Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stuxnet Virus Now Biggest Threat To Industry

Posted by CmdrTaco on from the or-just-don't-click-attachments dept.

digitaldc writes "A malicious computer attack that appears to target Iran's nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday. They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."

5 of 254 comments (clear)

  1. We should thank Israel, or whoever by elrous0 · · Score: 4, Insightful

    This is a wake-up call to a new vulnerability. There are a helluva lot worse ways to have found out about it than this relatively innocuous version. It also exposes stupid weaknesses like the fact that all Siemens PLC's (programmable logic controllers) have a hard-coded password that was never meant to be changed, and that all the obscure proprietary software in the world on PLC's doesn't mean jack for security--because they all still have to take their orders from a machine running it software on regular old Windows.

    We could have realized these vulnerabilities only after a bunch of stuff started exploding.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:We should thank Israel, or whoever by mevets · · Score: 5, Insightful

      We also could have foreseen these vulnerabilities.

      I used to work in industrial automation - in its pre-windows era, and people did put effort into isolation, access control and validation.

      After having made the bad decision to deploy on Windows, when years of evidence that it had a horrendous lack of access control, how did Siemens just continue on? What were they thinking?

  2. The solution by Lord+Lode · · Score: 5, Insightful

    Don't use Windows for important industrial systems.

  3. Legislation? by TD-Linux · · Score: 4, Insightful

    I would think that the risk of prolonged downtime in a factory that plows through millions of dollars a day would be enough of an incentive for any manager to tighten their security.

    1. Re:Legislation? by Tom · · Score: 4, Insightful

      No, it isn't. Humans in general and managers in particular are famously bad at correctly estimating the factors of low-probability/high-impact risks. Not always in the same direction - we vastly overestimate the risk of some stuff, and vastly underestimate others. But we're almost always off, and by several orders of magnitude.

      And don't forget the human factor - the risk for the manager is not millions of dollars of company assets, that is an abstract figure at best. The risk to him is the loss of his job, which is lower in both value and likelihood than the event itself. However, spending money on security is a 100% loss of profit which will impact the bottom line, profit, quarterly report, etc. with a very high probability of negative impact on his bonus or raise.

      Unfortunately, almost everything you learn about management or governance acts as if "the company" would make decisions, and not humans. And ignores that humans have a more personal context that also influences their decisions, and routinely overrides even those cases where the optimal decision can be clearly demonstrated.

      --
      Assorted stuff I do sometimes: Lemuria.org