Stuxnet Changed Threat Landscape

Tuesday, May 3, 2011 @ 01:05 PM gHale

By Gregory Hale

Everything in the industrial control environment changed last July.

“Stuxnet changed the threat landscape,” said Marty Edwards, director of the control systems security program at the U.S. Department of Homeland Security (DHS) during his keynote address today at the ICSJWG 2011 Spring Conference in Dallas. “In the old days in the pursuit of finding problems, we would take systems and break them. We took the hypothetical attacks and they became real.”

ICSJWG is the Industrial Control System Joint Working Group, a joint effort that brings control system users and vendors together with government and academia to build a working relationship for addressing the cyber security challenge.

Part of what Edwards addressed during his keynote was the movement toward having industry and government work together, especially during events such as the Stuxnet worm hitting the industry.

“We analyzed Stuxnet as a community,” Edwards said. “We determined it was fairly sophisticated. I am not saying we did a perfect job, but (the bad guys) keep evolving; we keep evolving. We need to come together to see what the community needs. We have to work together.”

In the past, Edwards said, security was a bit easier with pneumatics and proprietary systems.

“Security with a pneumatic loop or controller was all about physical security,” he said. “As long as you had physical control over the asset, you had security.”

With proprietary systems, there was built-in security since all systems were custom-made for the individual manufacturer. But, Edwards said, “proprietary is a synonym for expensive. You would have to pay $100,000 for a console.”

With today’s open systems, “we have a lot of options now.”

Today’s technologies allow for specialized devices to help keep systems up and running while keeping intruders out. In terms of technology, “We are evolving and we continue to evolve,” Edwards said.

Technology, though, is not the only answer; people also need to gain a stronger understanding of why a strong security posture is necessary.

“The human part is also evolving,” Edwards said. “Security is not all about technology. People want the magic security box to plug in and all the problems go away.” Edwards said that is just not going to happen.

The catch, however, is that companies have to realize security is important and that, depending on the size of the company, it is a full-time job for at least one person.

“If it is going to be a sideline it is not going to get done,” Edwards said. “I was talking to someone earlier and he said there are people at his company devoted to security right now, saying ‘I think we are starting to get it.’”
