One year after the discovery of a sophisticated worm that was used to attack centrifuges in Iran's nuclear program, the U.S. Department of Homeland Security told Congress it fears the same attack could now be used against critical infrastructures in the U.S.

DHS "is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems. Copies of the Stuxnet code, in various different iterations, have been publicly available for some time now," Bobbie Stempfley, acting assistant secretary for the DHS Office of Cybersecurity and Communications, told the House Subcommittee on Oversight and Investigations (.pdf) on Tuesday.

The testimony comes in the wake of accusations that the U.S. was itself responsible, along with Israel, for developing and unleashing Stuxnet into the wild, thereby making it possible for the hackers, nation-state attackers and terrorists that DHS fears, to now repurpose the malware for use against critical infrastructure systems in the U.S.

Stuxnet, considered to be the first cyberweapon discovered in the wild, was found on a computer in Iran in June 2010 and was believed to have been launched in June 2009.

Private researchers who spent months digging through the code, discovered that the sophisticated malware was designed to target a specific industrial control system made by Siemens, and replace legitimate commands in the system with malicious ones. But Stuxnet wasn't out to destroy just any Siemens system - it sought out the specific system believed to be installed at Iran's nuclear enrichment plant at Natanz. Any system that didn't have the same configuration as the system Stuxnet targeted would go unharmed.

Although Stuxnet was designed to attack a specific system, researchers like Ralph Langner have pointed out that the malware could be easily tweaked to attack other industrial control systems around the world. According to Langner, an attacker would need "zero insider information and zero programming skills at the controller level in order to perform a Stuxnet-inspired attack" against other control systems.

Langner and others have vocally criticized DHS and ICS-CERT for failing to provide adequate information about Stuxnet in a timely manner. But in its testimony to Congress, DHS touted the efforts it made to analyze Stuxnet after its discovery and provide government and private entities with the information they needed to mitigate the affects of a Stuxnet infection.

"To date, ICS-CERT has briefed dozens of government and industry organizations and released multiple advisories and updates to the industrial control systems community describing steps for detecting an infection and mitigating the threat," DHS claimed in its testimony.

The testimony came just one day after the surprise news that one of the nation's top cybersecurity czars resigned abruptly and mysteriously from his job. Randy Vickers had been director of U.S.-CERT (Computer Emergency Readiness Team), a division of DHS that is responsible, in part, for coordinating the defense of federal networks and working with the private sector to mitigate cyberattacks against the nation's critical infrastructure. Vickers resigned July 22, effectively immediately, according to an e-mail that Stempfley reportedly sent to DHS staff. Vickers' Linked-in profile had already been changed to indicate his departed status from US-CERT by the time the news went public. DHS did not give any reason for Vickers' abrupt departure.

Photo courtesy Office of Presidency of the Republic of Iran

See also