Trying a new, blunt method of communication because numerous blog entries, presentations and papers just aren’t getting through. Please read and reread the following paragraph:
If you have network access to almost any PLC, RTU or other type of field device, then you can take complete control of that field device and the underlying process. This has always been true. There is no “vulnerability” required in the product because there is no authentication required to upload new firmware, ladder logic, send process change/write commands or whatever you want to do.
All an attacker needs to do is a bit of protocol analysis to understand how the Engineering Work Station communicates with the PLC, and then they can completely control the PLC and the underlying process.
This is very old news, despite all the excitement caused by the Beresford incident. INL dubbed it the Boreas Vulnerability around 2008.
Digital Bond presented a paper at S4 2009 showing how we loaded rogue firmware into a Rockwell Automation ControlLogix and a Koyo ECOM-400. What we loaded was orders of magnitude less sophisticated in how it affected a process than Stuxnet, but it only took a couple of weeks. Here is the paper.
To date neither these vendors, nor Siemens, nor any other vendor has addressed this underlying problem: the lack of any authentication or security controls to prevent someone with logical access from modifying whatever they want, however they want. If you want to buy a brand new, full featured PLC/PAC/RTU, you can’t get even simple source and data authentication. We have been waiting to herald the first vendor that offers this.