A year of Stuxnet: Why is the new cyberweapon's warning being ignored?
Experts called Stuxnet a 'wake-up call' when it was identified as a cyberweapon. But even as hackers study it, there is scant evidence US utilities are bolstering their defenses against attack.
A cyberterrorist, foreign nation, or maybe just a hacktivist who wants all Internet information to be free, puts the lights out in a major American city with the click of a mouse button. For weeks.
That may sound like the stuff of a movie script, yet it is precisely the kind of nasty threat posed by Stuxnet, which one year ago emerged as the world's first publicly confirmed example of a digital guided missile. It was built to cross cyberspace, zero in on a real-world computer-controlled target – and physically destroy it.
Garden-variety computer viruses may steal your bank password, but Stuxnet is by design a military-grade cyberweapon – a computer “worm” built by an advanced cyberweapons state. It was designed to seek out and destroy Iran's nuclear-fuel refining centrifuges, and it wrecked at least 1,000 of them. But its implications go much further.
Hackers, cybercriminals, or rogue nations can now download Stuxnet off the Internet and reverse engineer it – using its tricks as a digital template for crafting malicious software attacks that wreck industrial infrastructure, cybersecurity experts say.
Inspired by Stuxnet's success, hackers are now known to be tinkering with Stuxnet code, say experts interviewed for this story. Iran also has Stuxnet now – as do other aspiring cyberweapons nations. Some experts call it a “Pandora's box” now loose on the Internet.
A year ago, US officials and cybersecurity experts dubbed Stuxnet a “game changer” and a “wake-up call.” Yet there is scant evidence today that the warning shot has been heeded – or that power plants, refineries, water treatment or chemical facilities in the US are leaping to bolster their defenses against a “son of Stuxnet” copycat attack, these experts say. Nor are the manufacturers of the software and hardware used in industrial control systems doing enough to make their systems less vulnerable, the experts say.
“Probably the best thing Stuxnet did was to raise awareness among senior executives at large companies and industrial control system vendors,” says Robert Huber, co-founder of Critical Intelligence, an Idaho Falls-based industrial control systems security firm. “But that awareness has not translated to a shift in dollars spent on security by control system software vendors or [electric] utilities. There’ve been no significant changes in how they operate.”
Among computer security experts in critical infrastructure industries in 14 countries, two-fifths reported they had found Stuxnet on their systems, according to a survey this spring by the Center for Strategic and International Studies (CSIS) and McAfee. Among those, nearly half in the electric industry – which had the highest occurrence of Stuxnet – reported having to take action against Stuxnet.
Despite this high penetration, those critical infrastructure companies did little to respond by adding security technology to detect and stop similar threats in the future. The discovery of Stuxnet on their systems “did not seem to galvanize companies to action,” the survey said. Fewer than 20 percent of US critical infrastructure companies even bothered conducting cybersecurity audits.