14 DAY TRIAL // The U.S. Department of Homeland Security fears that attackers might use public knowledge about Stuxnet to create modified versions of the industrial sabotage malware to target critical infrastructure in the country.
According to Wired, these concerns were expressed yesterday by Bobbie Stempfley, acting assistant secretary for the DHS Office of Cybersecurity and Communications, in a testimony to the House Subcommittee on Oversight and Investigations.
"The Department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems," the assistant secretary said.
"Copies of the Stuxnet code, in various different iterations, have been publicly available for some time now," he added.
Security researchers who analyzed Stuxnet previously stated that whoever looks at the worm's code can learn how to attack programmable logic controllers (PLCs), the building blocks of industrial installations.
However, most of the security holes and attack vectors used by Stuxnet have already been addressed. While analyzing the worm could theoretically help someone build a functional piece of malware that uses Stuxnet techniques and even borrows bits of its code, the end result would probably be so different that it wouldn't qualify as a variant.
It's true that the worm, widely regarded as the most sophisticated malware threat ever created, can be an inspiration for future SCADA attacks and security experts have acknowledged this from the start.
Ironically, the most commonly accepted theory about Stuxnet's origin is that it was created by the US and Israeli governments in order to set back Iran's nuclear program. The malware is believed to have destroyed thousands of centrifuges at the Natanz nuclear fuel enrichment plant.
"ICS-CERT [Industrial Control Systems Cyber Emergency Response Team] will continue to work with the industrial control systems community to investigate these and other threats through malicious code and digital media analysis, onsite incident response activities, and information sharing and partnerships," acting assistant secretary Stempfley concluded.