Fully Operational Stuxnet 15 Years Later & the Evolution of Cyber Threats to Critical Infrastructure
Cybersecurity and Infrastructure Protection
2025-07-22
Source: Congress.gov
Transcript
Committee on Homeland Security Subcommittee on Cybersecurity Infrastructure Protection will come to order. Without objection, the chair may declare the committee in recess at any point. The purpose of this hearing is to examine the evolution of cybersecurity threats to U.S. critical infrastructure following discovery of the Stuxnet malware 15 years ago. We will highlight the importance of securing operational technology, or OT, to bolster critical infrastructure resilience. I now recognize myself for an opening statement. Fifteen years ago, the world learned of Stuxnet, a computer worm that forever altered the cyber threat landscape. Regarded as the world's first digital weapon, it was designed to target industrial control systems. It was used against Iran's nuclear program, reportedly destroying a thousand centrifuges at the Natanz Enrichment Plant. Malware or malicious software has existed since at least the 1970s; however, Stuxnet was different from its predecessors. The discovery of it demonstrated both the physical impact of malware and raised important questions about cybersecurity defense and offense. These are issues we continue to face today. It revealed the significant impact that offensive cyber tools can have on critical infrastructure. It also demonstrated importance of securing operational technology by exploiting key vulnerabilities in industrial control systems. It proved that cybersecurity is not only an IT issue. Cybersecurity threats can affect critical infrastructure we depend on daily, from water treatment to energy facilities. The cybersecurity threat landscape continues to expand, and we need to make sure our cyber professionals are prepared to defend both IT and OT. Doing so will strengthen the public and private sector's ability to rapidly respond to threats. Since discovering Stuxnet 15 years ago, cybersecurity threats to critical infrastructure have drastically evolved and spread beyond just malware.
We now see various cyber capabilities being used to hack critical infrastructure, including phishing, social engineering, denial of service attacks, and more.
While cyber attack vectors have grown and matured, malware is still of great concern. Malware comes in many forms, such as key loggers, spyware, viruses, and ransomware, with ransomware comprising one-third of all cyber attacks in 2024. The interconnected nature of our networks, devices, and infrastructure means that critical infrastructure owners and operators now experience far more attacks than when Stuxnet was unleashed, and zero-day vulnerabilities are far from being eliminated. Strengthening domestic cybersecurity resilience remains a key priority for this committee. Considering the sophisticated cybersecurity threats we now face, we are once again reminded of the importance of reauthorizing two key authorities ahead of their expiration this year: the Cybersecurity Information Sharing Act, and the State and Local Cybersecurity Grant Program. Reauthorizing CISA 2015 will ensure we keep encouraging rapid and trusted information sharing among public and private sector entities. And extending the State and Local Cybersecurity Grant Program will make sure that states and localities have reliable funding to strengthen their cybersecurity posture. It is also worth examining the state of the Iranian cyber threat and potential impact Stuxnet had on Iran's cybersecurity posture. According to Nozomi Networks Labs, cyberattacks from Iranian threat actors surged by 133 percent in May and June of 2025. An active Department of Homeland Security National Terrorism Advisory System notice also emphasizes the need to remain on high alert to Iranian cybersecurity threats to U.S. critical infrastructure. Iran has embraced the targeting of critical infrastructure. The Islamic Revolutionary Guards Corps affiliated actors have recently targeted OT, such as U.S. industrial control systems, in key sectors such as water and healthcare. I look forward to examining the current threats facing U.S. critical infrastructure and enduring significance of Stuxnet with our panel of expert witnesses today. Today's witnesses represent a range of perspectives, and I thank you all for contributing to our discussion about this pivotal moment in history of cybersecurity.
Mr. Thank you, Chairman. And, Chairman, that was an eloquent, impactful, artful statement, but you buried the lead. Our chairman of the subcommittee has been selected by his colleagues to be the chairman of the full committee with the resignation of Chairman Green, effective earlier this week. So congratulations. I'm excited for what that means for the full committee. You and I have worked quite well over the last three years on this committee, especially to take on our cyber challenges, and to have somebody at the full committee with your cyber knowledge and expertise as our cyber threats are only escalating and AI has made that even more challenging and the threat of quantum computing and what that means for cryptology, you're the right person to help lead the committee to do that. So looking forward to working with you.