Stuxnet has shown up in CSO magazine with a fingers-scratching-on-chalkboard title:
If Stuxnet was cyberwar, is U.S. ready for a response?
Interesting question. Why should we consider Stuxnet cyberwar? No analysis provided in the article. In the same vein we might as well ask if Stuxnet was water soluble, is the US ready to drink it? If Stuxnet was mixed into oatmeal, is the US ready to taste it?
Then comes the CSO article teaser:
The complex Stuxnet worm proved attacks on SCADA and other industrial control systems were possible. Are we ready if one comes our way?
First, I would not call Stuxnet complex, as I have written and presented many times. The attack was arguably complex, but Stuxnet not so much. I suppose we also could debate the meaning of the word complex but even Langner (who first discovered it) says Stuxnet was a simple and not well-written exploit.
Stuxnet attack very basic. DLL on Windows was renamed and replaced with new DLL to get on embedded real-time systems (controller). It was not necessary to write good code because of the element of surprise — only had to work pretty well
Second, it did not prove attacks on SCADA and other control systems are possible. It was well-known in the late 90s, as demonstrated by US Executive Order 13231 of October 16, 2001 “Critical Infrastructure Protection in the Information Age”, as well as Executive Order 13284 on January 23, 2003. In my BSidesSF presentation I explained the controversy Mudge started in 1999 when he told the press he could shut down 30 grids. So, from the “sophisticated” Maroochy Shire attack in 2000 to the “sophisticated” Aurora attack in 2007…there have been many proofs before Stuxnet.
Third, we know of reliability issues and failures already in control systems. I pointed out in my BSidesSF presentation three shutdowns of major nuclear stations in the US Northeast in early 2011. The question “are we ready” can be answered in the present tense for threats instead of a hypothetical. We know, for example, why more than 50 power plants were knocked offline in Texas recently. They were unprepared for threat conditions to their availability, despite forecasts. Moreover, the Governor of that state showed exceptionally poor judgment and a lack of situational awareness in his response.
Speaking of “ifs”, I am reminded of a Will Rogers quote:
If stupidity got us into this mess, then why can’t it get us out?
The CSO article would be far better if it tried to explain why, after more than ten years of warnings, critical infrastructure in America is still so susceptible to failure. Proverbs about chickens come to mind. Why is Stuxnet being phrased with terms of (sky-is-falling) cyberwar? Is that the most appropriate way to get a response from management?
Here is how I would have put the question: if we called Stuxnet the same kind of threat that we have been tracking and known about for years, albeit executed more carefully, would US critical infrastructure be any better prepared than they have been for lesser threats that seem to knock them offline?