Son of Stuxnet? Variants of the cyberweapon likely, senators told
The Stuxnet cyberworm could soon be modified to attack vital industrial facilities in the US and abroad, cybersecurity experts warned Wednesday at a Senate hearing.
Stuxnet, the first known weaponized software designed to destroy a specific industrial process, could soon be modified to target an array of industrial systems in the US and abroad, cyber experts told US senators Wednesday.Skip to next paragraph
Subscribe Today to the Monitor
The Stuxnet malware, discovered this summer, was apparently designed to strike one target – Iran's nuclear-fuel centrifuge facilities, researchers now say. But Stuxnet's "digital warhead," they caution, could be copied and altered by others to wreak havoc on a much grander scale.
Variants of Stuxnet could target a host of critical infrastructure, from the power grid and water supplies to transportation systems, four cybersecurity experts told the Senate Committee on Homeland Security and Governmental Affairs.
"The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors," said Sean McGurk, acting director of the National Cyber-security and Communications Integration Center at the US Department of Homeland Security.
Stuxnet infiltrated and targeted an industrial control system software that is widely used in US infrastructure and industry, meaning the nation is vulnerable to future Stuxnet-like attacks, he said. "While we do not know which process was the intended target [of Stuxnet], it is important to note that the combination of Windows operating software and Siemens hardware can be used in control systems across critical infrastructure sectors – from automobile assembly lines to mixing baby formula to processing chemicals," said Mr. McGurk.
As of last week, 44,000 computers worldwide were still infected with the Stuxnet worm – including 1,600 in the US, said Dean Turner, head of global intelligence for Symantec Corp., the computer security firm that detailed Stuxnet's inner workings. Fifty of those US infections had worked their way from Windows operating systems into industrial control systems. It's not publicly known who created Stuxnet.
"Our level of preparedness ... in the private sector is better than it ever has been, but still has a long way to go," said Mr. Turner. "It's a cliché, but we don't know what we don't know."
Perhaps the sharpest alarm was sounded by Michael Assante, president of the National Board of Information Security Examiners. He's seen the threat up close, having held key posts in industrial control system security research at the Idaho National Laboratory and then as chief security officer of the North American Electric Reliability Corp., which is charged with power grid reliability.