The Stuxnet worm that infiltrated Iran's nuclear facilities poses a threat to critical industries worldwide such as water, power and chemical plants, cybersecurity experts warned on Wednesday.
Sean McGurk, the acting director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC), described Stuxnet in testimony before a U.S. Senate committee as a "game-changer."
Stuxnet, which was detected in July, has "significantly changed the landscape of targeted cyberattacks," McGurk told the Senate Committee on Homeland Security and Governmental Affairs.
"For us, to use a very overused term, it's a game-changer," he said.
Stuxnet targets computer control systems made by German industrial giant Siemens commonly used to manage water supplies, oil rigs, power plants and other critical infrastructure.
Most Stuxnet infections have been discovered in Iran, giving rise to speculation it was intended to sabotage nuclear facilities there, especially the Russian-built atomic power plant in the southern city of Bushehr.
Computer security firm Symantec said last week that Stuxnet may have been specifically designed to disrupt the motors that power gas centrifuges used to enrich uranium.
Dean Turner, director of Symantec's Global Intelligence Network, told the Senate panel that while 60 percent of the Stuxnet infections detected were in Iran it should be seen as "a wake-up call to critical infrastructure systems around the world."
"This is the first publicly known threat to target industrial control systems and grants hackers vital control of critical infrastructures such as power plants, dams and chemical facilities," Turner said.
Stuxnet was so complex that only a "select few attackers" could develop a similar threat but it highlights that "direct-attacks to control critical infrastructure are possible and not necessarily spy novel fictions," he said.
"The real-world implications of Stuxnet are beyond any threat we have seen in the past," Turner warned.
The New York Times reported in September that Stuxnet code includes a reference to the Book of Esther, the Old Testament story in which the Jews pre-empt a Persian plot to destroy them, and is a possible clue of Israeli involvement.
McGurk, the U.S. cybersecurity official, declined to speculate about Stuxnet's origins or objectives but said US analysis "indicates that a specific process was likely targeted."
"While we do not know which process was the intended target, it is important to note that the combination of Windows operating software and Siemens hardware can be used in control systems across critical infrastructure sectors -- from automobile assembly lines to mixing baby formula to processing chemicals," he said.
"The concern for the future of Stuxnet is that the underlying code could be adapted to target a broader range of control systems in any number of critical infrastructure sectors," McGurk said.
"These systems are used to operate physical processes that produce the goods and services that we rely upon, such as electricity, drinking water, and manufacturing," he said.
"Although each of the critical infrastructure industries, from energy though water treatment, is vastly different, they all have one thing in common: they are dependent on control systems to monitor, control, and safeguard their processes," the U.S. cybersecurity official said.
McGurk warned that "a successful cyberattack on a control system could potentially result in physical damage, loss of life, and cascading effects that could disrupt services."
He explained that with Stuxnet, "I don't have to break into the front door and actually steal the formula or the intellectual property of what you're manufacturing.
"I can actually go the devices themselves, read the settings and reverse engineer the formula for whatever the process is that's being manufactured," McGurk said. "In addition, I can make modifications to the physical environment so that you would be unaware of those changes being made.
"In other words, this code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product, and indicate to the operator and your anti-virus software that everything is functioning as expected," he said.