Feed Back From "Unfettered" and "The Great Kanduski" Blogs

Oct. 28, 2010
Thoughts on Stuxnet and Automation Week 2010

[Editor's note: The following are posts and comments taken from our "Unfettered" and "The Great Kanduski" blogs at www.controlglobal.com.]

Thoughts on Stuxnet

On his "Unfettered” blog, Joe Weiss posted "Stuxnet and the Smart Grid,” which stated:
"Stuxnet has at least two major implications for Smart Grid. The first is Smart Grid uses key management. Stuxnet is one of the first cyberattacks to use compromised digital keys. Since then, at least three other cyber vulnerabilities have used  compromised digital keys. There should be a reassessment of the key management process for Smart Grid. The second is the more insidious aspect of Stuxnet that attacks control system logic. Programmable logic controllers (PLCs) and other controllers with Windows front ends are used throughout the Smart Grid for controlling renewable resources, and for modern automated substations and other grid systems. These systems can be vulnerable to Stuxnet-type attacks. Control system policies and procedures need to be developed and implemented immediately to at least minimize these types of attacks."

Blog reader ab3a commented:
"This [first] problem isn't as new as many might think. This article from the Feb. 21, 2005, edition of eweek.com (http://tinyurl.com/5xcm6s) is about the lack of security in a digitally signed key. Digital signatures are the foundation to trusted computing. However, the more keys one has to trust, the more likely it is that something will sneak in through a compromised key. Few give any thought to that aspect of trusted computing. Now that Stuxnet is well-known, perhaps this attitude will change."

Later, ab3a added:
"Stuxnet attacked the STEP 7 development environment and inserted some new library routines. Then, when the developers or integrators downloaded a new version of the software, the rogue code was inserted in the PLC program.

"Back to reality. There are many integrated development environment (IDE) packages for many platforms. Authenticating the code in the foundation libraries is something that I have heard of only among the most paranoid installations. Almost nobody does it.

People authenticate entire installation programs, but I've never heard of anyone authenticating a working IDE or an HMI. This measure is possible, but is it practical? How far should our paranoia about protecting our infrastructure go?"

Automation Week 2010

Ian Verhappen, "The Great Kanduski," gave a positive review of the new ISA Automation Week (AW) 2010, and asked for suggestions for improving it next year.

Jon DiPietro had a list:
"1. Free wireless will make it easier for people to attend—they can stay in touch— and promote AW through social media and sharing. I hope we really promote that as I think it's a big deal for attendees.

2. We should think about ways to increase the interaction between exhibitors and attendees. I'm not sure why the exhibits were closed during the sessions—there were two occasions when I wanted to see exhibits and couldn't.

3. The contingent of journalists present was pretty thin. Maybe there are accommodations we can make in order to get more of them there to cover our event. 

4. I would like to see one of the tracks run as an "unconference." We could create a website/page where conference attendees submit abstracts and then publicly vote on the subjects that interest them.  The top three vote getters end up getting a speaking slot.

5. We could borrow Emerson's idea and set up a social media help booth. Emerson employees signed up hundreds of people and showed them how to use Twitter. This created a small army of people promoting the Emerson event."