It’s been three years since the Stuxnet computer worm affected Iran’s nuclear enrichment facilities. Whether or not you believe the US and Israel were behind this cyber attack – in order to prevent Iran progressing with its nuclear programme – the case just goes to demonstrate how vulnerable process control systems are vulnerable to cyber attack.
But post Stuxnet, have we learnt any lessons that will prevent us from falling victim, the same way the Iranians did? The absence of cases in the media would suggest we may have taken note, or could it be that the cases that have occurred have not been publicised?
In reality, I think the jury is out. Since 2010 a whole host of work has taken place to develop a range of standards that organisations in the energy utility industry can employ to protect their process control systems. There’s ISO/IEC TR 27019 that gives guidance on implementing an ISMS for organisations that use these types of systems, as well as IEC 62443 which gives very specific guidance on cyber security for process control systems in this sector.
In all, given the Iranian case, as long as we employ the relevant best practices we should be a lot better prepared should an attack occur. But it all depends on getting started!