Son of Stuxnet? Variants of the cyberweapon likely, senators told
The Stuxnet cyberworm could soon be modified to attack vital industrial facilities in the US and abroad, cybersecurity experts warned Wednesday at a Senate hearing.
"Stuxnet is, at the very least, an important wake-up call for digitally enhanced and reliant countries – at its worst, a blueprint for future attackers," he said. It is a "good example of a cyberthreat thought to be hypothetically possible, but not considered probable by many." Its sophistication "should disturb security professionals, engineers, businessmen, and government leaders alike."
Citing his research at the national lab, Mr. Assante noted that his team there had explored a similar avenue earlier – alluding apparently to a 2007 test that used Internet-delivered commands to destroy a diesel generator – prompting black smoke and bolts flying off the machine. "I have participated in research that demonstrated this capability in a controlled environment to understand how it could be done," he said. "I believe that the analysis to date has indicated that Stuxnet may be such a weapon."
Concern about vulnerability of the power grid has led to warnings and new standards. Yet the grid remains vulnerable to a Stuxnet-style threat, Assante asserted. New government standards have become a "glass ceiling" for companies to perfunctorily meet, he said, but not to exceed.
The Department of Homeland Security (DHS) and a team at the national lab have reverse-engineered and decoded Stuxnet, McGurk said. But DHS is worried that attackers "could use publicly available information about the code" to develop variants targeted at broader installations of programmable equipment in control systems, he said.
That statement may well be a slap at Symantec, which published detailed reports on precisely how Stuxnet works. Bulletins from DHS, on the other hand, omitted key details, said several cybersecurity researchers interviewed by the Monitor.
Still, lack of information-sharing is preventing readiness to combat advanced cyberthreats like Stuxnet, said other witnesses at the hearing.
"A significant cause for concern is that much of the information about cybersecurity-related threats remains classified in the homeland security, defense, and intelligence communities, with restricted opportunity to share information with security researchers, technology providers, and affected private-sector asset owners," Assante said. Restricted use of newly gained knowledge about advanced cyberthreats, he added, means "our nation’s critical infrastructure is placed at significant risk."
The witnesses gave varying assessments about how prepared the private sector is to deal with a threat of Stuxnet's sophistication.
"The chemical sector understands this evolving threat," he said. "The ACC and its members have been working for years across the sector to prepare and share information about these issues.... We continue to comprehensively improve control system security."
Assante, sounding much less enthusiastic about industry preparedness, cited technology trends that make it easier for attackers to strike control systems.
"I believe we're extremely susceptible," he said. "In fact, I believe our susceptibility grows every day. If you just look at the very trends in the technology that we deploy, we're doing things that would allow an attacker more freedom of action within these environments.... Stuxnet is an important harbinger of things that may come if we do not use this opportunity to learn about this threat and apply it."