I never developed software directly for Siemens PLCs, although on one occasion I had to interface with them and communicate within their data block framework, and for another industrial application I considered using them but eventually chose a different sort of motion controller which was better suited to the job. I did write software on various other PLCs though, and the level of security on these devices was always either very cursory or non-existent. Lack of security on such devices shouldn't come as any great shock though, because at least in the application domains I dealt with, industrial control systems were only very rarely connected to SCADA systems or the general administrative IT system of a factory. In some cases security meant using a key to turn a dial to a particular number, so you would need physical access to the factory, control room and control cabinet or machinery together with quite specialised knowledge about what to do with the particular electronics. Factory-level security - gates and security guards at entrances - was always highly variable, ranging from ultra strict to just being able to walk directly into a factory without being questioned by anyone, but security on control rooms and cabinets was usually adequate.
So if Stuxnet was specifically targeting Siemens PLCs, this probably narrows down the possible culprits to control systems engineers. Those devices are fairly complex and expensive. It takes a non-trivial amount of time to learn how they operate (it's nothing like web or database programming on a Windows PC or a mobile phone), and it's not really the sort of thing which even an ardent technophile such as myself would hack on in their spare time outside of a work environment.
The Guardian article, which is a bit more in depth than others I've read on this topic, downplays the possibility of a financial motive, but a proposition such as "pay us $X, or else we shut your factory down" could be quite lucrative for organised crime groups, who might also have the finances to be able to recruit and train a specialist control systems engineer. Nationalistic/tribalist malevolence is also a possibility, and nation states would certainly have the means and motive to generate this sort of malware.
Probably the moral of the tale is don't run mission-critical applications, such as SCADA systems, on Windows, although I realise that currently the alternatives may be few and far between (maybe a gap in the market). Windows was designed primarily for home computer users, and wasn't created from the outset to be a secure networked system. Also, in a factory environment it's probably a good idea to have some policy with regard to use of USB pen drives, and maybe it's wise to disable any unused USB ports in the BIOS on computers running critical applications.
Friday, September 24, 2010