House hearing will use Stuxnet to search for novel ways to confront OT cyberthreats

Congress is set to revisit Stuxnet — the malware that wreaked havoc on Iran’s nuclear program 15 years ago  — next week in the hopes that the pioneering attack can guide today’s critical infrastructure policy debate, CyberScoop has learned.

The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing July 22 to examine the operation that, according to independent reports, was carried out by the U.S. and Israeli governments and targeted Iran’s nuclear enrichment facilities in Natanz.

Witnesses listed for the hearing are Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition; Kim Zetter, cybersecurity journalist and author of “Countdown to Zero Day”; Dragos CEO Robert Lee; and Nate Gleason, Lawrence Livermore National Laboratory program leader, according to a copy of the notice.

Stuxnet malware included a rootkit for programmable logic controllers and was built specifically to target industrial systems. Deployed at the Natanz facility before 2010, it was engineered to covertly manipulate the speed of the rotors used to spin nuclear centrifuges, causing them to accelerate and slow unpredictably. The Institute for Science and International Security estimated in 2010 that the worm led to the damage and removal of more than 1,000 centrifuges, or approximately 10% of Iran’s total enrichment capacity at the time.

But the subcommittee led by Rep. Andrew Garbarino, R-N.Y., is interested in more than a history lesson.

“Stuxnet signaled a new age in the targeting of operational technology, an attack vector that has increased in complexity over the past 15 years,” Garbarino said in a statement to CyberScoop. “This moment showed how malware can be used to target and potentially cripple critical infrastructure operations, which has raised the stakes for critical infrastructure resilience for sectors across the globe.” 

Stuxnet also kicked off an era where many countries — and the United States in particular — have seen its domestic critical infrastructure come under threat from criminal and nation-state hacking groups.

“Today, bad actors will not hesitate to use malware to gain a foothold in the services Americans rely on every day and wreak havoc on our way of life,” Garbarino said. “Given increasing threats to critical infrastructure from actors such as Volt Typhoon, it is important to examine the legacy of Stuxnet – –the world’s first cyber weapon.”

In the 15 years since Stuxnet, U.S. critical infrastructure has itself been pilloried by cybercriminals, ransomware groups and nation-states alike. Policymakers are revisiting Stuxnet in the hopes that it can help them learn to better defend their own domestic industries.

A committee aide told CyberScoop that Stuxnet “is part of the story of OT cybersecurity.”

“It marked a pivotal moment in critical infrastructure resilience and the way we think about both offensive and defensive cyber operations,” the aide said. “Now that we are at the 15-year mark since the discovery of Stuxnet, it is timely to review how the cyber threat landscape has evolved to ensure our OT is resilient, especially as DHS warns about heightened threats from Iran against critical infrastructure.”

The hearing also comes weeks after the U.S dropped a total of 12 “massive ordnance penetrator” bombs on several Iranian nuclear facilities, including Natanz, during Operation Midnight Hammer.

The aide added that the lessons could be valuable to legislators with Congress set to tackle a pair of important cybersecurity laws that are set to expire this year.

“We still see gaps in understanding about the risks [in OT] – something we are striving to address through the reauthorizations of CISA 2015 and the State and Local Cybersecurity Grant Program,” the aide said.

Bolton brings a wealth of cybersecurity experience in the federal government, Congress and the private sector. She has worked at Google and the Cyberspace Solarium Commission, where she helped shepherd a broad slate of cybersecurity legislation through Congress.

Zetter’s book is widely considered the most comprehensive and definitive look at how U.S. and Israeli officials built and then covertly deployed the malware in an effort to damage and slow down Iran’s nuclear program.

Lee, a former NSA and Air Force cyber official, now leads one of the most well-known cybersecurity firms, specifically geared toward operational technology and critical infrastructure.