
Summer and Stuxnet

Talking Plant Cybersecurity in the Light of Stuxnet. With No Certifications for Control System Cybersecurity, Anyone Can Be an Expert. Who Does an End User Believe?

[Editor's note: It's the middle of what's shaping up to be a long, hot summer, and in most of the country, people are trying to keep their brains from melting in the heat. Maybe that's why we're a bit light on feedback from readers this month. Once one has staked out a spot in the shade for the hammock, he or she hardly can be blamed for not summoning the energy to slave over a hot computer and send brickbats, compliments, questions or suggestions to us. However, not all the comment action is in the doldrums.

Over on the "Unfettered" blog, security issues are still generating a fair amount of heat of their own. Most of the interest, not surprisingly, revolves around plant cybersecurity in the light of Stuxnet.]

On June 22, Joe Weiss, Unfettered's chief blogger, cybersecurity expert and principal at Applied Control Solutions, wrote: "Last year when Stuxnet was first disclosed, the initial guidance given would have done great harm to the Siemens PLC. The appropriate guidance for the PLC still hasn't made its way to the appropriate end users. When you look at all of the articles on Stuxnet, it is very apparent that those with adequate understanding are still few and far between. Yesterday, an integrator in Brazil made a call for help on SCADASec [the security listserv] because his client's plant has been infected by the Conficker worm. The responses from SCADASec readers were all over the map, with much of the guidance at odds. Because there are no certifications for control system cybersecurity, anyone can be an 'expert.' Who does [an end user] believe?"

German cybersecurity expert Ralph Langner responded on June 25: "I don't think that the right guidance should be hard to find, given that there are not very much more than 10 dedicated ICS security contractors on the planet, including ACS. Certainly those 10 will not provide guidance for free, which is what many still seem to expect."

In another exchange that started on July 12, Jeremy Pollard, columnist for our sister publication, Control Design, suggested: "I think too that Stuxnet was a test, kind of like that Nigerian guy flying from New York to L.A. on someone else's boarding pass, and had 10 fake ones in his bag. Just a test. Let's see what we can get away with."

This speculation brought about the following response from Brad Hegrat, senior principal security consultant for Rockwell Automation: "Is it just me, or did we lose sight that this malcode took out multiple Iranian nuclear installations? It's already been established that this malcode required a formal design methodology to include a multi-faceted, multiple-disciplined approach via a means (funding, access, etc.) most likely available only to a nation, nation-state or well-funded paramilitary (terrorist) organization. With that in mind, I would firmly classify this as asymmetric, digital warfare, and I would submit that one does not engage in warfare, asymmetrical, digital or otherwise 'as a test.'

"Stuxnet was not a 'test,' but rather a prototype, a one-of-a-kind, disconnected framework based, semi-autonomous prototype preprogrammed to seek and destroy a single set of targets. It is the digital equivalent of the well-known, kinetic weapons system—the cruise missile."

Question of the Month

Is there really a lack of information about control system cybersecurity? Would you be willing to pay for outside help to address your cybersecurity issues? Would some sort of certification mechanism make you more willing to hire this kind of expertise?

Tell us what you think. The best answers will be published in next month's Feedback.