Unlearned lessons from Stuxnet

July 24, 2025
Critical infrastructures continue to be susceptible to Stuxnet-type attacks, but witnesses are only addressing network-security issues

A question was asked at the July 22, 2025, U.S. House Committee on Homeland Security hearing, “Fully Operational Stuxnet 15 Years Later & the Evolution of Cyber Threats to Critical Infrastructure”, about what was learned from the Stuxnet attack. The opposite question was not asked – what still hasn’t been learned?

Stuxnet was not an attack on the networks. Rather, Stuxnet was a stealth attack that damaged physical infrastructures (centrifuges) by manipulating physics. Stuxnet used networks as a conduit to get the “warhead” to the controllers to change control system logic and provide spoofed process signals to damage the centrifuges. Yet the hearing in the U.S. House focused on network security, information sharing of network security issues, and network cybersecurity policies. I found it surprising that Ralph Langner’s detailed analysis of Stuxnet, “To Kill a Centrifuge”, was not mentioned.

Stuxnet demonstrated that:

  • IT, engineering and physical security can work together, as it took all three to make the Stuxnet attacks successful. Yet this coordination has rarely happened in defending critical infrastructures.
  • Sophisticated cyberattacks could look like equipment malfunctions. Thus, control system incidents may not be identified as cyber-related. This often precludes cyber defenders from being involved in the response and investigation, because the incidents were not identified as cyber-related.
  • You don’t need zero days or advanced persistent threats to damage control systems or physical processes. 
  • Equipment design features can be just as dangerous as cyber vulnerabilities. The design features that made Stuxnet successful still exist 15 years later.
  • The Stuxnet attack scenario can be used to compromise any of the control system suppliers. This was not a Siemens problem, nor was it unique to centrifuges.
  • There were two distinct Stuxnet attacks. One of the attacks changed the centrifuge rotation speeds to damage the centrifuge rotors. The other attack used compromised process sensor input to compromise the controllers to over-pressure the centrifuge tubes. Yet process sensor cybersecurity continues to be ignored by cyber defenders. A man-in-the-middle attack to replay data to mislead the operators was used in both attack scenarios. Monitoring process sensors at the physics layer would have detected the compromised sensor data being provided to the controllers and the operator displays. However, monitoring network sensors would not have provided information about the attack or the status of the equipment.
  • Stuxnet compromised cyber weaknesses in control system field devices (process sensors and actuators). Yet the witnesses focused only on network-related issues and technologies, including network sensors (not process sensors) and multi-factor authentication, even though control system field devices don’t have the capabilities to incorporate these cybersecurity technologies. Moreover, CISA/DHS/DOE still have not issued guidance or alerts on the lack of cybersecurity of control system field devices.

Summary

Critical infrastructures continue to be susceptible to Stuxnet-type attacks, yet the witnesses at the recent U.S. House hearing only addressed network-security issues. In fact, it can be said that we have regressed over the past 15 years by making control system (OT) cybersecurity just about the networks.

About the Author

Joe Weiss | Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]