It can happen here?
While it seems that Siemens’ efforts to deal with the Trojan problem have been effective, the situation should remind us that such events must not be thought of as something that happen somewhere else.
The folks from GarrettCom were reminding me of an article that we did last January, where we surveyed readers on their understanding of cyber security issues. Here’s the paragraph that they recalled particularly:
“The first surprise was that 24% indicated they do not believe there are any threats and risks associated with their information control system that could affect their business operations. This seems very puzzling since most organizations operate with the understanding that there is no such thing as 100% security. In an environment where industrial control systems are becoming more dependent upon increased connectivity, including the Internet and remote control capabilities, we expected nearly a 100% response acknowledging the presence of such risks. The most prevalent cyber security concerns expressed by nearly 20% of respondents acknowledging the presence of disconcerting risks were viruses and malicious software.”
GarrettCom’s president, Frank Madren, pointed out that the Stuxnet worm, that targeted Siemens SCADA management systems in Iran, India, and Indonesia, is spreading. This is probably not the first time that industrial control systems have been threatened, but it is a dramatic example of the truism that no business or industry is safe from the threat of cyber attacks. “This is not the time to stick your head in the sand and say ‘it can’t happen here’,” he says. “Cyber attacks on industrial control systems are happening now and will probably increase. At GarrettCom we have been developing and improving upon hardware and software security systems for more than a decade. We use a combination of industry standards with proprietary technology and best practices recommendations to fill in holes. The NERC CIP regulations for power utility substation protection are some of the most comprehensive security specifications available in the U.S. today, and much of what we have learned and implemented is applicable to other industrial environments as well. However, no system is completely immune from creative new incursions. Constant vigilance is required.”
Constant vigilance indeed.