Stuxnet lessons yet to be learned after 15 years

When sailing one needs to be aware of the warning signs of bad weather and take the appropriate steps to prepare the ship for a safe passage to its destination. In this case the scud clouds have been visible long enough to tell the competent sailor that trimming the sails is in order to weather the approaching storm.

Five years ago I wrote about the lessons yet to be learned from Stuxnet[1], and I have recently read an article by an industry opinion leader on the same theme. The author states several lessons which I think are worth discussing and ends the article by asking the reader what they would add to the list[2]. There is still much about the aftermath of the Stuxnet operation that has yet to be learned, as I will explain below.

First I would like to address the assertion that “The OT attacking tools developed at a much slower rate and still seem primitive as compared to what was predicted”[3]. I admit that I am not an engineer, but I have worked in industrial cybersecurity and have closely followed the incidents that came after Stuxnet. On what basis do we know what attacking tools have been developed since Stuxnet? Which government(s) provide details about their capabilities to conduct offensive cyber operations, not to mention their successes and failures? Should we not admit to ourselves that our judgement is limited to what can be deduced from the few incidents that have been reported in the press, and the even fewer incidents that have received some form of forensic analysis by security companies?

Stuxnet demonstrated a great deal of sophistication, as was discussed by many researchers, especially by Ralph Langner[4]. One can argue that it was a model for the attacks on critical infrastructure that followed. Four years later the German Government reported on a sophisticated cyber attack on a steel mill which resulted in physical damage[5]. In this case it is hard to evaluate whether the attack tools were primitive, since no forensic analysis of the attack was included in the report. However, as with Stuxnet, the attacker succeeded in taking away the operators' view and control of a physical process, resulting in physical damage to the target.

Three years after Stuxnet we witnessed the revelations of Edward Snowden. The tools described were wide ranging, especially in the area of surveillance, but also extended to planting implants in hardware[6]. One can debate whether these activities were primitive or sophisticated, but the lesson missed, or at least not emphasized, is that governments were increasingly engaged in developing their capabilities to conduct malicious cyber activity.

In 2016 and 2017 attempts were made that also seem to have been inspired by Stuxnet, namely the neutralization of safety and protection systems. In the December 2016 cyber attack on part of Kyiv's power grid, attempts were made to compromise protection relays[7], and in 2017 similar attempts were made to compromise the safety instrumented system (SIS) at a petrochemical plant in the Middle East[8]. Another lesson (some called it a wake-up call) that appears to have been missed is that sophisticated state-backed attackers were trying to compromise the safety systems used as the last line of defence in controlling processes governed by the laws of physics and chemistry in ICS/ACS/OT.

Probably the most misleading and dangerous assertion to make is that even if there were some incidents, the effects were “minimal” (https://dale-peterson.com/2025/09/02/we-won-we-lost-part-1/?mc_cid=7f03c3af26&mc_eid=6d66d59513). This view is only possible to hold if one has a poor memory and wishes to stick to a rosy narrative. How else can one explain making such an assertion after the cyber-caused shutdown in 2021 of a fuel pipeline about 8,800 km (5,500 miles) long, pumping 100 million gallons of fuel a day along the US East Coast? (https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/) Even though the attack focused on IT systems and left the ICS unaffected, the attack on IT was sufficient for management to order a shutdown.

The implications and lessons learned do not seem to inform our thinking, especially the thinking of industry opinion leaders and policy makers. One lesson is that a simple ransomware attack on the IT systems of a critical infrastructure operator can shut down the whole physical side of operations. The effects are far from minimal: they can affect millions of people and be just as costly as a kinetic attack, and certainly far more costly than the 4.4 million USD the victim reportedly paid in ransom (is that really the whole cost, once one counts the effect on the region, rising gas prices, shortages, lines of automobiles waiting for gas, the cost of restarting a pipeline, and so on?) (https://www.bbc.com/news/business-57112371). This lesson was missed by many who wish to stick to a sunny narrative about the efforts to secure our critical infrastructure from cyber incidents, but I am sure that those planning future attacks on critical infrastructure have learned a great deal.

