'One of a kind' Stuxnet worm remains a serious mystery

Threat is real, but its origin and target are still unknown, Senate panel told

Industry and government security experts testifying Wednesday called the Stuxnet worm a wake-up call for critical infrastructure security because of its ability to manipulate control systems for physical industrial processes.

“Stuxnet is one of a kind,” said Sean McGurk, acting director of the Homeland Security Department’s National Cybersecurity and Communications Integration Center, which did some of the early analysis of the malicious code. “It is a game changer.” He spoke at a hearing before the Senate Homeland Security and Governmental Affairs Committee.

In the past, automated systems that control physical infrastructure or industrial processes have been breached by nontargeted threats that attack the information technology systems with which they are connected, said Michael J. Assante, CEO of the National Board of Information Security Examiners, a nonprofit certification group. But Stuxnet has taken the threat to a new level because it specifically targets control systems and has the ability to reprogram logical controllers to change or interrupt physical processes.

These changes could be subtle, resulting in minor changes to a finished product, or they could destroy a system. The one bright spot in Stuxnet is that it is so sophisticated it is not likely to be a common threat.

“It is an incredibly large and complex threat,” said Dean Turner, director of Symantec’s Global Intelligence Network, which has studied the worm. “Only a select few groups are capable of creating such an attack.”

But its threat is real, and Symantec has identified 44,000 unique Stuxnet infections worldwide, 60 percent of them in Iran, where it is believed the infection started with a USB drive containing the code.


Related coverage:

Stuxnet reveals vulnerabilities in industrial controls


Stuxnet was discovered in June, and DHS received its first sample of the code from the German CERT, which obtained it from a German manufacturer of control equipment that appears to be targeted by the worm.

“The device is ubiquitous,” McGurk said of the equipment. It is used around the world in agriculture, energy generation and distribution, water treatment and manufacturing.

Despite the analysis of the Stuxnet code, much still remains unknown about it, particularly who created it and who its target is. Because it is focused in Iran and seems to target a specific type of equipment used in that country’s nuclear enrichment plants, there has been speculation that Iran’s nuclear program was the target and that it was created by another country, possibly Israel or the United States.

But neither McGurk nor Turner would speculate about the worm’s target or its origin.

“Nothing in the code points to a specific point of origin,” McGurk said. It is assumed that the authors were well financed, but that does not necessarily mean it was a government project, he said. Organized cybercriminals also could have access to the money and resources needed to create the worm.

As for its target, “it would require an incredible amount of knowledge” to identify it, McGurk said.

Turner said the speculation about the authors, based on the apparent target, is just that – only speculation.

The hearing was called by committee chairman Sen. Joseph Lieberman (I-Conn.) and ranking Republican Sen. Susan Collins of Maine, who have co-sponsored a comprehensive cybersecurity bill now pending in the Senate. Industry representatives testifying Wednesday support passage of the bill as part of an effort to create a more unified, risk-based approach to IT security across both the public and private sectors. The bill would give DHS’ National Center for Cybersecurity and Communications the lead in coordinating efforts between government and industry.

The Protecting Cyberspace as a National Asset Act, S. 3480, was passed out of the committee in June but the Senate has not taken action on it. The sitting 111th Congress has time to consider the bill during the short time remaining before the introduction of the 112th Congress, which Collins urged it to do.

“I personally think it is an ideal issue for the lame-duck Congress to take up,” she said.

Lieberman expressed little hope that the bill would be passed by this Congress. “It’s unfortunate that the clock will run out on us before we have a chance to complete negotiations with other committees and with the administration, who I regret to say did not engage as early in the process of developing this legislation as was necessary,” he said.

Assante summed up a number of steps that industry believes are necessary to close the security gap in the physical critical infrastructure:

  • Remove and remediate weaknesses, vulnerabilities and security designs in industrial control systems.
  • Design and integrate security and forensic tools into control environments, while investing in people.
  • Prioritize efforts based on consequences of directed and well-resourced attacks against high-risk segments of the critical infrastructure.
  • Organize a well-funded, multi-year research & development program to design a more resilient infrastructure.
  • Establish risk-based performance requirements that value learning and promote innovation. Legislation should include better defined federal authority to address specific and imminent cybersecurity threats to critical infrastructures with emergency measures.
  • Require critical infrastructure asset owners and control system vendors to report industrial control system specific security incidents, and the government must provide up-to-date information to asset owners and operators.
  • Invest in the workforce that defends and operates infrastructure systems.

Reader Comments

Thu, Nov 18, 2010 DHS Observer Washington, DC

A key reason for Stuxnet being a DHS wakeup call is failure by the past administration's senior Infrastructure Protection (IP) leadership to address the cyber threat competently. That top IP leadership was blinded by its own technophobia, so it narrowly focused on advocating for guards, gates, fences, heavy flower pots and other physical protection. Senators Lieberman and Collins are wise to propose this visionary bill, but they've included a major flaw. Far too much authority and ability to continue impeding the new Director of Cybersecurity and Communications would remain vested in the DHS Assistant Secretary for IP. We've learned through years of DHS failure in this area that properly addressing cybersecurity requires substantial technical competence and clear authority. The Senators would improve their bill greatly by requiring the Assistant Secretary of IP to transfer all related authority, liaison, personnel and funding to the new Director. The Director should not be hamstrung by dealing with an organization whose legacy is strikingly Luddite and, consequently, whose staff has never been qualified to deal with technology. Bottom line ==> amend the bill to put the Director fully in charge of cybersecurity (within DHS) and restrict the Assistant Secretary of IP to dealing solely with physical security matters.

Thu, Nov 18, 2010 Jeffrey A. Williams

I don't know why Stuxnet for some was a 'Wake-up call'. There has been dectors for Stuxnet-like worms around for several years now. The only explination I can determine why some were surprised by Stuxnet is that many eroniously believe that they were already protected, and/or had not done their pro-active penetration testing diligently and frequently.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above