It has never been completely clear how Stuxnet managed to gain purchase
in the computer network at Iran’s Natanz nuclear facility. One possible
explanation posits that the sophisticated and customized malware was
able to slip through a vulnerability in the plant’s supply chain.
Documents obtained from federal court cases suggest that US intelligence
was monitoring the procurement activity of NEDA Industrial Group, an
Iranian company that oversaw the computerized industrial control systems
at the Natanz facility. NEDA also had expertise with the Siemens
SCADA/ICS software used at Natanz. Armed with that information, the US
then targeted the components of the equipment that NEDA sought. State
Department cables from that time period that were more recently leaked
through WikiLeaks indicated that the US had been seeking to intercept
shipments of equipment headed for Iran. While the scenario is not
conclusive, it offers a compelling alternative to the idea that Stuxnet
arrived in the Natanz plant on a memory stick.
Article: CS Monitor