Experts told senators that attackers can use information made public about the so-called Stuxnet virus to develop variations targeting other industries, and that the worm's consequences go "beyond any threat we have seen."
The code has attacked industrial sites in Iran and several other countries, and infected several employees' laptops at the Bushehr nuclear plant. Iran has said it believes Stuxnet is part of a Western plot to sabotage its nuclear program, but experts see few signs of major damage at Iranian facilities.
Specific industrial control systems using Windows software are vulnerable to the code. These are used in many critical sectors, from automobile assembly to mixing products such as chemicals and baby formula, Sean McGurk, acting director of Homeland Security's national cybersecurity operations center, told the Senate Homeland Security and Governmental Affairs Committee.
"This code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product and indicate to the operator and your antivirus software that everything is functioning as expected," McGurk testified at a cybersecurity hearing.
Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the panel that the worm showed that such attacks were possible. The "real-world implications of Stuxnet are beyond any threat we have seen in the past," he said.
But Turner added that the code's highly sophisticated structure and techniques also could mean that it is a one-in-a-decade occurrence. The virus is so complex and costly to develop "that a select few attackers would be capable of producing a similar threat," he said. "We would not expect masses of threats of similar sophistication to suddenly appear."
Experts said governments and industries can do much more to protect critical systems.
Michael Assante, who heads the newly created, not-for-profit National Board of Information Security Examiners, told lawmakers that control systems need to be walled off from other networks to make it harder for hackers to access them.
"We can no longer ignore known system weaknesses and simply accept current system limitations," he said. "We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address" cybersecurity challenges.
Assante said leaders must understand that the most dangerous attacks won't disable a system, but instead will take control of it and manipulate it to trigger accidents or unintended action.