I have some good news and some bad news on yesterday’s Senate’s hearing about securing critical infrastructure in the age of Stuxnet. Good news first: The US Senate has grasped the magnitude of the Stuxnet problem. That’s very promising, and there is no irony here. If I had reason to assume that our published research results on Stuxnet contributed only ten percent to the awareness that initiated the hearing, I would say it was worth the effort. More good news: Michael Assante was up to snuff. His best line: We’re running out of time. Good job, Mike.
The bad news: They let Sean McGurk get away with saying nothing. It’s not that I had a problem with Sean, it’s solely about the message on Stuxnet he keeps repeating over and over again. He is telling about DHS’ EFFORTS in dealing with Stuxnet, but he can’t show RESULTS. Zero. Nada. Niente. Nothing. All these tremendous efforts, and no results to share. Why does nobody recognize this? Why do we have to listen to all this talk about his flyaway teams over and over again, without a single bit of hardcore information on Stuxnet that he can come up with? Actually this is amazing because Sean also tells that ICS-CERT has been able to analyze Stuxnet’s capabilities on real equipment, including PLCs. I was waiting for Senator Lieberman to ask Sean: Well, Mr. McGurk, so please tell us what Stuxnet’s capabilities ARE. Show us what you have discovered. Unfortunately, it didn’t happen.
Senator Lieberman is invited to contact me by phone or email. We can talk about our flyaway team (see picture), or we can talk terms about the impact of Stuxnet on critical infrastructure protection.