Security researchers discovered Stuxnet in 2010, and it has since become one of the most well-known malware campaigns in history. The worm was built to sabotage the industrial processes controlled by programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) systems, and it reached those controllers through the Windows workstations that program and monitor them, using four zero-day vulnerabilities in Microsoft Windows. What has the cybersecurity community learned from this incident?

SCADA Security Lessons From Stuxnet

Nowadays, not even the most secure plants are isolated from threats. In the case of Stuxnet, the air gap between the isolated plant network and the outside world was bridged by an infected USB drive.

But what does Windows have to do with SCADA? SCADA systems are no longer isolated boxes speaking only proprietary protocols. Today they are operated through human-machine interfaces (HMIs) and engineering workstations that run on commodity operating systems such as Windows, either integrated with the rest of the IT environment or simply classic IT themselves. Therefore, defending SCADA means protecting everything that surrounds the control system: the workstations, the removable media and the networks that touch it.
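The two paragraphs above describe the path Stuxnet took: removable media carried onto a Windows HMI or engineering workstation. The following PowerShell, an added example and not code from the original article or from IBM, does two things a practitioner would want on such a host: it enforces the Windows removable-storage policy (the registry keys behind the "Removable Storage Access" group policy) and it audits which USB mass-storage devices the machine has already seen. Stuxnet's USB component ran as soon as the drive's contents were displayed in Explorer, without relying on AutoRun, so the deny-read setting, not the AutoRun switch alone, is the control that matters. Function names and the report layout are my choices; the registry paths and value names are the documented Windows ones.

```powershell
#Requires -RunAsAdministrator
# Added example: harden a Windows HMI/engineering workstation against the
# removable-media path and audit prior USB storage use. Run elevated.
Set-StrictMode -Version Latest

# 1. Policy backing of "Removable Disks: Deny read/write/execute access".
#    The GUID is the Windows device-class setup ID for removable disks.
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $removableDisks -Force | Out-Null
foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
    Set-ItemProperty -Path $removableDisks -Name $name -Value 1 -Type DWord
}

# 2. Belt and braces: disable AutoRun for every drive type (bitmask 0xFF).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Verify the policy is fully set (all three deny flags = 1).
function Test-RemovableDiskPolicy {
    $p = Get-ItemProperty -Path $removableDisks -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.Deny_Read -eq 1) -and
           ($p.Deny_Write -eq 1) -and ($p.Deny_Execute -eq 1)
}

# 3. Audit: every USB mass-storage device Windows has enumerated on this host.
#    Under USBSTOR each subkey is a device model; each child is a serial/instance.
function Get-UsbStorageHistory {
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $usbstor)) { return @() }
    Get-ChildItem -Path $usbstor | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem -Path $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Model        = $model
                InstanceId   = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# 4. Recent device arrivals. Security event 6416 ("A new external device was
#    recognized") is only written when "Audit PnP Activity" is enabled, so an
#    empty result here is a finding in itself: the host is not auditing media.
function Get-RecentUsbEvents {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416
                                    StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USBSTOR' } |
        Select-Object TimeCreated, Message
}

if (Test-RemovableDiskPolicy) { 'Removable-disk policy enforced (Deny_Read/Write/Execute = 1)' }
else { Write-Warning 'Removable-disk policy NOT fully enforced' }
Get-UsbStorageHistory | Format-Table -AutoSize
Get-RecentUsbEvents  | Format-Table -AutoSize -Wrap
```

The deny flags apply to devices attached after they are set; reboot the workstation to be sure nothing already mounted stays accessible. The USBSTOR listing is historical and survives device removal, so on a host that is supposed to be air-gapped any entry at all is worth explaining.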

Protecting OT to Secure IT

SCADA systems are an important but narrow part of the IT arsenal required to provide a service. In a nuclear plant, many devices belong to the operational technology (OT) environment in addition to those that are plain IT. In practice, cybercriminals often reach IT assets through holes in OT systems: weaknesses such as unpatched embedded software or default credentials on OT devices offer a way in that requires neither deep technical know-how nor the expensive specialized equipment needed to develop an exploit from scratch.

OT consists of classic IT, SCADA, and many sensors and other devices. For this reason, OT is often included in discussions about the Internet of Things (IoT). The difference is that OT has an identifiable owner who is accountable for its security. In the case of IoT, there is very little accountability, because devices such as smart refrigerators and cameras are often designed and operated by parties that have no stake in security whatsoever.

Learning From History

It is critical to protect your OT to keep cybercriminals from poking through it, but don't forget to protect your IT as well. It is equally important to secure IoT devices from the design phase onward. If IT professionals learn from history, they can prevent a catastrophic incident like Stuxnet from befalling their organizations.
