Some comments and an invitation re: Stuxnet

After my FAZ piece came out, I got some messages and comments from people in the industry, telling me that nuclear power stations are generally run by better-protected variants of S7 that fulfill a higher security level known as SIL-4.

That may very well be the case, but it does not say anything about the standards used in Iran. As far as I know (please correct me if I am wrong), at least some SIL-4 graded components are subject to even tighter export controls, are sold by fewer vendors and are much more expensive – all adding to the already bad procurement problem. If you run a nuclear program on a budget, you take what you can get to do the job, which in Iran's case seems to be second-hand and older systems they could just find on the world's markets, which most probably would be S7 300-series components.

As for the security of German nuclear power plants and industrial systems, I would find it very reassuring if the operators would explain in detail why they think their systems are secure. Claiming “this could never happen here” is the inscription on many security systems' tombstones… So here is the invitation: please submit your technically detailed talk to the Chaos Communication Congress and explain to the hacker community why the industrial control systems here are immune to a Stuxnet-grade attack. We would all sleep better if you can convince us.