Shadows of Stuxnet: Recommendations for U.S. Policy on Critical Infrastructure Cyber Defense Derived from the Stuxnet Attack
Abstract
In June 2012, the worldwide cyber security landscape changed when the presence of a new and sophisticated malware, later dubbed Stuxnet, was discovered in the computers of an Iranian nuclear facility. The malware was a cyber weapon, programmed to destroy the industrial machinery utilized for uranium enrichment. Stuxnet was soon dissected and diagnosed as a pioneering and politically motivated cyber attack that successfully infiltrated a high-security, government-run critical infrastructure and destroyed its physical property with computer code. The potential consequences of a similar attack on vulnerable U.S. critical infrastructures could be devastating. This thesis begins with a review of the evolution of U.S. policy related to the cyber defense of critical infrastructures. It then examines the critical infrastructure sectors within the United States, its dependency on computer technology, and the potential consequences of cyber attacks. A detailed case study of the Stuxnet attack follows, along with an analysis of the lessons learned from Stuxnet. The thesis concludes with specific policy improvement recommendations for the United States under three major themes: enhancing national unity of effort, expansion of cyber security coordination between the private and government sectors, and incentivizing private-sector compliance with best practices in cyber security.
Document Details
- Document Type
- Technical Report
- Publication Date
- Mar 01, 2016
- Accession Number
- AD1027468
Entities
People
- Ronald L. Lendvay
Organizations
- Naval Postgraduate School