Stuxnet, the first known weaponized software designed to destroy a specific industrial process, could soon be modified to target an array of industrial systems in the US and abroad, cyber experts told US senators Wednesday.
The Stuxnet malware, discovered this summer, was apparently designed to strike one target – Iran's nuclear-fuel centrifuge facilities, researchers now say. But Stuxnet's "digital warhead," they caution, could be copied and altered by others to wreak havoc on a much grander scale.
Variants of Stuxnet could target a host of critical infrastructure, from the power grid and water supplies to transportation systems, four cybersecurity experts told the Senate Committee on Homeland Security and Governmental Affairs.
"The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors," said Sean McGurk, acting director of the National Cyber-security and Communications Integration Center at the US Department of Homeland Security.
Stuxnet infiltrated and targeted industrial control system software that is widely used in US infrastructure and industry, meaning the nation is vulnerable to future Stuxnet-like attacks, he said. "While we do not know which process was the intended target [of Stuxnet], it is important to note that the combination of Windows operating software and Siemens hardware can be used in control systems across critical infrastructure sectors – from automobile assembly lines to mixing baby formula to processing chemicals," said Mr. McGurk.
As of last week, 44,000 computers worldwide were still infected with the Stuxnet worm – including 1,600 in the US, said Dean Turner, head of global intelligence for Symantec Corp., the computer security firm that detailed Stuxnet's inner workings. Fifty of those US infections had worked their way from Windows operating systems into industrial control systems. It's not publicly known who created Stuxnet.
"Our level of preparedness ... in the private sector is better than it ever has been, but still has a long way to go," said Mr. Turner. "It's a cliché, but we don't know what we don't know."
Perhaps the sharpest alarm was sounded by Michael Assante, president of the National Board of Information Security Examiners. He's seen the threat up close, having held key posts in industrial control system security research at the Idaho National Laboratory and then as chief security officer of the North American Electric Reliability Corp., which is charged with power grid reliability.
"Stuxnet is, at the very least, an important wake-up call for digitally enhanced and reliant countries – at its worst, a blueprint for future attackers," he said. It is a "good example of a cyberthreat thought to be hypothetically possible, but not considered probable by many." Its sophistication "should disturb security professionals, engineers, businessmen, and government leaders alike."
Citing his research at the national lab, Mr. Assante noted that his team there had explored a similar avenue earlier – alluding apparently to a 2007 test that used Internet-delivered commands to destroy a diesel generator – prompting black smoke and bolts flying off the machine. "I have participated in research that demonstrated this capability in a controlled environment to understand how it could be done," he said. "I believe that the analysis to date has indicated that Stuxnet may be such a weapon."
Concern about vulnerability of the power grid has led to warnings and new standards. Yet the grid remains vulnerable to a Stuxnet-style threat, Assante asserted. New government standards have become a "glass ceiling" for companies to perfunctorily meet, he said, but not to exceed.
The Department of Homeland Security (DHS) and a team at the national lab have reverse-engineered and decoded Stuxnet, McGurk said. But DHS is worried that attackers "could use publicly available information about the code" to develop variants targeted at broader installations of programmable equipment in control systems, he said.
That statement may well be a slap at Symantec, which published detailed reports on precisely how Stuxnet works. Bulletins from DHS, on the other hand, omitted key details, said several cybersecurity researchers interviewed by the Monitor.
Still, lack of information-sharing is preventing readiness to combat advanced cyberthreats like Stuxnet, said other witnesses at the hearing.
"A significant cause for concern is that much of the information about cybersecurity-related threats remains classified in the homeland security, defense, and intelligence communities, with restricted opportunity to share information with security researchers, technology providers, and affected private-sector asset owners," Assante said. Restricted use of newly gained knowledge about advanced cyberthreats, he added, means "our nation’s critical infrastructure is placed at significant risk."
The witnesses gave varying assessments about how prepared the private sector is to deal with a threat of Stuxnet's sophistication.
"The chemical sector understands this evolving threat," he said. "The ACC and its members have been working for years across the sector to prepare and share information about these issues.... We continue to comprehensively improve control system security."
Assante, sounding much less enthusiastic about industry preparedness, cited technology trends that make it easier for attackers to strike control systems.
"I believe we're extremely susceptible," he said. "In fact, I believe our susceptibility grows every day. If you just look at the very trends in the technology that we deploy, we're doing things that would allow an attacker more freedom of action within these environments.... Stuxnet is an important harbinger of things that may come if we do not use this opportunity to learn about this threat and apply it."