Shadows of Stuxnet: recommendations for U.S. policy on critical infrastructure cyber defense derived from the Stuxnet attack

Authors
Lendvay, Ronald L.
Subjects
Cyber Emergency Response Team (CERT)
critical infrastructure (CI)
cyber security
distributed control systems (DCS)
distributed denial of service (DDoS)
executive order (EO)
industrial control systems (ICS)
information technology (IT)
National Institute of Standards and Technology (NIST)
presidential decision directive (PDD)
Programmable Logic Controller (PLC)
Supervisory Control and Data Acquisition (SCADA)
Advisors
Kiernan, Kathleen
Rollins, John
Date of Issue
2016-03
Date
Mar-16
Publisher
Monterey, California: Naval Postgraduate School
Abstract
In June 2012, the worldwide cyber security landscape changed when the presence of a new and sophisticated malware, later dubbed Stuxnet, was discovered in the computers of an Iranian nuclear facility. The malware was a cyber weapon, programmed to destroy the industrial machinery utilized for uranium enrichment. Stuxnet was soon dissected and diagnosed as a pioneering and politically motivated cyber attack that successfully infiltrated a high-security, government-run critical infrastructure and destroyed its physical property with computer code. The potential consequences of a similar attack on vulnerable U.S. critical infrastructures could be devastating. This thesis begins with a review of the evolution of U.S. policy related to the cyber defense of critical infrastructures. It then examines the critical infrastructure sectors within the United States, their dependency on computer technology, and the potential consequences of cyber attacks. A detailed case study of the Stuxnet attack follows, along with an analysis of the lessons learned from Stuxnet. The thesis concludes with specific policy improvement recommendations for the United States under three major themes: enhancing national unity of effort, expansion of cyber security coordination between the private and government sectors, and incentivizing private-sector compliance with best practices in cyber security.
Type
Thesis
Department
National Security Affairs
Distribution Statement
Approved for public release; distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.