07 June 2012 by Andrew Wadsworth

Stuxnet Continues to Make Security Headlines

Stuxnet heralded a seismic shift in the security tectonic plates when it was discovered in 2010, once and for all dispelling any doubts about the possibility of building and delivering a highly targeted malicious program to cause physical damage to production plants.

It was clear that a lot of very skilled people, coupled with very accurate information about the plant, was needed to build Stuxnet and that this was most likely to be available only to an organisation, or organisations, acting on behalf of one or more nation states.  But who?  For all sorts of reasons, the weight of speculation pointed to the US and Israel acting in concert together.

For the most part, attempting to attribute the origin of malware is a pretty fruitless exercise but David Sanger of the New York Times has published an article and a book, "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power", in which he builds the strongest case yet, albeit on circumstantial evidence, that suggests the US and Israel were behind Stuxnet.  If true, expect to feel the tectonic plates moving again.

As Eric Byers succinctly puts it in his latest blog entry "Stuxnet Warfare – The Gloves are Off" then bad actors can be expected to potentially step up attacks on US infrastructure and interests.

As an Energy sector operator, should you be concerned?  Yes.  Because even if you're not the immediate target you could suffer collateral damage.  Your business depends on safe reliable production operations controlled by these systems and if they are compromised, you are at risk.  If you're not already doing so, you should be taking action now to assess your control systems security posture, identify weaknesses and address them to improve your security.

Should you put your tin foil hat on?  No.  Although Stuxnet, DuQu and Flame have all been in the wild for a long time before being discovered and we don't know what else
may be out there, it's important to respond in a measured, structured way.

Tags: Process Security Technology Strategy