
Stuxnet Worm Could Devastate Critical Systems, Experts Say

Chloe Albanesius, Executive Editor, News


Security experts issued a warning Wednesday about the Stuxnet virus, cautioning that the sophisticated bug could put the nation's critical infrastructure at risk.

"The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors," Sean P. McGurk, acting director of the Homeland Security Department's cybersecurity center, told the Senate Homeland Security Committee.

DHS has analyzed Stuxnet and found that it can "gain access to, steal detailed proprietary information from, and manipulate the systems that operate mission-critical processes within the nation's infrastructure," McGurk said.

Stuxnet is highly complex and contains over 4,000 functions – "comparable to the amount of code in some commercial software applications," he said.

The Stuxnet worm first emerged over the summer and appeared to target Iranian nuclear reactors. By September, Stuxnet had infected at least 30,000 IP addresses in Iran, and was also uncovered in India, Indonesia, and Pakistan.

What is Stuxnet? It is a Windows-specific computer threat that spies on and reprograms industrial control systems, said Dean Turner, director of Symantec's global intelligence network, who also testified before the committee. Stuxnet "is also the first to include a programmable logic controller (PLC) rootkit and the first to target critical industrial infrastructure," he said.

"What makes Stuxnet unique is that it uses a variety of previously seen individual cyber attack techniques, tactics, and procedures, automates them, and hides its presence so that the operator and the system have no reason to suspect that any malicious activity is occurring," according to McGurk.

Turner said that Stuxnet is "one of the most complex threats that we have analyzed to date at Symantec" and should serve as a "wake-up call to critical infrastructure systems around the world."

Turner confirmed that the majority of infected computers appear to be in Iran, but cautioned that "speculation pointing to Iran as the likely target is just that–speculation." The large number of attacks there "may merely be a consequence of other factors," he said.

At this point, the Stuxnet perpetrators are unknown, but whoever did it had good knowledge of incident command systems, particularly those they targeted. One possible bright spot is the fact that Stuxnet is so complex, it cannot be executed by any run-of-the-mill hacker.

"Stuxnet is of such great complexity—requiring significant resources to develop—that a select few attackers would be capable of producing a similar threat, to such an extent that we would not expect masses of threats of similar sophistication to suddenly appear," Turner said. "However, Stuxnet has highlighted that direct-attacks to control critical infrastructure are possible and not necessarily spy novel fictions."

The Homeland Security Department, meanwhile, "is concerned that attackers could use the publicly available information about the code to develop variants targeted at broader installations of programmable equipment in control systems," McGurk said.

Going forward, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) "will continue to work with the industrial control systems community to investigate these and other threats through malicious code and digital media analysis, on-site incident response activities, and information sharing and partnerships," he said.

How do you fight Stuxnet? Turner urged network owners to: deploy an anti-malware solution; watch out for vendor security notifications and alerts, and apply patches; ensure that users are updated via security education and awareness programs; and be aware of their assets.

Committee chairman Joe Lieberman of Connecticut and ranking member Susan Collins of Maine said incidents like the Stuxnet worm highlight the need for cyber-security reform. The two senators have penned a cyber-security measure, the Protecting Cyberspace as a National Asset Act of 2010. It was approved by the committee, but saw no further action. Lieberman said he would make it a "top committee priority" next year.

"Stuxnet really takes the reality of the cyber threat to a new level and should awaken the skeptics," Lieberman said in a statement. "It is really chilling, in terms of its effect. I would compare it to a guided missile in conventional warfare… But the reality is that the current, porous state of our nation's infrastructure means that it wouldn't take malware as robust and sophisticated as Stuxnet to cripple many of our critical systems. We want to make sure we put proper security in place before a major attack."
