[Extra link and commentary added 26th September 2011; extra link added 27th September]
I notice there's a flurry of articles around the "Stuxnet anniversary" and "After Stuxnet" themes. Some of them are even interesting, if not always for the right reasons...
I'll be back to this, though probably not today. Watch this space.
- After Stuxnet, waiting on Pandora’s box, by Jason Ukman
- Stuxnet Reality Check: Are You Prepared for a Similar Attack?
- Industrial Control Systems Security One Year After Stuxnet: Got Vulnerabilities? Deal with it, by Eric Knapp
- Nuclear warheads could be next Stuxnet target: Check Point, by Hamish Barwick
- From the man who discovered Stuxnet, dire warnings one year later, by Mark Clayton
- http://www.csmonitor.com/USA/2011/0926/A-year-of-Stuxnet-Why-is-the-new-cyberweapon-s-warning-being-ignored (also by Mark Clayton)
In fact, the interview with Langner is, if a little deferential, not way off-beam. I was asked about Stuxnet, oddly enough - well, maybe not that oddly - in an interview over the weekend, and while I won't "spoil" the interview by repeating what I said (briefly) there, it wasn't too different to Langner's position. The problem isn't going to be identikit Stuxnet code, but the fact that most of the assumptions about the air gap between critical systems and the world of Internet attacks are unsafe.
And not directly connected, but not irrelevant either: I was unable to attend Joe Weiss's recent ACS conference, but this gives some of the flavour of what I (and probably you) missed.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
