“Last year, after Stuxnet was identified as a weapon, we recommended to every asset owner in America – owners of power plants, chemical plants, refineries and others – to make it a top priority to protect their systems… That wakeup call lasted only about a week. Thereafter, everybody fell back into coma,” Langner told The Christian Science Monitor in a recent interview.
Ralphy, Ralphy, Ralphy... Could it be that your company needs more attention? You personally perhaps?
This crying “stuxpocalypse” thing is getting a little out of hand and seems rather low rent, well, wait a minute... Looking at that swank faux leopard pillow you have there, maybe this is your style... Ok, back on topic..

Where was I? Oh yes..
Ralph, sure, there are many systems out there running PLCs and yes, they are likely vulnerable to any number of attacks.
However, can you please look back and see how long it actually took persons unknown *cough* USA/UK/Israel *cough* to create the Stuxnet attack and breathe a little before you go crying to the likes of the Monitor?
I’m sorry, but you are just making yourself look really.. Well.. Needy.
Let’s look at the facts, shall we?
“Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don’t have any significant level of cybersecurity for them,” Langner said.
FACT CHECK: ALL the control systems? Really Ralph, that is not going to happen… You smell the hype here folks? MASS CASUALTIES! FUD FUD FUD. I’m sorry, no, Ralph. Sure, if the system were taken down (say, power) there would be casualties, and the old and infirm would be the first to go, but a wholesale “fire sale” is not going to happen.
It’s really the stuff of movies.. Say, you been watching Die Hard recently?
“The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks…. With every day [that] cyber weapon technology proliferates, the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares,” Langner stated.
FACT CHECK: Say Ralph, I seem to remember there being a whole cyber security initiative by the Obama admin that, it seems to me, covers this area. Though, yeah, I would love to see an expedited process, people are looking at this AND knew about these types of attacks WAY before Stuxnet showed up!
I mean, how do you think they got the idea in the first place to create such a vector of attack huh? I might also suggest that all of the people who you might be asking about this may not want to talk to you in the first place. It would be like me walking into your house as a stranger and asking “So, what’s your wife’s favourite position in bed?”
“Most engineers are aware of the problem, it’s just that they don’t get the budget to fix the problem. The risk is just discounted. As long as management doesn’t see an immediate threat, there is a tendency to ignore it because it costs money to fix,” Langner explained.
FACT CHECK: Uh yeah.. No.. After what happened in Iran, we are not likely to just avoid the issue altogether... Once again, I point to the previous statement (wife –> sex –> positions).
Rare are the vendors or the end users that are going to divulge the problems they have because they are afraid of compromise, no matter how hard it may be to carry out.
“I couldn’t stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened.”
FACT CHECK: Well more of a comment really //BEGIN SNARK/SAVE US RALPH! SAVE US!//END SNARK/ people listened... Though, not necessarily to you... Trust me.
“I’m afraid cyber-arms control won’t be possible… It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first.”
FACT CHECK: Gee Ralph, how about you forget the SCADA systems out there that now have attention and think about everything else out there online. Like, say, every frikkin Windows XP instance still out on the Internet and within private networks that is not patched? How about the fact that said systems are connected to the internet on a regular basis and SCADA systems aren’t (crosses fingers)?
Well, they aren’t “supposed” to be. Or did you miss that salient fact that it took a concerted effort to get the Stuxnet into the Iranian facility in the first place because they were NOT connected to the internet as readily as other places?
Ya know... It’s called HUMINT. We needed someone to plant that USB or place it physically in a box on site. See Ralph, it’s not just some magic incantation and suddenly you’re infected.
Need I also remind you of the four zero-days used? Yeah..
So please Ralph, get off the Stuxnet nipple.. We know about it.. We just aren’t talking to YOU about remediations.
K.
Cross-posted from Krypt3ia




