The danger of conflating cyber war and critical infrastructure protection

Nov. 2, 2011
Cyber threats are a two-edged sword. They can be exploited to produce an offensive weapon such as Stuxnet. They also need to be identified and mitigated to protect critical infrastructures from the cyber threat.
Stuxnet is a case study of the two-edged sword. It appears the basis for Stuxnet inadvertently came out of a critical infrastructure protection program (see INL, Siemens presentation: ID 2481 “Control System Security Assessments” presented at the 2008 Siemens International User Group meeting in Chicago). Slide 59 is Target of Evaluation 6 - Unauthorized Configuration Database Access. The goal was to modify the configuration from the PCS 7 Engineering Station. The objectives were to infiltrate the PCS 7 Engineering Station and modify the configuration without being detected, and to compromise controller configurations in the control systems and safety integrated system. These are either critical vulnerabilities for protection or major attack vectors for a weapon. When identified in 2008, neither Siemens nor industry understood the true implications of the threat. Moreover, it was not understood that the vulnerabilities were inherent in the design of the PLC and not patchable. Unfortunately, ICS CERT did not, and still has not, disclosed the vulnerability or provided recommendations for addressing this critical vulnerability. In fact, DHS stated at the 2011 ACS Conference on September 22nd that if it were a design flaw and not patchable, it is not a vulnerability. This raises real questions about the credibility of the ICS CERT.
For national security it is important that a credible cyber weapons program exist as well as a credible critical infrastructure protection program. However, conflating these programs has put our critical infrastructures at considerable risk.  
Joe Weiss
