
Fifteen years after the discovery of Stuxnet revealed the destructive potential of cyberattacks on industrial control systems, the U.S. is still woefully unprepared for a concerted cyberattack on its critical infrastructure. OT (operational technology) networks, which include those that run power grids, water treatment plants, and other critical infrastructure, are still insufficiently protected, cybersecurity experts said at a congressional hearing this week. And yet, even as the threats from state-backed hackers and sophisticated malware mount, federal policy and funding have lagged. Congress recognized the urgency of action, but hearings suggested that the nation is not ready for a large-scale, OT-targeted attack.
Kim Zetter, one of the witnesses at Tuesday’s hearing by the House Committee on Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, observed that one of the most significant impacts of Stuxnet was the awareness it brought to vulnerabilities in critical infrastructure that few had noticed before. The security community, largely focused before Stuxnet on IT networks, the systems used to run the business side of a company or industrial operations, had its eyes opened to a vast sector it had previously ignored: industrial control systems and the OT (operational technology) networks where they are deployed.
“Control systems consist not only of programmable logic controllers, but also SCADA systems and remote terminal units — devices that often sit in the field to operate and monitor equipment and processes that are distributed across large geographical distances, like electric substations,” Zetter wrote in her written testimony. “Stuxnet provided stark evidence that physical destruction of critical infrastructure – using nothing other than code – was not only possible but also likely. And once security researchers turned their sights on these systems, they found not only software security holes but also whole architecture problems that couldn’t be fixed with a patch. With so many of the systems directly connected to the internet, cybersecurity suddenly became inextricably linked to national security.”
After Stuxnet was discovered, experts expected to see a lot of copycat attacks against critical infrastructure.
Surprisingly, that did not happen. Zetter said that “it wasn’t until 2015 and 2016 that we saw the first Stuxnet-level attacks against critical infrastructure. These targeted Ukraine’s electric grid to cause blackouts for a few hours at the height of winter. The attackers were able to take 60 substations offline in 2015, leaving about a quarter of a million customers without electricity. The attack was limited in scope — presumably it was simply done to send a message to Ukraine about who was in control of its grid, not cause permanent disruption — but could have been much broader if the attackers had intended this.”
The attack the following year showed that potential, Zetter said. The malware used in that attack, known as Industroyer or Crash Override, caused only a brief outage in parts of Kyiv. “But the code was more advanced than the code used in 2015 because it had the potential to be automated so that once on a system, it could execute commands on its own, such as opening circuit breakers, overwriting software or adapting to whatever environment it found itself on, without the need for direct control by the attackers.”
She also highlighted that small critical infrastructure organizations are more vulnerable to attack because they tend to lack the funding to hire security staff and to replace outdated, insecure systems. “By contrast, large, well-resourced facilities tend to have redundant systems that make them more resilient to attack, so they can prevent disruption and downtime or limit their impact. But this is not always the case.”
Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition (OTCC), observed that since Stuxnet, the cyber landscape has undergone significant transformation. “The nature of the threats we face has evolved. While Stuxnet utilized physical USB drives, today’s cyber actors increasingly employ phishing, social engineering, and credential theft as primary vectors of attack. Furthermore, they are progressively striking more significant entities, as evidenced by the Volt Typhoon attack, which should prompt serious reflection on the priority given to and methods used for securing critical infrastructure. They stay on networks longer, sometimes going unnoticed for several years, putting our most sensitive networks at risk.”
She noted that adversaries have expanded their cyber operations. Iranian actors in particular have targeted critical infrastructure entities, focusing on the water and energy sectors, and have carried out defacements, data exfiltration, and ransomware attacks. They have also developed strong relationships with cyber criminal groups and increased their use of information operations. Other actors are targeting critical infrastructure to establish persistent access and pre-position capabilities for use during future geopolitical contingencies.
“Concurrently, the spectrum of threat actors has become increasingly sophisticated, now encompassing organized criminal enterprises, cyber mercenary groups, ransom for hire organizations, terrorist organizations, and state-sponsored proxies,” Bolton said. “Regrettably, the U.S. government has encountered considerable challenges in effectively keeping pace with this accelerating evolution of the cyber threat landscape.”
Noting that these challenges are not ‘insurmountable,’ Bolton said that the OT Cybersecurity Coalition has made several recommendations to prevent adversaries from infiltrating critical infrastructure and to protect national defense.
The U.S. government must prioritize operational technology cybersecurity and ensure that critical infrastructure operators are aware of the risks they face. While federal officials have acknowledged the threat, their response has not matched the scale or urgency required. Attacks like Volt Typhoon and Salt Typhoon show that it is not just IT at stake but also the systems that power hospitals, water facilities, and transportation networks. If compromised, these OT systems could shut down essential services. Congress must engage directly to help resolve this oversight.
The coalition has called on Congress to reauthorize the Cybersecurity Information Sharing Act before it expires on September 30. This law is vital to maintaining real-time threat intelligence across sectors. Without its legal protections, private-sector cybersecurity teams, especially those guarding infrastructure frequently targeted by foreign adversaries, would lose access to the data they rely on to strengthen defenses.
A critical barrier remains the lack of funding for OT cybersecurity. Most owners and operators lack the resources to hire experts, replace outdated systems, or implement the necessary safeguards. Programs like the State and Local Cybersecurity Grant Program must be renewed and expanded to support efforts such as replacing obsolete hardware, building secure architectures, and introducing basic controls like multifactor authentication, remote access protections, and network segmentation.