Another assertion made by some is that these critical systems are better protected than they were 15 years ago[9]. While I do not feel competent to argue against that assertion at the system design and engineering levels, I strongly contest it at the policy-making level. One of the most important influences on the decisions made by operators, manufacturers, suppliers and procurement departments in the critical infrastructure sectors is government guidance and regulation. The lessons from Stuxnet and the other incidents of the past 15 years are not evident in policy documents. The United States' National Cybersecurity Strategy is just one example (see my 2023 article[10]). Its mention of the need to protect “baby monitors” and “personal fitness devices” demonstrates that the level of awareness and understanding of what needs to be protected, and from what threats, is dangerously limited. To be fair, I have previously pointed out that this policy gap is also present in Europe[11]. In the end, if policy makers do not fully understand what needs to be protected and from what threats, then one has reason to be skeptical of judgements about the state of protection.

Standards organizations can be helpful in guiding the implementation of protection measures. The International Society of Automation (ISA) has good guidance available for protecting our critical infrastructure. For example, the ISA/IEC 62443 Industrial Automation and Control System security standard represents decades of accumulated engineering knowledge that can make significant improvements to CIP. However, the organization is currently mired in intellectual property issues which have raised concerns among the base of volunteers who provide the content[12]. It also seems to avoid being present as a guiding voice in the public policy space, in favor of developing material internally and then quietly publishing its product at a price.

The 22 July 2025 congressional hearing on Stuxnet revealed a further failure to recognize another lesson[13]. It was clear from the testimony of the participants that the threat posed by states to the safety and reliability of critical infrastructure is recognized. Even the list of usual suspects was clearly established. However, the focus was on state-executed cyber attacks on the homeland. It seems not to have occurred to anyone that other countries are equally under threat from these attacks, and that cooperation with other nations is not only possible but can be mutually beneficial. I have worked for many years in support of the position that international cooperation is vital to defending against the threats from cyberspace that are common to all nations[14]. The idea that the effectiveness of deterrence could be increased by cooperating with other nations was not recognized. Nor were there any proposals discussed for initiatives to develop instruments at the international level through which states could work together to address the threats posed by states. One can conclude from the transcripts that addressing attacks by states on US critical infrastructure was seen as an American problem to be solved by Americans alone, through better coordination and cooperation among US government agencies and US industry. This isolationist “we can handle this ourselves, thank you” mentality will make the job of protecting the nation from the malicious cyber activities of states needlessly more difficult.

Finally, in response to the request for lessons from Stuxnet that have been missed, here is my list.

  1. We have no full picture of what is going on in cyberspace below the “iceberg” or “cyberg”[15]. Everyone seems to know that governments are active in this area, especially with the creation of cyber commands, but no one seems to be worried or willing to consider where this is going. This reminds me of the faith that Germany and France had in their war plans, the Schlieffen Plan and Plan XVII respectively, at the start of World War I in August 1914[16]. Both ended in great failure, tragedy and disillusionment.
  2. Efforts to establish and agree on international norms that put pressure on states to refrain from directing their malicious cyber activities at the critical infrastructure of other states have gone nowhere.
  3. Governments have demonstrated the capability and the will to attack another country's critical infrastructure regardless of the potential cost to the target in terms of human life, property and the environment. As we saw with the NotPetya[17] and Viasat terminal[18] attacks, they also do not seem to be concerned about collateral damage extending to other critical infrastructure outside the target area. Engaging in this activity, which can threaten international security, is just a matter of the relevant authority giving the order to do so. We do not know whether such orders have been issued to cyber units for execution, or how many times.
  4. Governments continue to see this activity as a relatively cheap, effective and deniable alternative to diplomacy.

Lastly, we have failed to recognize that we live in a Post Stuxnet World[19], characterized by dependence on technology for supporting economic activity, national security and the well-being of society. This technology is vulnerable both to intentional malicious attacks by unfriendly nations and to unintentional, non-malicious acts by those trying to keep increasingly connected, complex, vulnerable and, consequently, cyber-fragile[20] systems running. The lack of recognition puts a drag on all the efforts being made to improve CIP against these threats. In continuing this way, we put ourselves in a position to experience the consequences of ignoring the warnings, as described by the term “cyberg” mentioned earlier. The term's definition that I prefer is stated this way:

“a cyber-related condition whereby a threat, or warning of a possible threat, results in either the misinterpretation or misunderstanding of a given situation, resulting in a decision in which no corrective action is taken”[21].


