Recently, I have been getting requests for interviews on Stuxnet and “son of Stuxnet”. I believe Stuxnet has provided too much focus on PLCs and Siemens. The real ICS issues are:
- It is possible to use cyber as a weapon to destroy equipment or kill people. Cyber attacks are more than just creating a denial-of-service or shutting down a network.
- It is not necessary to be a nation-state to hack control system field devises. Stuxnet was complex because it was a targeted surgical attack against a specific process and was not meant to be found. The Maroochy wastewater hack in 2000 targeted field devices (not Siemens and not nation-state) and was not readily identifiable as cyber. DePaul University IT students with no control system background demonstrated they could compromise a Rockwell controller network.
- Most, if not all, ICS vendors have cyber vulnerabilities. ICS vendors other than just Siemens use hard-coded default passwords that cannot be changed. Additionally, there appears to be a stream of new SCADA vulnerabilities being identified.
- ICS field devices, not just PLCs, are at risk. An IT device tester who knew nothing about control systems was able to take control of a VxWorks-based RTU (not a PLC and not Siemens) in less than a day. The Maroochy hack targeted sewage discharge valves.
This is an industry problem with no easy fix that needs focused efforts. There will discussions on all of these topics at the September ACS Conference Cyber Security Conference.