As I write this, I'm prepared to be dismissed as naive, underinformed. I'm equally ready to be told of eager agreement. Network security, or cybersecurity, elicits the same bipolar sorts and levels of extreme reactions that Y2K produced in Y2K-1.
Right now, it's about the damage Stuxnet did to Iran's nuclear program, and how it could spread to bring us to our technological knees.
It's an elegantly crafted virus. It cost a bundle to build. It took the undivided attention of many highly skilled, sophisticated bit-bangers.
Machine builders will pay some attention to this because, unlike the usual PC-eating viruses, it targeted specific PLC types in specific configurations. We're told it targeted only the type and configuration found in Iran's enrichment centrifuge program.
So it appears somebody did to Iran's nuclear program what the Israeli Air Force did to Iraq's nuclear program in 1981.
We're told it could be redeveloped to go after other architectures.
Good reads on how the bug works include computer security consultant Ralph Langer's piece in Control (www.ControlGlobal.com/hijack and a New York Times article (www.ControlDesign.com/stuxnet) that features Langer.
It apparently got into the PLCs when some knucklehead found a thumb drive outside the nuclear program building and did what every clear-thinking employee would do: He went inside and plugged it into his networked computer's USB port to see what was in it.
This all points to a geopolitical thing. Stuxnet is a weapon. It's a government-developed weapon, the purpose of which isn't aimed at your business. There's just no evidence this virus or its progeny will be indiscriminately dispersed.
Utilities, water and waste water treatment companies, and/or a few ultra-big, highly visible companies that draw global public ire would and probably should have some nervous thoughts about this, and we're likely to hear of its emergence again somewhere. But for typical manufacturing companies and their suppliers, this isn't an impending breach of the castle by fanatical hackers.
Besides, factory and plant managers deal with threats of various magnitudes and types all the time. When they do their homework and make certain that prevention and precaution are firmly in place, you don't hear anything about them. That's because nothing bad happens.
Maintain the assets and protect everyone from unsafe and bad employees, disgruntled ex-employees, and two-bit hackers, and life can be simpler. You can't or shouldn't hide from this, because network breaches certainly are a concern, and we will continue to report about them if events that could affect you unfold. For instance, as I read the lead story in this month's Industrial Networking about these issues, parts of the story made me imagine company managers being shocked--shocked, I tell you--that, just because they left all the doors and windows open, they'd been tampered with or robbed.
You and your customers should have discussions about this. And if you want help in these areas, you'll have to decide for yourselves who the experts/consultants are who place your interests above promoting a booming "you'd damn well better be scared and do what I tell you" cottage industry.
I remember thinking in December 1999 that maybe, just maybe, it would be a good idea to store some drinking water in the basement, in case the utility went down for a few days or civilization as we knew it collapsed around us. I decided not to.
Find all your doors and windows, real and virtual. Don't nail them shut, just secure them. Do that first.
