Recommendations for asset owners:
Define and enforce a high security level for your engineering stations, ESPECIALLY the mobile ones.
Do not allow staff to use these stations for private purposes (browsing the Internet, playing media, etc.).
Start securing these systems with whitelisting solutions.
Define and enforce a high security level for contractors that have network access to your systems, either locally or remotely.
Start removing shared folders.
Remove critical systems from the network if the network connection is used only for convenience.
Review your security policies for accessing systems with VNC, RDP and similar remote-access products.
Develop a zoning concept for your network and implement it.
Use PLC version control systems.
Do not assume an attack could never originate from a PLC.
Enforce security policy even during commissioning.
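The recommendations to use PLC version control and to stop assuming a PLC cannot be the origin of an attack both rest on the same capability: knowing which program a PLC is supposed to run and noticing when it runs something else. The following Go program is an added example of such a baseline check and is not code from the original author or from any product; the baseline structure, the PLC names and the program images are constructed for illustration, and a real deployment would read the images back through the PLC's own protocol and keep the baseline on a protected system.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Revision is one approved state of a PLC program in the version-control baseline.
type Revision struct {
	Version  int
	Hash     string // hex SHA-256 of the compiled program image
	Approver string
}

// Baseline maps a PLC identifier to its approved revisions, oldest first.
// Assumption: the baseline is kept on a protected system, not on the PLC itself.
type Baseline map[string][]Revision

// CheckResult describes how a program read back from a PLC compares to the baseline.
type CheckResult struct {
	PLC     string
	Status  string // "current", "stale" (older approved revision), or "unknown"
	Version int    // matching revision number, 0 when unknown
	Hash    string
}

func hashProgram(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// Approve records a new revision after an engineering change has been reviewed.
func (b Baseline) Approve(plc string, image []byte, approver string) Revision {
	rev := Revision{Version: len(b[plc]) + 1, Hash: hashProgram(image), Approver: approver}
	b[plc] = append(b[plc], rev)
	return rev
}

// Check compares a program image uploaded from the PLC with the baseline.
// "unknown" means the running program matches no approved revision and should
// be treated as a possible unauthorized modification until proven otherwise.
func (b Baseline) Check(plc string, image []byte) CheckResult {
	h := hashProgram(image)
	revs := b[plc]
	res := CheckResult{PLC: plc, Status: "unknown", Hash: h}
	for _, r := range revs {
		if r.Hash != h {
			continue
		}
		res.Version = r.Version
		if r.Version == len(revs) {
			res.Status = "current"
		} else {
			res.Status = "stale"
		}
	}
	return res
}

func main() {
	// Constructed sample images standing in for compiled ladder logic.
	v1 := []byte("constructed ladder logic, revision 1")
	v2 := []byte("constructed ladder logic, revision 2")
	b := Baseline{}
	b.Approve("PLC-01", v1, "engineer A")
	b.Approve("PLC-01", v2, "engineer B")

	// Periodic readback: the same PLC seen running the current revision,
	// an old approved revision, and a program that was never approved.
	for _, probe := range []struct {
		plc   string
		image []byte
	}{
		{"PLC-01", v2},
		{"PLC-01", v1},
		{"PLC-01", []byte("constructed ladder logic, modified out of band")},
	} {
		r := b.Check(probe.plc, probe.image)
		fmt.Printf("%s: %s (rev %d) %s\n", r.PLC, r.Status, r.Version, r.Hash[:12])
	}
}
```

A "stale" result is worth an alert in its own right: it means somebody downloaded an approved but superseded program without the change passing through the baseline, which is exactly the kind of out-of-band engineering activity the policy above is meant to surface.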
Recommendations for vendors:
Test and certify whitelisting solutions for your products.
Make your products configurable so that they do not require file shares.
Architect your next SCADA product version so that it is not scattered across a myriad of DLLs.
Start developing product versions that support separate channels for PLC programming and SCADA communication.
Start developing product versions that support digital signatures for ladder logic and PLC firmware.
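The last recommendation asks for digital signatures on ladder logic and PLC firmware. The Go program below is an added example of what that looks like end to end and is not code from the original author or from any vendor: a release station signs a program image together with its version number, and the PLC (or download tool) refuses the download when the signature does not verify or when the version is older than the one it already runs. The container format, the domain tag and the key handling are assumptions made for the example; Ed25519 from Go's standard library is used because it is small enough to fit in a controller and needs no parameter choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedProgram is the container an engineering station would download to a PLC:
// the program image, its version, and a signature over both.
// Assumption: the container format is hypothetical; real products define their own.
type SignedProgram struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedMessage binds a domain tag, the version and the image together so a
// valid signature cannot be replayed on a different revision or on a different
// artifact type (for example firmware instead of ladder logic).
func signedMessage(version uint32, image []byte) []byte {
	msg := []byte("plc-ladder-logic-v1\x00")
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	msg = append(msg, v[:]...)
	return append(msg, image...)
}

// GenerateReleaseKey creates the vendor or plant release key pair. The private
// key would live on an offline release station or HSM, never on the PLC.
func GenerateReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignProgram runs on the release station holding the private key.
func SignProgram(priv ed25519.PrivateKey, version uint32, image []byte) SignedProgram {
	return SignedProgram{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

// VerifyProgram is the check the PLC (or the download tool) performs before
// accepting a program. minVersion is the lowest version the PLC still accepts,
// so that an old but validly signed program cannot be rolled back in.
func VerifyProgram(pub ed25519.PublicKey, sp SignedProgram, minVersion uint32) error {
	if len(sp.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature: program rejected")
	}
	if !ed25519.Verify(pub, signedMessage(sp.Version, sp.Image), sp.Signature) {
		return errors.New("signature invalid: program rejected")
	}
	if sp.Version < minVersion {
		return fmt.Errorf("rollback rejected: version %d is below minimum %d", sp.Version, minVersion)
	}
	return nil
}

func main() {
	pub, priv := GenerateReleaseKey()
	image := []byte("constructed ladder logic image") // constructed sample, not a real program
	sp := SignProgram(priv, 3, image)

	fmt.Println("genuine: ", VerifyProgram(pub, sp, 3))

	// One flipped bit in the image invalidates the signature.
	tampered := sp
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01
	fmt.Println("tampered:", VerifyProgram(pub, tampered, 3))

	// A genuine but superseded program is refused once the PLC's floor is raised.
	fmt.Println("rollback:", VerifyProgram(pub, sp, 4))
}
```

The same construction applies to firmware images; only the domain tag changes, which is what keeps a signed ladder logic file from being accepted as firmware or vice versa. The public key has to reach the PLC through a trusted path (factory provisioning or a signed configuration), since a PLC that accepts any key presented during download has gained nothing.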
Recommendations for security companies:
Release whitelisting product versions for obsolete OS versions.
Release standalone versions of your whitelisting products that do not require a central administration server.