The complex Stuxnet worm proved attacks on SCADA and other industrial control systems were possible. Are we ready if one comes our way?

With Stuxnet setting back Iran’s disputed nuclear program, that country has vowed to take “pre-emptive” strikes against the powers it believes launched the attack, a recent news story in the Tehran Times reported. “An electronic war has been launched against Iran,” an official was quoted as saying.

Accurate or not, most reports and expert conjecture peg the responsibility for the creation of Stuxnet on the United States and Israel. If Iran retaliates and attacks industrial controls or the Supervisory Control and Data Acquisition (SCADA) systems, are our systems prepared and secure enough to withstand an advanced and targeted attack?

The short answer is no.

“The biggest challenge we face isn’t that we’re not ready for a Stuxnet. The biggest problem we face is that we’re not really ready for anything. If you were to do a pen test — and there’s plenty of research out there to support this — most utility companies are extremely vulnerable,” says Eric Knapp, director of critical infrastructure markets at NitroSecurity.

That begs the question: How far away are utilities and other critical infrastructures from where they need to be?

“Some [utilities] are way, far away from where they need to be,” says one security assessor who has recently completed a number of assessments on utility companies and requested not to be quoted by name. “They’re making many poor assumptions about their risk,” he says. “They believe that because their communications between devices are encrypted, or because they have some type of access control that they’re secure. In many ways they’re acting like software companies did about a decade or so ago. They just don’t want to see the reality of things.”

Knapp says that, while utilities are lackadaisical in many areas, the picture is not consistently bad.
“We work with a lot of utilities and a lot of industrial manufacturing facilities, and for every comment like that I hear, there are other utilities that take it very seriously,” says Knapp.

Mike Sconzo, principal security consultant, NetWitness, believes that critical infrastructure industries, such as utilities and manufacturing, are starting to take the steps necessary to become more resilient. “Critical infrastructures are going through the same kind of growing pains as the IT industry did over the years,” Sconzo says. “For instance, the first version of NERC’s CIP (North American Electric Reliability Corporation’s Critical Infrastructure Protection) standard consisted primarily of security box checking. Meaning if you do X, Y, and Y you are supposedly secure. I’m hearing more interest now, however, in moving toward more risk-based assessments. A lot of people are realizing that risk-based security management is not such a horrific idea,” he says.

“The key is getting everyone up and down the stack to realize that security is a continuous process, and just as software developers learned basic best practices a decade ago and built from there, so must utilities and other critical infrastructures,” says Sconzo.

Sure enough, but with many experts believing it’s only a matter of time before a Stuxnet-like worm is targeted toward U.S. interests, one has to wonder if there’s enough time.

George Hulme writes about security and technology from his home in Minneapolis. After spending more time researching critical infrastructure security, he’s often been spotted pricing gas and solar-powered backup generators. He can be found on Twitter as @georgevhulme.