As the Internet says,
Security is as strong as its weakest link.
While researchers are busy analyzing Stuxnet and Duqu, a wide range of ICS devices sits on the Internet with little or almost no security at all. Current research covers only the highly critical targets, while low- and medium-criticality targets are almost ignored. I wouldn't say that the researchers' strategy is wrong; they are right, it is the right choice to protect an oil refinery from an intruder rather than the water treatment plant of a golf course. It must be the responsibility of the vendors to protect against such attacks; actually, it doesn't require path-breaking research to protect these (low- and medium-criticality) devices. The right architecture and the right configuration is all it takes to secure them.
I don't know how many would believe me if I say I saw this thing many times before the news even broke. It was just hanging around in Shodan. The default password was 100 or 101, I believe, if my memory cells are still intact. One does not need a high-probability NIDS to protect the infrastructure of these devices, since they are hardly ever targeted by industrial/political espionage or terror attacks. The people who hijack these devices are simple script kiddies or psychopaths.
I'm not saying that the security of low- and medium-criticality systems should be taken lightly, but instead of leaving them alone without any protective measures, I think that, for the time being, a few very basic solutions by the vendors or the infrastructure admin might keep those script kiddies away.
By basic solutions I mean:
* Make VPN support available out of the box.
* A login banner that shows the last login time, IP address and hostname.
* Strong passwords.
* Clean or deceptive banners; after all, that is how Shodan identifies you.
* Strip out legacy services like FTP and SNMP.
* A sticker which says "Do not connect this thing to the Internet without a basic VPN" 🙂
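To make the checklist concrete, here is an added example (not code from the original post) that does the two things the list is about: it matches service banners against fingerprint rules the way a Shodan-style crawler identifies a device, and it audits a device's open ports and banners against the items above (legacy FTP/Telnet/SNMP exposed, banner leaking vendor and firmware, no VPN endpoint). The device "Acme PLC-3000", its firmware strings, the banners and the fingerprint regexes are all constructed for illustration and are not real product signatures or Shodan's rules; the port numbers are the standard defaults for FTP, Telnet, SNMP, IKE/IPsec, OpenVPN and WireGuard.

```python
"""Exposure check for a small Internet-facing ICS device (added example).

Everything named here is constructed: "Acme PLC-3000", its firmware strings,
the banners and the fingerprint regexes are illustrative, not real signatures.
"""
import re

# Cleartext management services that should not face the Internet
# (assumption: standard IANA ports).
LEGACY_SERVICES = {21: "FTP", 23: "Telnet", 161: "SNMP"}

# Ports whose presence suggests remote access is wrapped in a VPN
# (standard defaults for IKE, IPsec NAT-T, OpenVPN, WireGuard).
VPN_PORTS = {500: "IKE", 4500: "IPsec NAT-T", 1194: "OpenVPN", 51820: "WireGuard"}

# Hypothetical crawler fingerprints: (regex over the banner, what a match reveals).
# A capturing group, when present, is the detail reported; otherwise the match itself.
FINGERPRINTS = [
    (re.compile(r"Acme\s*PLC-3000", re.I), "Acme PLC-3000 controller"),
    (re.compile(r"firmware\s+(\d+(?:\.\d+)+)", re.I), "firmware version"),
    (re.compile(r"^Server:\s*(\S+)", re.I | re.M), "embedded web server build"),
]

# Constructed banners as a crawler would see them: port -> first bytes returned.
STOCK_DEVICE = {
    21: "220 Acme PLC-3000 FTP server (firmware 1.2.4) ready.\r\n",
    23: "Acme PLC-3000 login: ",
    80: "HTTP/1.0 200 OK\r\nServer: AcmeWeb/2.1\r\nContent-Type: text/html\r\n\r\n",
    161: "sysDescr: Acme PLC-3000 firmware 1.2.4",
}

# The same device after the checklist: legacy services and the web UI are only
# reachable through the IPsec tunnel, so the Internet sees just the IKE ports,
# which return no identifying banner.
HARDENED_DEVICE = {500: "", 4500: ""}


def fingerprint(banner):
    """Return the identifying facts a single banner leaks, in rule order."""
    leaks = []
    for pattern, meaning in FINGERPRINTS:
        match = pattern.search(banner)
        if match:
            detail = match.group(1) if match.groups() else match.group(0)
            leaks.append(f"{meaning}: {detail}")
    return leaks


def audit(services):
    """Check a port -> banner map against the checklist and return findings."""
    findings = []
    for port in sorted(services):
        if port in LEGACY_SERVICES:
            findings.append(f"port {port}: legacy {LEGACY_SERVICES[port]} exposed")
        for leak in fingerprint(services[port]):
            findings.append(f"port {port}: banner leaks {leak}")
    # Heuristic: anything open besides a VPN endpoint, with no VPN endpoint at
    # all, means management is reachable directly from the Internet.
    exposed = [p for p in services if p not in VPN_PORTS]
    if exposed and not any(p in VPN_PORTS for p in services):
        findings.append("no VPN endpoint: management reachable directly from the Internet")
    return findings


if __name__ == "__main__":
    for name, device in (("stock", STOCK_DEVICE), ("hardened", HARDENED_DEVICE)):
        print(f"{name} device:")
        for finding in audit(device) or ["no findings"]:
            print("  -", finding)
```

Run stand-alone, the script lists ten findings for the stock profile (three legacy services, six banner leaks, no VPN) and none for the hardened one. The interesting comparison is port 80: the stock `Server:` header alone is enough for the fingerprinter to name the web server build, while the same response without that header yields nothing, which is the "clean banners" item in practice. The VPN check is deliberately a heuristic on open ports, not proof that the tunnel is configured correctly.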