The Stuxnet worm: investment implications?

what it is

Stuxnet is a computer worm that was discovered last year. Most, if not all, of what is publicly known about the worm is summarized in a lengthy report that Symantec, the anti-virus company, posted recently on its website. Although there’s tons more information about Stuxnet on the Symantec website alone, I think deeper investigation would be overkill for a stock market investor.

Stuxnet’s main characteristics are:

–it is targeted at a specific type of industrial process control computer made by Siemens.  The controller, as the name implies, is a computer that directs the operation of industrial machinery:  typically pipelines, power grids or power plants, including nuclear power plants

–the purpose of the worm is to take control of the industrial process from the owners and give it to the worm’s creator.  The worm could contain instructions for the industrial process to either shut down or disable itself (explode?) at a future time.

–the worm is not propagated through the internet. It is passed from one infected computer to another through a wired connection.

–the worm uses flaws in Windows to spread

–45,000 control devices around the world are infected so far, according to Microsoft

–60% of them are located in Iran, according to Symantec, with Indonesia and India distant seconds

–Symantec estimates that it took a group of five to ten skilled programmers six months to create the worm, meaning 5,000-10,000 man-hours of work

It seems a reasonable assumption that the main target of Stuxnet is Iran, since that’s where the bulk of the infected controllers are. Given that there is little free flow of information either within that country or between Iran and the western world, it’s hard to assess how successful the worm is. The Iranian government has admitted that the Stuxnet worm has infected the Siemens systems in its nuclear reactor at Bushehr, though.

Some have argued that the sophistication of Stuxnet, and the large amount of time and money that had to have gone into its construction, mean that it must be part of a cyberwar project masterminded by some national government and aimed at disabling Iran’s nuclear program. This makes sense and it fits with the widely publicized attacks earlier this year on Google that the company traced to a mainland Chinese military college.

Also, power plants and utility grids are typically not connected to the internet, in order to minimize the chance of software contamination. So inserting the Stuxnet worm into, for example, the Bushehr nuclear reactor system requires some James Bond-like human activity to get the process started. Someone has to insert the worm into a Windows laptop that will be physically plugged into the industrial site’s wired LAN, so that it can be transmitted to the industrial controller through uploaded instructions. So the creator of the worm has to find a person with physical access to the targeted industrial system and either trick or compel him into loading the worm into his computer and introducing it into the target. Not a feat you or I could easily accomplish.

investment implications

I think we’ve already seen one–INTC’s acquisition of MFE.  The idea of the combination is to provide anti-intrusion protection hard-wired into the processors that run industrial controllers.

In general, though, for now I think the Stuxnet issue is one simply to be aware of so that you can be alert for new developments.

I can imagine three general paths the infected controller story can take:

1.  It ends up having no practical investing significance. This would make it like the phenomenon of PC viruses, where there is an initial problem but it is readily solved, there are many problem-solvers, and the prevention industry quickly becomes commoditized. Either that, or it remains something like the Cold War, present only in the background of government-to-government activity and invisible to most of us.

2.  It’s more like SARS or the avian flu.  That is, it becomes a significant threat to global commerce and actually disrupts world economic activity for a period of time, but is ultimately brought under control.  Yes, future outbreaks are possible, but a general system for control is in place.

3.  It becomes a serious and lasting threat.

The arguments against this are the time and effort required (at present, at least) to construct a worm similar to Stuxnet, and the issue of obtaining physical access.

On the other hand, there’s the question of what one might call collateral damage. Let’s suppose Stuxnet was created by some government with an interest in slowing down or disabling the Iranian nuclear program. Nevertheless, industrial controllers in Indonesia, India, Azerbaijan, the US and Pakistan have become infected, presumably unintentionally, as well. If unintentional, I think it’s likely that the creator of the worm couldn’t be sure either of the precise point where physical access to the target could be achieved, or of its timing. So he had to cast a wide net and accept the possibility that lots of controllers other than the target would be affected.

This alternative becoming more likely would have the clearest investment implications.  Power and energy transmission and distribution companies would become less attractive, despite high dividend yields.  INTC would probably have a significant growth spurt.

