15 Years After Stuxnet: When Code Became a Weapon

Stuxnet proved that malware could destroy physical infrastructure worth millions. The policies we shape now will decide who has the advantage.

Today, Robert M. Lee, SANS Institute Fellow, CEO of Dragos, Inc., Army National Guard officer, and industrial cybersecurity expert testified before Congress on the 15th anniversary of Stuxnet to discuss threats to the industrial networks that underpin our national security and economy.

Fifteen years ago, malware in Iran's nuclear program manipulated centrifuge motors so they self-destructed while operators saw normal readings.

The worm infected over 200,000 computers and caused 1,000 machines to physically degrade, destroying almost one-fifth of Iran's nuclear centrifuges.

That code proved that a cyberattack could destroy physical assets worth millions.

Until Stuxnet, cyber attacks stayed in the digital realm. They targeted data theft and network disruption. Stuxnet proved that malware could destroy physical infrastructure worth millions.

Critical Infrastructure Was Not Built for This

Stuxnet changed cybersecurity from an IT problem to a business continuity and national security issue. Today's industrial control systems - our power plants, water treatment facilities, manufacturing lines - are woefully unprepared for cyber threats.

Stuxnet required incredible sophistication because Iran's systems were air-gapped, not connected to the internet. Many of those same vulnerable systems still run critical operations today, often bridged to business networks with little more protection than a shared password.

The Robs at RSA: Rob T. Lee, SANS Institute and Robert M. Lee, Dragos, Inc.

AI Has Expanded the Attack Surface

Stuxnet taught nation-states that cyber operations could achieve military objectives without conventional weapons. Criminal groups and hostile governments have since adopted these tactics.

Artificial intelligence is amplifying the risk, allowing automated tools to map networks, escalate privileges, and launch facility-wide attacks in seconds.

As Congress examines the Stuxnet anniversary, the fundamental question remains: Has your cybersecurity strategy evolved as quickly as the threats have?

Boards and executives must ensure their cyber strategies include the physical systems that run their operations and supply chains.

Stuxnet marked a turning point. AI is accelerating what is now possible. The policies we shape now will decide who has the advantage.

Rob T. Lee

Chief of Research and Chief AI Officer SANS Institute