Re: Excellent
@boltar - "There is no reason a public utility or any industrial system needs to be linked to the outside world via the public internet."
Accounting doesn't need to know in an up to date and accurate manner from production how much was sold at what price (keeping in mind that demand and prices change continuously these days)? Accounting doesn't need e-mail? E-mail doesn't need to connect to the Internet? That's the sort of train of logic you're following. It's the indirect connections through a chain of systems which is where the problem is.
The way that Stuxnet is believed to have got in was through the contract software developer's workstations. The software developer has an internet connection at his office because he needs one to conduct business, as well as to do things such minor things as install (and validate the copy-protection keys for) the eye-wateringly expensive proprietary development software. So, infect the software developer's laptop via a simple phishing attack. The next time the developer goes on site to install updates or debug a SCADA server, the virus is transferred to the SCADA server, or data is transferred the other way (if the virus is already installed). When the software developer returns back to his office and connects to the Internet, the return connection to the virus author is made.
As for a SCADA server, it's just an MS Windows PC, with all the corresponding zero day exploits which go along with that, which can be bought off the black market for the right price. The SCADA server is networked to the actual control system (the PLC normally), and sends it what appear to be legitimate commands and reads back data to display and store in a database (it was an MS SQL Server vulnerability which Stuxnet exploited).
Let's follow the "air gap" logic to its conclusion. By this logic, software developers and system administrators much not ever, ever, at any time have access to the Internet from any system which they have access to at work. Allowing them any Internet access at all for any purpose potentially defeats the air gap. The same goes for accounting, engineering, etc. Internet access must be limited to the top executives and the sales team. Everyone else must work via telephone, interdepartmental mail, and postal mail (with CDs, tapes, and disks being confiscated and destroyed in the mail room). Cell phones are also verboten, and must be left at the door. Simple, right? I bet that someone could still find a hole in this though, like say via contractors or business partners (see above for an example).
What is needed is layered defences to slow down penetrations, plus monitoring. That's how bank vaults work. There is no bank vault in existence which is impenetrable. What there are is bank vaults which take time to penetrate, plus active monitoring which will detect penetration attempts before the vault can be penetrated.