The US House Homeland Security Committee’s Subcommittee on Cybersecurity and Infrastructure Protection is holding a hearing today entitled “Fully Operational: Stuxnet 15 Years Later and the Evolution of Cyber Threats To Critical Infrastructure.” Two of the four panelists, Rob Lee and Kim Zetter, are very well known to the OT security community. While I would like to see Ralph Langner on this panel as well, if the Representatives ask even mediocre questions this will be a good hearing.
Fifteen years later, there are only a few things we know, and are certain about.
- The US Government, with an assist from Israel, was the first government to launch a major cyber attack intended to cause physical damage. Someone was bound to open this box, but it was the US that did it and began / accelerated the “evolution”. The irony of this hearing, and of the likely bemoaning of the threat during it, is massive.
- Everyone’s predictions on the number and impact of cyber attacks on critical infrastructure that would follow Stuxnet’s discovery were wrong. Wildly wrong on the high side. The number and impact of actual incidents are less than 10% of what everyone predicted. (My first draft had the safer “almost everyone,” but I can’t remember a single person downplaying the number and impact in the first five years after Stuxnet.)
- OT attack tools developed at a much slower rate than almost everyone predicted post-Stuxnet, and they still seem primitive. Primitive even compared to Stuxnet itself. INCONTROLLER / PipeDream was something that many people in the S4x12 audience envisioned as a first step and could have written in 2012. The same goes for FrostyGoop.
- The average OT system is better protected than it was 15 years ago. Not every OT system, but the average now has a decent security perimeter, endpoint protection, and more secure remote access. The top 10% have an impressive OT security program and a good handle on OT cyber risk. This is why most reported cyber incidents at large companies with OT now include a statement that the attacker did not reach or compromise OT.
- OT detection products and services took the majority of OT security vendor spend over the last 10 years.
I added and deleted a number of other items while writing this. They are important things that I believe to be true, and yet they couldn’t be stated with evidence-based certainty. And maybe I’m a bit shy to put them out there as fact after seeing everything we got wrong or didn’t predict in the last 15 years.
This doesn’t mean there aren’t active threats to OT systems and the processes they monitor and control. It doesn’t mean the security programs for our OT systems are adequate. It may mean the threat is vastly overrated, or maybe the threat was correct and the timeline was wrong.
What we shouldn’t do is skip past the gap between the data and the predictions / expectations of the last 15 years.
What would you add to this list?