I believe the recent disclosures by the New York Times about Stuxnet can be very harmful for the following reasons:
- They remove any ambiguity about the origin of Stuxnet, pointing a finger directly at the US for initiating cyber attacks against another nation's critical infrastructure.
- The recent Iranian paper about Stuxnet and Anti-virus published in Control On-Line demonstrates Iranian expertise in control system cyber security and knowledge of the latest Anti-Virus products.
- US critical infrastructures, particularly electric, are unprepared for a sophisticated cyber attack. The NERC Critical Infrastructure Protection (CIP) cyber security standards exclude the unique issues exploited by Stuxnet and Aurora; allow utilities to exclude most of their assets from any cyber assessment; and provide a roadmap to an attacker in terms of what is excluded, what is included, and when the included assets will be addressed. The just-completed NERC Cyber Attack Task Force report excluded Stuxnet and Aurora. Without being flippant, if piles of paper are not adequate to prevent a cyber attack, the electric industry, including nuclear, has little to no protection.
The impact of a sophisticated cyber attack against the critical infrastructures can be devastating. There isn't adequate control system cyber forensics to detect such attacks or identify the attacker. The utilities have demonstrated they will not address security, only compliance. What does Congress intend to do?