[1] http://scadamag.infracritical.com/index.php/2020/07/31/perhaps-we-are-missing-a-lesson-from-stuxnet/

[2] Dale Peterson, What We Know – Stuxnet 15 Years Later, 23 July 2025, https://dale-peterson.com/2025/07/23/what-we-know-stuxnet-15-years-later/?mc_cid=475f246d68&mc_eid=6d66d59513

[3] Ibid.

[4] https://dale-peterson.com/2016/06/20/s4-classic-video-langners-stuxnet-deep-dive/

[5] https://www.infoworld.com/article/2179244/snowden-the-nsa-planted-backdoors-in-cisco-products.html

[6] https://spyscape.com/article/15-top-nsa-spy-secrets-revealed-by-snowden

[7] Joe Slowik, CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack, Dragos, https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf Accessed 2025-08-27

[8] Julian Gutmanis, Triton – A Report From The Trenches, S4, 2019 https://www.youtube.com/watch?v=XwSJ8hloGvY

[9] Dale Peterson, What We Know – Stuxnet 15 Years Later, 23 July 2025, https://dale-peterson.com/2025/07/23/what-we-know-stuxnet-15-years-later/?mc_cid=475f246d68&mc_eid=6d66d59513

[10] Vytautas Butrimas, Impressions of the U.S. National Cybersecurity Strategy of 2023, SCADASEC, 15 March, 2023, http://scadamag.infracritical.com/index.php/2023/03/15/impressions-of-the-u-s-national-cybersecurity-strategy-of-2023/

[11] Vytautas Butrimas, The European Union moves to regulate its digital economy by proposing cybersecurity requirements – is the CRA a bridge too far? ,SCADASEC, 19 September 2023,  http://scadamag.infracritical.com/index.php/2023/09/19/the-european-union-moves-to-regulate-its-digital-economy-by-proposing-cybersecurity-requirements-is-the-cra-a-bridge-too-far/

[12] Dale Peterson, ISA’s updated Intellectual Property Policy and AI Policy are getting pushback and statements of dropping out from members (at least in ISA99), ICS Security: Friday News and Notes, Digital Bond, 2025 – Week 32, https://mailchi.mp/digitalbond/2025-32?mc_cid=e8b2aad226&mc_eid=6d66d59513 Accessed 2025-08-27

[13] https://homeland.house.gov/hearing/fully-operational-stuxnet-15-years-later-and-the-evolution-of-cyber-threats-to-criticalinfrastructure/?is=2044ff74b909e6d892d5a7a3041b389cd238353c8c3ac698bbfc16fbb7969543

[14] Vytautas Butrimas, Offshore Sailing Adventure – A professional’s memoir, UAB BALTOprint, pp. 205-2016. July 2025.

[15] See fourth definition of cyberg: http://cyberg.us/cyberg.php

[16] Vytautas Butrimas, In seeking international cyber norms for states, one should be careful about blowing smoke, sometimes it could start a fire, SCADASEC, 9 February 2017,  http://scadamag.infracritical.com/index.php/2017/02/09/in-seeking-international-cyber-norms-for-states-one-should-be-careful-about-blowing-smoke-sometimes-it-could-start-a-fire/

[17] Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired, 22 August 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

[18] Matt Burgess, A Mysterious Satellite Hack Has Victims Far Beyond Ukraine, Wired, 23 March 2022, https://www.wired.com/story/viasat-internet-hack-ukraine-russia/

[19] Vytautas Butrimas, National Security and International Policy Challenges in a Post Stuxnet World, Lithuanian Annual Strategic Review, December 2014, https://www.researchgate.net/publication/271726264_National_Security_and_International_Policy_Challenges_in_a_Post_Stuxnet_World .

[20] Ralph Langner, Robust Control System Networks – How to achieve reliable control after Stuxnet, Momentum Press, section 2.1, 2011.

[21] http://cyberg.us/cyberg.php


NOTE: The views expressed within this blog entry are the author's and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. He has also conducted cyber risk studies of the control systems used in industrial operations. He collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard, is a former co-chair of ISA 99 Workgroup 16 on Incident Management and is a member of ISA 99 Workgroup 14 on security profiles for substations.