Three days ago an updated report by the Institute for Science and International Security (ISIS) was published with the following conclusion:
While it has delayed the Iranian centrifuge program at the Natanz plant in 2010 and contributed to slowing its expansion, it did not stop it or even delay the continued buildup of LEU [low enriched uranium]. […] At the time of the attack, the Natanz FEP contained a total of almost 9,000 IR-1 centrifuges. The destruction of 1,000 out of 9,000 centrifuges may not appear significant, particularly since Iran took steps to maintain and increase its LEU production rates during this same period. […] One observation is that it may be harder to destroy centrifuges by use of cyber attacks than often believed.
They suggest that the malware was injected into systems in the supply-chain for Natanz.
Because of sanctions and trade controls, Iran operates international smuggling rings to obtain industrial control equipment, including the Siemens 315 and 417 PLCs. Although foreign intelligence agencies could infect or sabotage these PLCs abroad, they would have far greater chance of ultimately infecting Natanz by inserting Stuxnet in the core of Iranâ€™s supply chain for the centrifuge programâ€™s control systems.
This points strongly to an outsider cut-off from direct site access yet influential, which echoes a CIA method claimed to have caused the trans-Siberian pipeline disaster in 1982. On the other hand, it is said the attackers monitored and continued to modify Stuxnet, almost as if they had inside access and knowledge of their progress:
Symantec has established that Stuxnet first infected four Iranian organizations in June and July 2009. After the 2009/2010 attack, and before Stuxnetâ€™s public discovery, the malwareâ€™s operators tried to attack again. Symantec found that in March, April, and May 2010, two of the original organizations were again infected. In May, a new Iranian organization was also infected. Were the Stuxnet operators dissatisfied with destroying only 1,000 centrifuges, or were they encouraged by their success? In any case, they were improving the codeâ€™s ability to spread by the spring of 2010, according to Symantec. These improvements undoubtedly sought to enable the program to again breech Iranâ€™s security on its gas centrifuge program and destroy more centrifuges.
The report points out that the level of knowledge required for the attack had to come from a plant insider, but that the attack vector is more likely to have been from an outsider. The blended approach of Stuxnet emphasizes a loss of secrecy in their program, which may significantly affect Iran’s management of their nuclear effort far more than damage to controllers and centrifuges. The objective may have not been destruction but rather to demonstrate the sophisticated level of information leakage.