineering software (Step 7) and the operator HMI. The first publicly known PLC rootkit.
  • Centrifuge-destructive logic — drove the rotor speed up briefly past safe operating limits, then back to nominal, then occasionally down to half speed. The repeated cycle damaged centrifuges over months while nominal RPMs were reported upstream.
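The last two bullets describe a controller that lies to everything upstream of it, so the defensive counter is a measurement that does not pass through the PLC or the engineering workstation at all. The following is an added example, not code from the page, from Symantec, or from Siemens: it reconciles the value a PLC reports to the HMI with an independent sensor reading and raises alerts both for excursions past a safe ceiling and for sustained disagreement between the two. The sample stream, the nominal frequency, the safe limit and the tolerances are all constructed or assumed for the example, not plant data.

```python
"""Added example (not code from the page, Symantec, or Siemens): reconciling
the speed a PLC reports to the HMI with an independent measurement that does
not pass through the PLC or the engineering workstation. All values below are
constructed for the example; the thresholds are assumptions, not plant data.
"""
from dataclasses import dataclass

NOMINAL_HZ = 1000.0     # assumed nominal drive frequency
SAFE_MAX_HZ = 1100.0    # assumed safe operating ceiling for the rotor
DIVERGENCE_HZ = 50.0    # assumed tolerance between reported and measured values
MIN_DIVERGENT_RUN = 2   # consecutive divergent samples before alerting (debounce)


@dataclass
class Sample:
    t: int               # sample index on a constructed timeline
    reported_hz: float   # value the PLC sends to the HMI / historian
    measured_hz: float   # value from a sensor that bypasses the PLC


@dataclass
class Alert:
    t: int
    kind: str            # "over_limit" or "divergence"
    detail: str


def reconcile(samples):
    """Return alerts for (a) the independent measurement exceeding the safe
    ceiling and (b) sustained disagreement between the reported and measured
    values, which is the signature of a controller lying to the HMI."""
    alerts = []
    divergent_run = 0
    for s in samples:
        if s.measured_hz > SAFE_MAX_HZ:
            alerts.append(Alert(s.t, "over_limit",
                                f"measured {s.measured_hz:.0f} Hz exceeds {SAFE_MAX_HZ:.0f} Hz"))
        if abs(s.reported_hz - s.measured_hz) > DIVERGENCE_HZ:
            divergent_run += 1
            if divergent_run == MIN_DIVERGENT_RUN:
                alerts.append(Alert(s.t, "divergence",
                                    f"reported {s.reported_hz:.0f} Hz vs measured {s.measured_hz:.0f} Hz"))
        else:
            divergent_run = 0
    return alerts


# Constructed stream following the page's description: the PLC reports nominal
# throughout while the real speed briefly overshoots, returns, then halves.
TRUE_SPEED = [1000, 1000, 1400, 1400, 1000, 1000, 500, 500, 500, 1000]
ATTACK_STREAM = [Sample(t, NOMINAL_HZ, float(v)) for t, v in enumerate(TRUE_SPEED)]

# What the HMI alone sees: the reported value standing in for the measurement.
HMI_ONLY_STREAM = [Sample(t, NOMINAL_HZ, NOMINAL_HZ) for t in range(len(TRUE_SPEED))]


def summarise(samples):
    """(t, kind) pairs, convenient for logging and for checking the logic."""
    return [(a.t, a.kind) for a in reconcile(samples)]


if __name__ == "__main__":
    for a in reconcile(ATTACK_STREAM):
        print(f"t={a.t} {a.kind}: {a.detail}")
    print("HMI-only view raises", len(reconcile(HMI_ONLY_STREAM)), "alerts")
```

Run against the constructed attack stream, the reconciler flags the two over-limit samples and the two divergent runs; run against the HMI-only view it raises nothing, which is exactly the blindness the PLC rootkit relied on. The debounce exists so that a single noisy sensor reading does not page anyone; the point of the design is that the second input comes from hardware the PLC cannot influence.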

Where it fits the substation context

Substation environments are not Stuxnet targets — nobody would aim a Stuxnet-class toolset at GOOSE-trip logic rather than at centrifuges — but the delivery mechanism generalises directly. The vendor laptop that gets carried between substations, the engineering USB stick, the removable medium that crosses zone boundaries — these are the conduits Stuxnet exploited, and they exist unchanged in the modern substation.

The IEC 62443 zone-and-conduit response is to treat the engineering laptop as a mobile conduit with its own target security level (SL-T) and explicit controls (full-disk encryption, no general-purpose internet access, signed firmware images only, signed-driver enforcement). The 62443 catalogue does not magically eliminate the route Stuxnet took. It forces that route to be drawn on the diagram and engineered, which is the harder problem the standard exists to surface.
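"Signed firmware images only" is one of the controls listed above, and the stolen Realtek and JMicron certificates earlier on the page are the reason a bare "is it signed?" check is not enough: a valid signature under someone else's key proves nothing about whether this plant approved this image. The following is an added example, not from the page or from IEC 62443, of a conduit-side gate that admits an image only if its digest appears in a manifest authenticated by the plant's own firmware authority. The manifest is authenticated with an HMAC under a key held by that authority, standing in for the asymmetric signature a real deployment would use; the images, manifest and key are constructed for the example.

```python
"""Added example (not from the page or from IEC 62443): a gate that admits a
firmware image onto the engineering conduit only if its digest is listed in a
manifest authenticated by the plant's own firmware authority. HMAC-SHA256
stands in for the asymmetric signature a real deployment would use; all
images, names and keys below are constructed for the example."""
import hashlib
import hmac
import json

# Constructed key; in a real deployment this lives in an HSM or signing service.
MANIFEST_KEY = b"example-manifest-key"


def build_manifest(images, key):
    """Authority side: digest each approved image and MAC the manifest body."""
    body = {"approved": {name: hashlib.sha256(blob).hexdigest()
                         for name, blob in images.items()}}
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, encoded, hashlib.sha256).hexdigest()
    return {"body": encoded.decode(), "tag": tag}


def verify_image(manifest, name, blob, key):
    """Conduit side: refuse the image unless the manifest tag verifies under
    our key and the image digest matches the approved entry for that name.
    Returns (allowed, reason)."""
    encoded = manifest["body"].encode()
    expected = hmac.new(key, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest authentication failed"
    approved = json.loads(encoded)["approved"]
    if name not in approved:
        return False, "image not in approved manifest"
    if not hmac.compare_digest(hashlib.sha256(blob).hexdigest(), approved[name]):
        return False, "image digest does not match manifest"
    return True, "ok"


# Constructed images and the manifest the authority would publish for them.
GOOD_IMAGE = b"constructed drive firmware image v1"
APPROVED_IMAGES = {"drive-fw-v1.bin": GOOD_IMAGE}
MANIFEST = build_manifest(APPROVED_IMAGES, MANIFEST_KEY)

# A manifest produced under a different key: well-formed, "signed", and still
# worthless to this plant, which is the stolen-certificate lesson.
FOREIGN_MANIFEST = build_manifest(APPROVED_IMAGES, b"someone-elses-key")


if __name__ == "__main__":
    print(verify_image(MANIFEST, "drive-fw-v1.bin", GOOD_IMAGE, MANIFEST_KEY))
    print(verify_image(MANIFEST, "drive-fw-v1.bin", GOOD_IMAGE + b"\x00", MANIFEST_KEY))
    print(verify_image(FOREIGN_MANIFEST, "drive-fw-v1.bin", GOOD_IMAGE, MANIFEST_KEY))
```

The gate pins specific approved images rather than trusting any image carrying a valid vendor signature, so a tampered image, an unlisted image, and a manifest authenticated under a key the plant does not hold are all refused for distinct, loggable reasons. Swapping the HMAC for an asymmetric signature changes only `build_manifest` and the first check in `verify_image`; the pinning logic is the same.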

What followed

Industroyer (2016, then Industroyer2 in 2022) was the first public ICS malware to target power-grid protocols natively — IEC 60870-5-104 and IEC 61850 GOOSE — without needing the Stuxnet-style USB delivery to reach the PLC. CHERNOVITE’s PIPEDREAM toolkit (CISA AA22-103A, April 2022) was the first publicly attributed pre-deployment ICS toolkit generic across multiple PLC vendors. The arc has been from “Stuxnet was a one-off, well-resourced campaign” to “ICS-aware tooling is something an adversary expects to need”.