In a Senate committee hearing, cyber-security and critical infrastructure experts discussed the implications of the Stuxnet worm on the country's industrial plants.
The Stuxnet worm was a "game-changer," and the country must
develop better approaches to address today's cyber-threats.
Those were two of the sentiments that came out of a hearing today by the
U.S. Senate Committee on Homeland Security and Governmental Affairs. First
detected in June and publicized in July, Stuxnet is the first threat
known to target systems used to control and monitor industrial processes.
Sean McGurk, the acting director of the Department of Homeland Security's
National Cybersecurity and Communications
Stuxnet a "game-changer,"
noting that its underlying code could
be adapted to target a broader range of control systems in any number of
critical infrastructure sectors.
"We have not seen this coordinated effort of information technology
vulnerabilities, industrial control exploitations completely wrapped up in one
unique package," he said.
Since the worm was first publicized, researchers have been pulling back the
covers on the malware, piece by piece. Just recently, Symantec
that Stuxnet changes the behavior of frequency converter
drives that control motor speed.
Many of the Stuxnet infections have occurred in Iran,
leading many to suspect the country's nuclear power plant in Bushehr. But all
that is just speculation, Dean Turner, director of the global intelligence
network for Symantec Security Response, told the committee.
"The intended target of Stuxnet is not known," he said. "We
know less about who could have written Stuxnet than the target itself. What we
do know is that whoever was behind it has good knowledge of ICS [industrial
control systems], particularly those systems that they targeted."
In a survey released last month, Symantec
than 50 percent of the critical infrastructure companies polled
experienced what they felt was a politically motivated cyber attack. Many
industrial control systems today need to be modernized to allow deployment of
up-to-date anti-malware technologies, Turner said, and patches need to be
applied as soon as possible. Organizations also need to know their assets,
identify their perimeter security operations, and maintain a high level of
situational awareness so they can detect and stop Stuxnet-like threats, he
Mark Assante, President and Chief Executive Officer of the National Board of
Information Security Examiners, told the committee it is necessary to establish
new regulations in the form of risk-based performance requirements that
emphasize value-learning and innovation, while discouraging the creation of a "predictable
and static defense."
"Unfortunately, the NERC [North American Electric Reliability
Corporation] CIP [Critical Infrastructure Protection] standards have become a
glass ceiling for many utility security programs, which prevents the emergence
of the very type of security programs we need to deal with Stuxnet-like
attacks," he said.
Critical infrastructure asset owners and control system vendors should
be required to report ICS-specific security incidents, and the U.S.
government must provide up-to-date information on attacker activity and
techniques, Assante added.
"My greatest fear is that we're running out of time to
learn these important lessons," he said. "Ultimately we know that our
conventional approach to more common security threats will be necessary but
woefully insufficient to protect us from threats like the Stuxnet worm."