Siemens hasn't come out with many details, but Computerworld reports confirmation from Siemens that "we detected the virus in the SCADA systems of 14 plants in operation but without any malfunction of process and production and without any damage." Reportedly, "most" of the infected plants are in Germany, with others in the United States, South Korea, and Iran. Given the large number of infected PCs in Iran and a dearth of reported infections in the United States and Europe, to me it seems odd that Siemens found so many infected SCADA systems in Germany.
It also raises the question of how many Siemens S7/315-2 systems are located in Iran. Siemens hasn't released that information. Siemens is under a great deal of pressure to stop doing business (totalling $700 million in 2009) with Iran, but that's another story.
In a revelation that's sure to embarrass the company, Stuxnet uses default Siemens passwords to pwn the SCADA system. But Siemens has warned its customers to not change the default password, for fear of crashing their systems. That's security, eh?
Clearly, Stuxnet is the product of several very sophisticated programmers, who were intimately aware of Windows zero-day security holes, probably (but not certainly) before Microsoft found out about them. It's highly unlikely that the same people who wrote the PC infection routines also wrote the Siemens-specific code. Work on Stuxnet has gone on for more than a year. It isn't a weekend project by a bunch of high schoolers. But beyond that, all we have is speculation.
Is Stuxnet a clandestine effort by some top-secret government group to snoop on, or take over, Iran's showcase nuclear power plant -- one that's been under construction, with several breaks, for the past 35 years? If so, which government or governments? What's to be gained?
Could it, instead, be the effort of a wealthy individual or organization attempting a grand round of corporate espionage, aimed at large production facilities in Europe run by specific Siemens SCADA systems?
Is Siemens involved? I can think of a dozen scenarios where direct involvement by Siemens is quite plausible, regardless of the intended target.
I've heard one quid pro quo conspiracy theory that tickled my American fancy: Iranian intelligence invented Stuxnet and infected Bushehr employees' PCs to bolster resentment toward the West.