Jan 16 (Reuters) - A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant off line for three weeks, according to a report posted on a U.S. government website. The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.
It was introduced by an employee of a third-party contractor that does business with the utility, according to the agency.
This is not an exceptionally helpful story as far as communicating the real security problems associated with ICS. Tying together this incident (untargeted and not specific to the platform) and Stuxnet (targeted and designed for the exact equipment in place) makes for titillating copy, but it's comparing oranges and tangerines. Lumping all incidents associated with critical infrastructure systems together is equally misleading: like saying the solutions to pick-pocketing and murder are one and the same. Getting on a random box in a power plant and shutting off the lights are two wildly different things. Both need to be addressed, but awareness and insight will get us to effective solutions faster. We have a hard enough problem getting the general population to care about these issues when they impact them directly and daily; "1337 h@x0r$ sending us to the dark ages" isn't going to get us anywhere.