The danger of conflating cyber war and critical infrastructure protection

Cyber threats are a two-edged sword.  They can be exploited producing an offensive weapon such as Stuxnet. They also need to be identified and mitigated to protect critical infrastructures from the cyber threat. 

Stuxnet is a case study of the two-edged sword.  It appears the basis for Stuxnet inadvertently came out of a critical infrastructure protection program (see INL, Siemens presentation: ID 2481 “Control System Security Assessments” presented at the 2008 Siemens International User Group meeting in Chicago). Slide 59 is Target of Evaluation 6-Unuathroized Configuration Database Access. The goal was to modify the configuration from the PCS7 Engineering Station.  The objectives were to infiltrate the PCS 7 Engineering Station and modify the configuration without being detected and to compromise controller configurations in the control systems and safety integrated system. These are either critical vulnerabilities for protection or major attack vectors for a weapon. When identified in 2008, neither Siemens nor industry understood the true implications of the threat.  Moreover, it was not understood that the vulnerabilities were inherent in the design of the PLC and not patchable. Unfortunately, ICS CERT did not, and still has not, disclosed the vulnerability or provided recommendations for addressing this critical vulnerability. In fact, DHS stated at the 2011 ACS Conference September 22nd that if it were a design flaw and not patchable, it is not a vulnerability.  This raises real questions about the credibility of the ICS CERT.

For national security it is important that a credible cyber weapons program exist as well as a credible critical infrastructure protection program. However, conflating these programs has put our critical infrastructures at considerable risk.  

Joe Weiss