Will Stuxnet be a Learning Opportunity?

Here's a guest post from my IBM colleague Brooks La Gree, with whom I attended the big Distributech conference in sunny San Diego last week. He and I have been talking about Stuxnet and its potential impact on the energy sector since it first surfaced, or rather, first surfaced on this blog, back in July 2010. Here's Brooks:

During congressional testimony on the Stuxnet worm in November 2010, it was recommended that Stuxnet should be leveraged as a learning opportunity to better prepare the industry for things to come. So bearing this in mind, I attended my first Distributech with the question "how many utilities and energy industry players are aware of Stuxnet?"

Granted, the implications of Stuxnet are subject to interpretation, but the fact remains this virus penetrated and reprogrammed parts of the critical infrastructure. Since this is such a watershed event, I’d sort of pictured alarm bells and flashing lights going off in utilities everywhere. So during Distributech I conducted a non-scientific poll to see how many utility employees had heard of Stuxnet. Here's what I found:

• Of at least 75 people I spoke to directly, approximately ten knew of Stuxnet, with three or four aware of its potential implications to critical infrastructure
•  The audience of the "SCADA and Network Infrastructure" panel session was asked by a panelist as to who was familiar with Stuxnet, and of approximately 200 participants, around 30 or so raised their hands 

While I know from experience there are dedicated groups of very smart people working across the industry and government to address the issues surfaced by Stuxnet, the answer to my question in general appears to be "not that many".  However, I remain optimistic that as the security conversation continues to gain traction at events and conferences, awareness and knowledge will reach the necessary critical mass. Never before has the saying "knowledge is power" been so apropos.