Experts Say Critical Infrastructure Sectors Have Made Little Cybersecurity Progress

Iran may lack the cyber capabilities to build a sophisticated digital weapon like Stuxnet – unleashed 15 years ago to sabotage the same nuclear facility the United States bombed in June – but the United States still lacks basic safeguards to stop far less advanced retaliatory attacks, analysts warned Tuesday.
Almost certainly created by U.S. and Israeli intelligence agencies, Stuxnet was first discovered in 2010 after it targeted centrifuge control systems made by Siemens and disrupted uranium enrichment at Iran’s Natanz facility (see: How US Cyber Ops May Have Assisted the Midnight Hammer Strike).
Stuxnet and the recent airstrike each stirred fears of Iranian retaliation – and cybersecurity experts told a House subcommittee Tuesday that critical infrastructure remains dangerously underprotected.
In September 2024, the FBI and Department of Homeland Security launched a probe into a cyberattack on a Kansas water treatment facility, an incident that occurred roughly a year after Iranian hackers targeted Israeli-made controllers used in American facilities (see: Internet-Exposed OT Devices at Risk Amid Israel-Hamas War).
House Homeland Security Committee Chair Andrew Garbarino said during a Tuesday hearing dedicated to the legacy of Stuxnet that the cyber weapon “demonstrated the importance of securing operational technology.” Threat actors are targeting “key vulnerabilities in industrial control systems,” said the New York Republican.
Tatyana Bolton, executive director of the Operational Technology Cyber Coalition, told lawmakers that Iranian actors have specifically targeted critical infrastructure entities – focusing on the water and energy sectors – and have launched increasingly advanced attacks on OT networks. Tehran is drawing on the help of organized criminal enterprises, cyber mercenary groups and state-sponsored proxies, she said.
OT security is “significantly underfunded and underprioritized,” she warned.
“Even the Department of Defense has yet to complete the fundamental step of identifying and inventorying its OT assets,” she added. “Congress must urgently answer the question of who has accepted these critical risks.”
Analysts say Iran has expanded its cyber arsenal since the Stuxnet attack, developing disruptive and destructive malware, data-wipers and ransomware. Units linked to the Iranian Revolutionary Guard Corps like CyberAv3ngers are also known to have recently targeted industrial control systems in the U.S. and Israel, focusing on programmable logic controllers (see: Beware the CyberAv3ngers).
Rob Lee, CEO and co-founder of Dragos, recommended Congress focus on improving public-private partnerships, saying that “the effectiveness of these arrangements is inconsistent.”
“Unfortunately, Stuxnet did not remain unique for long in its destructive capabilities,” Lee told lawmakers. “I sincerely hope that we do not learn to normalize and accept this as we have sadly collectively normalized and accepted increasing attacks on civilian OT infrastructure.”
Panelists urged Congress to treat critical infrastructure security as a matter of national security, prioritizing vulnerable OT systems that have faced an onslaught of attacks in recent months. Bolton also recommended the committee reauthorize the Cybersecurity and Information Sharing Act of 2015, which she described as “crucial to information sharing and strengthening U.S. collective defense.” The law faces a looming September deadline and potential setbacks in making its way through Congress before expiring, despite broad bipartisan backing and support from the private sector (see: Key Cyber Law’s Lapse Could Mute Threat Sharing Nationwide).