According to Hahn, the good guys usually win, but not easily. The test networks are riddled with holes, none of which are known in advance to Blue Team members, and it's often a scramble to secure the systems before the Red Team maps out the network and disrupts the factory floor.
The control systems program is one of the U.S. government's main weapons as it tries to beef up computer security in power plants, at chemical refineries and on factory floors. Companies that make the hardware and software for big industrial machines can come to INL for a hard-nosed security evaluation of their products. It's a good deal for vendors, as part of their testing costs are covered by taxpayers, and it's good for the lab, because its engineers get to learn about security problems that could flare up in the future.
Although INL has been doing this work quietly for close to a decade -- last year it assessed products from 75 vendors -- the publicity around Stuxnet has put it in the spotlight like never before.
The world dodged a bullet with Stuxnet. Although it spread across the globe, it left almost every system it infected operational. It was a cyber sniper-shot aimed at uranium-enriching centrifuges at Iran's Natanz nuclear reactor.
The possibility of a second industrial systems worm has many security experts worried, though. Stuxnet infected tens of thousands of systems, including many that contained Siemens programmable logic controllers. If it had been designed to mess up every Siemens system it infected, instead of damaging only the Natanz centrifuges, it could have caused widespread damage.
Now that Stuxnet has proved that these machines can be hit, another cyber attack on industrial systems is inevitable, according to Michael Assante, CEO of the National Board of Information Security Examiners, and a noted expert on industrial security issues. "It's a matter of time," he said.
But is the U.S. Department of Homeland Security's ICS-CERT (Industrial Control Systems) team, set up at INL to respond to this type of incident, ready for a serious problem? Critics say the DHS was slow to respond to the Stuxnet threat and parsimonious with the information it did share.
DHS officials at the training exercise defended their handling of Stuxnet, but the man in charge of ICS-CERT said there's room for improvement. "I think there's always going to be an evaluation of how much information do we release, when do we release it and how do we release it," said Marty Edwards, the ICS-CERT's director. "So as we continuously evaluate those, and Stuxnet was a very good case study of how we performed, we'll continue to fine-tune the processes to give industry the tools they need to defend these systems."