The man-in-the-middle attack on the 417 has some very important aspects that cannot be overemphasized:
1. The attack combines denial-of-control and denial-of-view.
The legitimate program on the controller is no longer in control, WITHOUT RECOGNIZING IT. The same holds for operators looking at HMI screens. No alarms, bells, or whistles go off while rogue code on the controllers manipulates outputs at will.
2. The MITM attack as such is generic and can be packaged into exploit tools.
The man-in-the-middle is not tied to any application-specific code, process, or machinery. It can be used to attack any process. Technically it can be packaged into an exploit tool that lets attackers assemble an attack by point-and-click. It cannot be ruled out that the developers of Stuxnet actually carried their effort to this point, making it very easy to re-use the weapon against other targets. If they didn't, others who follow them might invest the effort.
3. Copying the attack does not require insider knowledge.
You may have heard that Stuxnet-inspired malware is very unlikely because it would require an extreme amount of insider knowledge about the attacked installation. This is simply not true. With an exploit tool as described above in his hands, any idiot can attack an automated process. All that needs to be done is to blind the legitimate program, along with the operators, by replaying normal input signals and manipulating outputs at random. You won't be able to destroy a steam turbine this way, but you will be able to cause a LOT of trouble, whether the attacked target is an automotive factory, a chemical plant, a traffic light system, or the HVAC of a hospital.