#BHUSA: What has Changed in the Post-Stuxnet Era?

Stuxnet was a watershed moment in the history of cybersecurity and serves as a precedent for attacks that are happening now in 2022.

In a keynote session at the Black Hat USA 2022 security conference, investigative journalist Kim Zetter discussed in sobering detail how little security has changed over the last decade, and the enduring lessons learned from Stuxnet. In fact, according to Zetter, while some things have changed, the way cyber-criminal organizations work today isn't all that different from a decade ago.

"There's nothing substantially different today about how hackers run their criminal enterprises," Zetter said.

Looking specifically at Stuxnet, which was an attack originally designed to incapacitate Iran's nuclear ambitions, Zetter noted that when it was discovered, it shined a light on vulnerabilities in critical infrastructure. Prior to Stuxnet, much of IT security was focused on IT networks and didn't have a particular focus on operational networks used in industrial facilities.

"Stuxnet provided stark evidence that physical destruction of critical infrastructure, using nothing more than code, was possible," she said.

Zetter made the case that few things ever truly blindside the security industry and that, if you look hard enough, there are often warning signals or precedents. In her view, organizations have a habit of reacting to threats after they occur, rather than preparing for them.

Beyond raising awareness of the risks to industrial infrastructure and of cyber warfare, Stuxnet has had other impacts on cybersecurity. The first is a 'trickle down' effect of tools from nation states into the criminal underground. Stuxnet also helped to launch a cyber arms race among nations, as it demonstrated the viability of resolving geopolitical conflicts through cyber-attacks. In Zetter's view, Stuxnet ended up politicizing security research and defence. It was third-party researchers, not the victims, who initially deciphered what Stuxnet was all about. Of course, Stuxnet also heightened interest in and awareness of vulnerabilities in critical infrastructure and industrial control systems.

In the aftermath of Stuxnet, Zetter said there were questions about why more industrial systems weren't immediately targeted.

"The fact that there weren't more attacks against critical infrastructures is not because the systems are secure, it's mostly because attackers haven't been interested in disrupting or destroying them," she said. "This has changed in recent years, and we have begun to see greater interest in disruptive and destructive attacks against critical infrastructure."

She pointed to recent attacks by Russia against Ukraine, including the Industroyer2 malware, as evidence of mounting interest in destructive attacks against industrial control systems.

"Civilian infrastructure is very much on the agenda of attackers and will only become a greater target going forward," Zetter said.
