Implications of recent Stuxnet disclosures

June 12, 2012
I believe the recent disclosures by the New York Times about Stuxnet can be very harmful for the following reasons:
- It removes any ambiguity about the origin of Stuxnet, pointing a finger directly at the US for initiating cyber attacks against another nation's critical infrastructure.
- The recent Iranian paper about Stuxnet and Anti-virus published in Control On-Line demonstrates Iranian expertise in control system cyber security and knowledge of the latest Anti-Virus products.
- US critical infrastructure, particularly electric, is unprepared for a sophisticated cyber attack. The NERC Critical Infrastructure Protection (CIP) cyber security standards exclude the unique issues exploited by Stuxnet and Aurora; allow utilities to exclude most of their assets from any cyber assessment; and provide a roadmap to an attacker in terms of what is excluded, what is included, and when those assets included will be addressed. The just-completed NERC Cyber Attack Task Force report excluded Stuxnet and Aurora. Without being flippant, if piles of paper are not adequate to prevent a cyber attack, the electric industry, including nuclear, has little to no protection.

The impact of a sophisticated cyber attack against the critical infrastructures can be devastating. There isn't adequate control system cyber forensics to detect such attacks or identify the attacker. The utilities have demonstrated they will not address security, only compliance. What does Congress intend to do?

Joe Weiss
