Wednesday, August 4, 2010

Stuxnet, a big deal, but not a big surprise...

The recent story on Stuxnet is big. An broad attack on power systems using both a Windows and a Control system vulnerability, and as ThreatPost points out here, probably launched by a nationstate or other politically motivated actor.

So, why is this no surprise?

  1. It's simple: Control systems used to depend on total isolation as the key to their security. The systems were NOT connected, were physically secured, and therefore safe.
  2. Over the last 10 years, systems have lost that isolation, becoming connected to the intranet, which of course is connected to the internet
  3. New implementations even have "Secure" connections direct to the internet
  4. Overall, with a few exceptions, the strategy of the energy industry is to cover up, not talk about security risks and threats
So, what we have is a flaw in the basic design of a key Siemens infrastructure exploited via a flaw in connected windows systems? Surprised???? You shouldn't be.

What to do about it?

1) We need stronger regulation AND action to push real controls and regulations with teeth. We have more regulatory control over credit card numbers than our electrical grid.

2) We need greater focus and cooperation between IT Sec and Control systems professionals

3) We need more discussion and openness on the risks to our critical infrastructure and what to do about them

4) We need the mainstream media to take the time to understand and report on this threat, and push both industry and regulators to action (fat chance:)


No comments:

Post a Comment