Bolton stressed the importance of building asset inventories. Organizations cannot defend what they don’t know exists. OTCC is working with the Department of Defense and CISA to ensure agencies catalog their OT systems as a first step toward securing them.
Supply chain risk is another growing concern. Many critical infrastructure operators expose OT systems to the internet or rely on contractors and third-party software without proper vetting. This lack of visibility introduces major vulnerabilities. Like IT security, OT security demands expert assessments to identify and address weaknesses.
To help drive long-term resilience, OTCC is developing a maturity model for Sector Risk Management Agencies. This framework will allow the Office of the National Cyber Director to grade each sector annually, offering tailored direction and clear pathways to improvement. These measures, including segmentation, multifactor authentication, and secure-by-design practices, form a clear roadmap to protect the operational backbone of U.S. infrastructure and ensure national security.
Bolton recognized that “the threat posed by Iran and other adversaries to our operational technology and critical infrastructure is indeed real and growing. With the implementation of the right policies, allocation of sufficient resources, and cultivation of robust partnerships, we can collectively build a more resilient and secure nation.”
Stuxnet was unique at the time in demonstrating that targeting ICS/OT with the expertise not just of software developers and cyber operators but also of engineers and plant operators could lead to physical disruption and destruction of critical infrastructure, Robert Lee, CEO and co-founder of industrial cybersecurity firm Dragos, noted in his testimony. “There were people around the world who already knew this was possible, and other adversarial countries already developing their expertise in these areas. But it is fair to say that many who did not know it before now understood that the critical part of critical infrastructure is OT. Unfortunately, STUXNET did not remain unique for long in its destructive capabilities.”
“Over the last fifteen years, we have seen a significant rise in the number of state and non-state actors that target ICS/OT,” Lee said. “At Dragos, Inc., we currently track over 25 such groups who have focused their cyber operations on the targeting of OT. Some of those groups continue to focus their efforts on learning about the structure of, and vulnerabilities in, our critical infrastructure. Those groups pose no significant immediate threat but may be developing the capacity and the knowledge needed to threaten critical infrastructure in the future.”
He added that other threat groups have “caused multiple real-world electric power grid outages, disruptions to water systems, and the theft of intellectual property in our defense industrial base and manufacturing communities. To date, we know of nine unique families of ICS malware that have been developed with espionage or disruption in mind. The worst of these is PIPEDREAM, which was the first-ever capability to be re-usable against a wide variety of industries ranging from the servo-motors on unmanned aerial vehicles to water pumps to combined cycle gas turbine control systems.”
Lee highlighted that Stuxnet was highly tailored and effective against only one specific target, whereas Pipedream was built to affect any environment that the adversarial country behind it chose to disrupt.
He identified several areas for investment but singled out a few as the most practical and impactful steps to address current threats and reduce risk to communities. These include recognizing the distinct differences between IT and OT systems, reinforcing cybersecurity fundamentals, building effective public-private partnerships, keeping federal guidance targeted and actions coordinated, allowing the private sector to lead on security technology, prioritizing supply chain security, and establishing a national OT/ICS incident response plan with clearly aligned authorities.
“In the 15 years that have passed since STUXNET shined a light on the threat facing OT/ICS, the threat has grown, but so has our ability to respond to it,” Lee said. “We have better technologies and trained personnel. We have an improved sense of what works, and what doesn’t work, in public-private threat information sharing, incident response, regulation, resourcing, and general cyber threat defense. We have a body of case studies to draw lessons from. We have real-world examples of the simple fact that defense is doable, even for smaller utilities and asset operators. That’s the good news.”
The bad news, Lee said, is that major gaps remain in the implementation of OT/ICS cyber defenses, and that despite improvements, federal guidance and regulations continue to be confusing, duplicative, or contradictory in many cases. “Federal OT/ICS incident response plans remain tangled. The determination and sophistication of our adversaries continues to grow, and the scale of adversary infiltration into critical infrastructure networks may be far greater than we realize.”
Lee put it plainly: “At this moment, we are not prepared for a large-scale attack on critical operational technology.”
“Today, we are dealing with highly capable adversaries who bring a wide spectrum of capabilities to bear, including network operations, supply chain compromise, insider access, and close-access operations,” Nate Gleason, leader of the cyber and infrastructure resilience program at the Lawrence Livermore National Laboratory, wrote in his testimony. “The current threat picture demands that we take a multi-layer approach to ensure the resilience of the functions that depend on our infrastructure.”
Detection and mitigation are only one part of defending critical infrastructure from nation-state cyber threats, Gleason said. At Lawrence Livermore National Laboratory, the challenge is addressed through the ‘Immune Infrastructure Framework,’ which defines the parameters of infrastructure resilience and maps both strengths and capability gaps. The framework underpins the Department of Energy’s approach to securing the energy sector, including the Cyber Resilience R&D Capabilities Catalog issued by the DOE CIO.
Recognizing that not all compromises can be prevented, the framework organizes defense into four layers, designed to frustrate adversaries’ objectives and ensure critical infrastructure can continue operating even under attack.
“Our work has been critical in identifying potential risks posed by adversaries who, with advanced knowledge of our infrastructure and the interdependencies that exist between different components, could target assets in combination to cause damage that could not be realized in a single attack against one asset,” according to Gleason. “LLNL’s high-performance computing modeling and simulation capabilities and advanced optimization tools, codified in the Octopus and Teragrine toolsets, move beyond traditional natural hazard-focused planning processes, which often only consider failures of single system elements and are not designed to identify cascading consequences from multiple simultaneous disruptions.”

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.