STUXNET: Smart Bomb on a Stick?
Thursday, September 30th, 2010
I need to write about this, because it is very important to get the message out. I don’t want to take anything away from my colleagues who have recently written on it, like my friend Sam Curry at RSA – whose blog entry on Stuxnet really gets to the heart of the threat and that “worlds have collided.”
I want to take a slightly different approach to the threat. Sam and others are absolutely correct: this is a “big deal” when a piece of malicious code can control programmable logic controllers, i.e. the things that make the world go around – from nuclear power stations to traffic lights to subway routing systems. What concerns me most about Stuxnet is its targeting. If you’ve read the news, Stuxnet is believed to have been implemented in a targeted fashion against Iran’s uranium enrichment facility in Natanz and potentially the reactor complex at Bushehr. 60% of the known infections are in Iran, with critical systems basically brought to a standstill.
Now, let’s make the hypothetical leap that some nation-state(s) did not want Iran to develop these nuclear capabilities. There is clear evidence in the past, if you remember your history, that when certain nation-states did not like the nuclear progress of another country, they would physically bomb that capability off the map. Ask the residents of Osirak, Iraq what they remember about June 7th, 1981. The burning question is whether Stuxnet was a cyber-version of Operation Opera. I am not going to say that Israel or the US was behind Stuxnet. I’ll let others do that. I would rather focus on the strategy itself.
In war, collateral damage is an unfortunate but expected consequence. Even laser and GPS guided smart bombs can throw shrapnel into the house next door and kill innocent victims. The problem is, Stuxnet is not as smart as 2000lbs of guided steel and explosives. When targeting a system from a cyber-warfare perspective, it’s hard to know what defenses and controls are really in place, and who might be innocently standing by. When attacking a nuclear facility’s control systems, the risks are enormous. What I am saying is that I would prefer an Osirak to a Chernobyl any day of the week.
Unfortunately, like the first atomic bomb detonation, the beast is now unleashed. Luckily, the sheer complexity of Stuxnet would be hard to produce outside of the resources of a nation-state or well-funded organization. But I can guarantee there are people trying now that we should probably be concerned about. This could be a bit of “FUD” on my part – but no matter how I look at it – this new threat scares the heck out of me. Consider what is now possible when you step on your next train or subway, or when you drive through a traffic light.
Kimberly Getgen is founder of marketing research company Trust Catalyst and has over 12 years of marketing experience in the high tech and information security industries. Her passion is helping companies sell their vision for data protection and establish online trusted relationships with customers.
Most recently the Identity, Security, and Fraud Executive for Bank of America's eChannels division, David has learned the challenges of fighting cybercrime from being in the front lines protecting 30+ million online banking customers. This, and his passion for industry cooperation and customer education in the fight against financial cybercrime and identity theft makes his perspective unique in how as a community, we can defeat online fraud.