July 22, 2025 the US House Committee on Homeland Security held a hearing, “Fully Operational Stuxnet 15 Years Later & the Evolution of Cyber Threats to Critical Infrastructure”. Stuxnet was not an attack on the networks. Rather, Stuxnet was a stealth attack that damaged physical infrastructures by manipulating physics. Stuxnet used networks as a conduit to get the “warhead” to the controllers to change control system logic and provide spoofed process signals to damage the centrifuges. Yet the House hearing witnesses and questions focused on network security, information sharing of network security issues, and network cybersecurity policies. The control system issues were not addressed. As a result, critical infrastructures continue to be susceptible to Stuxnet-type attacks. This becomes even more problematic as Iran has cyberattacked at least 29 US critical infrastructure entities in power, water, food, healthcare, and ports. It is unclear if they have compromised the control system logic in those controllers. We have regressed over the past 15 years by making OT cybersecurity just about the networks.
Thu, Jul 24
What are the unlearned lessons from Stuxnet
2