George V. Hulme has an excellent writeup regarding recent moves to shore up network security in the nation's critical infrastructure systems.
Hulme writes that the International Society of Automation has announced the formation of a task group to conduct a gap analysis on the ANSI standards governing Supervisory Control and Data Acquisition (SCADA) systems security.
The ISA99 standard offers guidance to SCADA systems operators on how to mitigate risks from threats and vulnerabilities, and the gap analysis will evaluate how well organizations following the standard would have responded to a Stuxnet-type attack.
Stuxnet is a highly sophisticated designer virus that wreaks havoc with SCADA systems, which provide operations control for critical infrastructure and production networks.
"Over the next few years, these standards will become core international standards for protecting critical industrial infrastructures that directly impact human safety, health, and the environment; and, likely will be extended to other areas of application, even broader than those generically labeled SCADA. Based on this, it is essential that industrial companies following IEC 62443 standards know they will be able to stop the next Stuxnet," according to an ISA statement.
Threats like Stuxnet may be new, but the system weaknesses they exploit are not.
"Stuxnet really didn't change anything. The vulnerabilities have all been there for awhile. Most SCADA networks are pretty wide open and are susceptible to attacks. Stuxnet did, however, open our eyes to what is possible now," Hulme quotes Richard Stiennon, author of the book Surviving Cyberwar, as saying.
Stiennon also points out that SCADA systems are equally vulnerable to less sophisticated attacks that require remedial mitigation efforts.