The Stuxnet worm was a "game-changer," and the country must develop better approaches to address today's cyber-threats.
Those were two of the sentiments that came out of a hearing today by the U.S. Senate committee on Homeland Security and Government Affairs. First detected in June and publicized in July, Stuxnet is the first threat known to target systems used to control and monitor industrial processes.
Sean McGurk, the acting director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center, called Stuxnet a "game-changer," noting that its underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors.
"We have not seen this coordinated effort of information technology vulnerabilities, industrial control exploitations completely wrapped up in one unique package," he said.
Since the worm was first publicized, researchers have been pulling back the covers on the malware, piece by piece. Just recently, Symantec reported evidence that Stuxnet changes the behavior of frequency converter drives that control motor speed.
Many of the Stuxnet infections have occurred in Iran, leading many to suspect that the country's nuclear power plant in Bushehr was the target. But all that is just speculation, Dean Turner, director of the global intelligence network for Symantec Security Response, told the committee.
"The intended target of Stuxnet is not known," he said. "We know less about who could have written Stuxnet than the target itself. What we do know is that whoever was behind it has good knowledge of ICS [industrial control systems], particularly those systems that they targeted."
In a survey released last month, Symantec found more than 50 percent of the critical infrastructure companies polled experienced what they felt was a politically motivated cyber attack. Many industrial control systems today need to be modernized to allow deployment of up-to-date anti-malware technologies, Turner said, and patches need to be applied as soon as possible. Organizations also need to know their assets, identify their perimeter security operations, and maintain a high level of situational awareness so they can detect and stop Stuxnet-like threats, he said.
Mark Assante, President and Chief Executive Officer of the National Board of Information Security Examiners, told the committee it is necessary to establish new regulations in the form of risk-based performance requirements that emphasize value-learning and innovation, while discouraging the creation of a "predictable and static defense."
"Unfortunately, the NERC [North American Electric Reliability Corporation] CIP [Critical Infrastructure Protection] standards have become a glass ceiling for many utility security programs, which prevents the emergence of the very type of security programs we need to deal with Stuxnet-like attacks," he said.
Critical infrastructure asset owners and control system vendors should be required to report ICS-specific security incidents, and the U.S. government must provide up-to-date information on attacker activity and techniques, Assante added.
"My greatest fear is that we're running out of time to learn these important lessons," he said. "Ultimately we know that our conventional approach to more common security threats will be necessary but woefully insufficient to protect us from threats like the Stuxnet worm."