Lawmakers, experts tell House subcommittee Stuxnet’s legacy shows U.S. operational technology remains vulnerable

5457720 · July 24, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

Witnesses at a House Homeland Security Subcommittee hearing said 15 years after Stuxnet was discovered, operational technology (OT) that runs water, energy and transport systems remains a prime target and that U.S. defenses lag behind evolving threats.

The House Homeland Security Subcommittee on Cybersecurity Infrastructure Protection heard testimony that the 15-year-old Stuxnet attack fundamentally changed the cyber threat picture by showing malware could cause physical destruction — and that U.S. operational technology remains at risk.

Kim Zetter, a cybersecurity journalist and adjunct professor at Georgetown University, told the committee Stuxnet “was a first of its kind attack, the first known case of malicious code designed to leap from the digital world to the physical realm to cause disruption and destruction.” Zetter warned the same techniques could be used against U.S. critical infrastructure, from power and water systems to trains and hospitals.

Why it matters: OT systems control the physical processes behind critical services, so a compromise can cause physical damage, service outages and, in the worst case, loss of life. Zetter and other witnesses told members that the vulnerabilities uncovered in control systems since Stuxnet often stem from architectural and software-design problems that cannot be fixed by a simple patch.

Experts said the threat has broadened beyond precision tools like Stuxnet to include ransomware, denial-of-service, phishing and supply-chain compromises. “We are not prepared for a major attack on our critical infrastructure,” Robert M. Lee, chief executive officer of Dragos and a lieutenant colonel in the Army National Guard, told the subcommittee. Lee said defenders track more than 25 state and nonstate actors that target OT and warned that homogeneity of industrial systems increases risk.

Members and witnesses pointed to concrete examples to underscore the danger. Zetter cited a CISA security alert issued this month about a decade-old flaw in a train braking protocol that could let an attacker in proximity impersonate braking devices; a replacement protocol is not expected until 2027. Witnesses also described finding surveillance cameras and other devices on OT networks that beaconed to overseas servers and could serve as backdoors into control systems.
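The beaconing the witnesses described is one of the few OT compromises a defender can catch without touching the control systems themselves: an OT segment has a small, fixed set of legitimate external destinations, so any other egress is suspect, and a device phoning home tends to do so on a fixed timer. The following is an added illustration, not code from the hearing or from any witness or vendor. It runs a simple check over constructed flow records (the subnet, the allowlisted vendor gateway, the thresholds and the flow lines are all assumptions for the example): it reports every OT-sourced connection to a non-allowlisted external host, and labels the periodic ones as beacons.

```python
"""Flag OT-segment devices that beacon to external servers.

Added example only; not code from the hearing. The OT subnet, the internal
ranges, the egress allowlist, the thresholds and the flow records below are
all assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed OT segment, the ranges treated as internal, and the one external
# host the segment is allowed to reach (e.g. a vendor support gateway).
OT_NET = ip_network("10.20.0.0/16")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
EGRESS_ALLOWLIST = [ip_network("203.0.113.10/32")]

# Beacon heuristic (assumed thresholds): at least MIN_CONNECTIONS to the same
# destination, with inter-arrival times whose spread is small relative to
# their mean (a fixed timer yields near-identical gaps).
MIN_CONNECTIONS = 4
MAX_JITTER_RATIO = 0.2

# Constructed flow records (not real traffic): "timestamp src dst dport proto bytes".
# 10.20.5.41 plays a camera calling out every five minutes; 10.20.7.3 talks to
# the allowlisted gateway; 10.20.9.12 makes two irregular external connections.
SAMPLE_FLOWS = """\
2025-07-01T00:00:00 10.20.5.41 198.51.100.7 443 tcp 612
2025-07-01T00:00:02 10.20.5.41 10.20.1.10 502 tcp 120
2025-07-01T00:05:00 10.20.5.41 198.51.100.7 443 tcp 598
2025-07-01T00:07:15 10.20.7.3 203.0.113.10 443 tcp 4410
2025-07-01T00:10:01 10.20.5.41 198.51.100.7 443 tcp 604
2025-07-01T00:12:40 10.20.9.12 198.51.100.9 8080 tcp 233
2025-07-01T00:14:59 10.20.5.41 198.51.100.7 443 tcp 611
2025-07-01T00:20:00 10.20.5.41 198.51.100.7 443 tcp 607
2025-07-01T00:31:05 10.20.9.12 198.51.100.9 8080 tcp 980
2025-07-01T00:40:00 10.20.7.3 203.0.113.10 443 tcp 5120
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, nbytes = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": ip_address(src),
                      "dst": ip_address(dst), "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def is_external(ip):
    """External means outside every internal range (avoids ipaddress.is_private,
    which treats documentation ranges like 198.51.100.0/24 as private)."""
    return not any(ip in net for net in INTERNAL_NETS)


def is_allowlisted(ip):
    return any(ip in net for net in EGRESS_ALLOWLIST)


def find_egress(flows):
    """Group OT-sourced flows to non-allowlisted external hosts by (src, dst, dport)."""
    groups = defaultdict(list)
    for f in flows:
        if f["src"] in OT_NET and is_external(f["dst"]) and not is_allowlisted(f["dst"]):
            groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    return groups


def beacon_score(timestamps):
    """Return (mean_gap_seconds, jitter_ratio), or None if there are too few connections."""
    if len(timestamps) < MIN_CONNECTIONS:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def analyze(text):
    """Return one finding per (src, dst, dport) of unexpected egress; periodic ones are 'beacon'."""
    findings = []
    for (src, dst, dport), times in find_egress(parse_flows(text)).items():
        verdict, interval = "unexpected egress", None
        score = beacon_score(times)
        if score is not None:
            interval, jitter = score
            if jitter <= MAX_JITTER_RATIO:
                verdict = "beacon"
        findings.append({"src": str(src), "dst": str(dst), "dport": dport,
                         "count": len(times), "interval_s": interval, "verdict": verdict})
    return sorted(findings, key=lambda f: (f["verdict"], f["src"]))


if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS):
        print(f)
```

On the constructed records the camera's 300-second cadence is reported as a beacon and the second device's two connections are reported only as unexpected egress. The periodicity test is a heuristic; a deliberate implant can add jitter to defeat it, which is why the stronger control is the one the witnesses called for: segment the OT network so that its default egress is denied, and treat every hit on that deny rule, periodic or not, as an incident.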

Wider context: Witnesses emphasized that many critical infrastructure owners — especially smaller utilities, local governments and cooperatives — lack funding, staff and technical expertise to inventory OT assets and implement basic defenses such as segmentation and multifactor authentication. That shortfall, they said, widens the attack surface for nation-state and criminal actors.

The subcommittee heard recurring recommendations: treat OT security as distinct from IT security, increase targeted public–private partnerships, prioritize supply-chain assurance and improve federal response coordination. Several members urged prompt congressional action on reauthorizations and funding programs discussed elsewhere in the hearing.

The hearing record will remain open for additional questions and written testimony, the chairman said.