Okay, so now the mainstream media in the person of the New York Times has reported the story that we broke here nearly a year ago-- that Stuxnet was written by the United States government with assistance from a branch of the Israeli government.
Nancy Bartels, Control's Managing Editor, wrote me a little while ago. "Twitter is crawling with this story today," she reported. "A mix of the "OMIGOD, I'm SHOCKED" and "This is news?" Since we've been on this story from the beginning, we should probably mention something in the blog at least, but I'm not really sure what we should say. I for one don't want to get into the geo-political implications, and the only concern I would have from a process automation POV is that it will encourage people to put security on the back burner. You know, "well, since it's the good guys that did it and since we're talking about something so targeted, it can't possibly affect my facility." And this afternoon, at least, I'm thinking that if folks don't get that they need to secure their systems now, our telling them again isn't going to make much difference."
Well, I am going to take a shot at this. I don't want to get into geopolitics either. The consequences of this are all too obvious anyway.
In May, we published online an article by an Iranian Automation Engineer, Morteza Rezaei, that provided the Iranian view of Stuxnet. The article will be printed in the July edition of the print magazine. Rezaei was very careful to also skirt discussions of the geopolitical kind, but it is clear from his excellent understanding of Stuxnet that Iran is neither stupid nor inept-- as you can see from the fact that the Iranian CERT was the organization that first reported Flame earlier in the week.
So, I'm going to do what Mr. Rezaei did-- stick to the technical implications.
I'm going to stick my neck out here and make a statement. I don't care if you disagree with me, because I can pretty well prove I am right...and if we aren't very lucky, we are going to be shown that I am right.
The backbone of the economy of the world is the power grid, even moe so that the communications grid. Without power the communications grid drops dead. Without power, the economy drops dead. Without power there will be violence the kind of which we have only experienced during the race riots of the 1960s...our cities burning.
So, how easy is it for someone (a nation-state like, oh, for example, Iran) to disrupt the power grid in North America, and keep it down for several months?
Actually it is pretty easy. Fossil, geothermal, solar, wind, hydroelectric and nuclear power plants all use the same control systems. These control systems, whether made by Siemens or one of the other automation vendors, are exposed to the kinds of attack that "Operation Olympic Games" unleashed on the Iranian nuclear enrichment plant at Natanz. They are all, without exception vulnerable. Many parts of the grid are also vulnerable to physical penetration and attack.
Just how long do you think the lead time is for a turbine prop from a generator? How long does it take to get a hydroelectric generator rebuilt if it was destroyed by something like Stuxnet?
The answers are not measured in days, or even weeks. Some parts in generating plants carry lead times of several years.
NRC and NERC have not yet satisfactorily addressed this issue...NERC is still trying to ignore the evidence of the Aurora experiment, which, based on where it occurred (at Idaho National Laboratory) may well have been a proof of concept for Stuxnet. You CAN destroy a piece of rotating machinery by cyber means. We know that. The Iranians know that.
Sooner or later, somebody besides the US is going to decide to get into the game.
If we have not adequately secured our infrastructure by the time they do, we will be looking at a terrible catastrophe. So, Nancy may be right-- telling you all again to get your infrastructure secure right da_n now! may not do anything.
But I cannot be a good citizen or a good member of the automation profession without continuing to try.