The Stuxnet worm that infiltrated nuclear facilities in Iran poses a threat to critical industries worldwide, from water and power plants to auto manufacturers, cybersecurity experts warned Wednesday.
Sean McGurk, the acting director of the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), described Stuxnet in testimony before a US Senate committee as a “game-changer.”
Stuxnet, which was detected in July, has “significantly changed the landscape of targeted cyberattacks,” McGurk told the Senate Committee on Homeland Security and Governmental Affairs.
“For us, to use a very overused term, it’s a game-changer,” he said.
Stuxnet targets computer control systems made by German industrial giant Siemens commonly used to manage water supplies, oil rigs, power plants and other facilities.
Most Stuxnet infections have been discovered in Iran, giving rise to speculation it was intended to sabotage nuclear facilities there, especially the Russian-built atomic power plant in the southern city of Bushehr.
Computer security firm Symantec said last week that Stuxnet may have been specifically designed to disrupt the motors that power gas centrifuges used to enrich uranium.
Dean Turner, director of Symantec’s Global Intelligence Network, told the Senate panel that while 60 percent of the Stuxnet infections detected were in Iran it should be seen as “a wake-up call to critical infrastructure systems around the world.”
“This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructures such as power plants, dams and chemical facilities,” Turner said.
Stuxnet was so complex that only a “select few attackers” could develop a similar threat but it highlights that “direct-attacks to control critical infrastructure are possible and not necessarily spy novel fictions,” he said.
“The real-world implications of Stuxnet are beyond any threat we have seen in the past,” Turner said.
The New York Times reported in September that Stuxnet code includes a reference to the Book of Esther, the Old Testament story in which the Jews pre-empt a Persian plot to destroy them, and is a possible clue of Israeli involvement.
McGurk, the US cybersecurity official, declined to speculate about Stuxnet’s origins or objectives but said US analysis “indicates that a specific process was likely targeted.”
“While we do not know which process was the intended target, it is important to note that the combination of Windows operating software and Siemens hardware can be used in control systems across critical infrastructure sectors — from automobile assembly lines to mixing baby formula to processing chemicals,” he said.
“The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors,” McGurk said.
“These systems are used to operate physical processes that produce the goods and services that we rely upon, such as electricity, drinking water, and manufacturing,” he said.
“Although each of the critical infrastructure industries, from energy though water treatment, is vastly different, they all have one thing in common: they are dependent on control systems to monitor, control, and safeguard their processes,” he said.
McGurk warned that “a successful cyber attack on a control system could potentially result in physical damage, loss of life, and cascading effects that could disrupt services.”