The Stuxnet worm, a complicated piece of malware apparently engineered to disrupt Iranian uranium enrichment, could be modified to attack more industries, according to experts speaking to the Senate Homeland Security and Governmental Affairs Committee.

The widespread interconnection of corporate networks and use of SCADA systems means that industrial infrastructure is increasingly vulnerable to software attack. Such control systems are used in virtually every industry, including food production, vehicle assembly and chemical manufacturing, and are commonly exposed to insecure networks. This leaves them open to tampering, as with Stuxnet, as well as to intellectual property theft.

The Stuxnet worm was both complex, using a range of techniques to infect machines and spread through networks, and carefully targeted, with a payload specifically designed to attack Siemens SCADA software. Together, these properties make it uniquely dangerous. Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the committee that the "implications of Stuxnet are beyond any threat we have seen in the past."

The majority of infections were found in Iran, which has led the Iranian government to describe the attacks as an "electronic war [...] against Iran." The authors of the worm are still unknown, though the complexity and careful design point to a well-resourced and sophisticated attacker. Though the committee was warned that Stuxnet-like attacks could target many industries, it was also told that the malware's complexity means such attacks may nonetheless remain rare, too difficult for most would-be hackers to pull off.

The experts said that industry and government alike must do more to protect critical infrastructure from attack. Michael Assante, head of the newly created, not-for-profit National Board of Information Security Examiners, told the Senators that control systems should be isolated from other networks to make them harder to penetrate. "We can no longer ignore known system weaknesses and simply accept current system limitations," he said. "We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address" computer security challenges.

Senator Joe Lieberman, the panel's chairman, said that computer security legislation would be a top priority once lawmakers return to work in January.