m@ksim.pro
Security 4 min read

After Stuxnet: ICS segmentation is no longer optional

How to ground industrial control system security in real assets, contractors, maintenance windows, and a minimum isolation baseline.

Stuxnet became publicly known in 2010. Since then it has become a standard reference point in security circles and the subject of countless articles about cyberwarfare. But in most companies that operate industrial control systems, no practical conclusions have been drawn from it.

I am not going to retell the story of Iranian centrifuges. What interests me is something else: what from Stuxnet applies to an ordinary enterprise that has no weapons program, but does have SCADA, PLCs, and process equipment connected to a network.

Why ICS needs to be separate from the corporate network

For a long time industrial control systems lived in isolation by default - simply because there was no technical reason to connect them. Equipment operated autonomously. Protocols were proprietary. Interfaces were specialised.

Over the past decade that changed. Companies started connecting ICS to corporate networks for remote monitoring, ERP integration, and remote maintenance by vendors. This brought real operational advantages. It also opened a class of vulnerabilities that previously did not exist.

ICS differs from a corporate IT environment in several important ways. Equipment runs for years without reboots - patches are not applied or applied rarely. Availability matters more than confidentiality: stopping a production process costs money. Updating firmware or replacing a component requires a maintenance window scheduled weeks in advance. Much of the equipment runs on operating systems the manufacturer no longer supports.

Where the threat actually comes from

Stuxnet used several vectors. For a typical enterprise, two are most relevant.

Contractors and service engineers. Equipment vendors connect to ICS regularly for diagnostics and maintenance. They come with their own laptops and USB drives. The security standards for their machines are often lower than yours. This is a ready-made vector for delivering malicious code into an isolated segment.

The corporate network as a bridge. If ICS is connected to the corporate network without clear segmentation, compromising any corporate machine potentially opens a path to process equipment. A phishing email to an accountant seems far removed from pump control - but only if there is a real boundary between them.

What a minimum isolation baseline looks like

Complete ICS isolation ("air gap") is often operationally unrealistic. But there is a minimum set of measures that already meaningfully reduces risk.

Network segmentation. ICS must sit in a separate network segment with explicitly defined traffic rules. No direct access from the corporate network. Any required integration goes through a demilitarised zone with explicit controls.

Control of external access. Vendor and contractor connections only through a controlled gateway, with authorisation, logging, and time-limited access. No autonomous connections - no plugging a personal laptop directly into company equipment.

Asset inventory. You cannot protect what you do not know about. A list of all devices on the process network, their firmware and operating system versions, and their support status - this is the baseline without which everything else operates blind.

Maintenance windows for updates. Patches are applied slowly - that is reality. But having at least a plan - which equipment gets updated when, and by whom - is already better than "we'll update it eventually."
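The segmentation and external-access rules above can be checked mechanically once the firewall policy is flattened into zone-to-zone rules. The script below is an added example written for this post, not the author's own tooling: the zone names, the rule format and the sample policy are all assumptions, and it flags direct corporate-to-ICS flows, contractor access that is not logged or time-limited, and a policy with no catch-all deny into the ICS segment.

```python
from dataclasses import dataclass
from typing import List, Optional

# Zone names are assumptions for this example; "*" means any zone.
CORP, DMZ, ICS, VENDOR, ANY = "corp", "dmz", "ics", "vendor", "*"

@dataclass(frozen=True)
class Rule:
    src: str                          # zone where the flow originates
    dst: str                          # zone where the flow terminates
    action: str                       # "allow" or "deny"
    logged: bool = False              # is the flow written to a log?
    ttl_hours: Optional[int] = None   # time limit on the grant, if any

def audit(rules: List[Rule]) -> List[str]:
    """Return the baseline violations found in a flattened zone-to-zone policy."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # Segmentation: only the DMZ (or the ICS segment itself) may open flows into ICS.
        if r.dst == ICS and r.src not in (DMZ, ICS):
            findings.append(f"rule {i}: {r.src} -> {ICS} bypasses the DMZ")
        # External access: contractor flows must be logged and time-limited.
        if r.src == VENDOR:
            if not r.logged:
                findings.append(f"rule {i}: vendor -> {r.dst} is not logged")
            if r.ttl_hours is None:
                findings.append(f"rule {i}: vendor -> {r.dst} has no time limit")
    # The policy must end with an explicit catch-all deny into the ICS segment.
    if not any(r.action == "deny" and r.src == ANY and r.dst == ICS for r in rules):
        findings.append("policy: no default deny of traffic into the ICS segment")
    return findings

# Constructed sample policy: the usual "we connected it for remote monitoring" state.
SAMPLE_RULES = [
    Rule(CORP, DMZ, "allow", logged=True),                 # ok: ERP integration via the DMZ
    Rule(DMZ, ICS, "allow", logged=True),                  # ok: DMZ historian pulls from ICS
    Rule(CORP, ICS, "allow"),                              # violation: direct corporate access
    Rule(VENDOR, DMZ, "allow", logged=True, ttl_hours=8),  # ok: controlled gateway session
    Rule(VENDOR, ICS, "allow"),                            # bypass, not logged, no time limit
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run against the sample policy it reports five findings; a policy that routes everything through the DMZ, logs and time-limits vendor sessions, and ends with `Rule(ANY, ICS, "deny")` returns an empty list.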

What to check right now

I suggest starting not with a security audit, but with a few concrete questions to your team:

  1. Do you have a complete list of devices on your process network - with firmware versions and manufacturer support status?
  2. Exactly how do contractors connect to your equipment - and who controls that?
  3. Is there a physical or logical boundary between the corporate network and the ICS - and who can cross it?
  4. What happens to your production process if a key PLC fails for twenty-four hours?

The last question is not about security. It is about understanding the real value of the assets that need to be protected. Without that understanding, security becomes an abstract exercise rather than a management decision.

Stuxnet was a state-level attack on a specific target. But it demonstrated a class of vulnerabilities that exists across most industrial enterprises. Ignoring it means waiting for someone far less sophisticated to use the same vectors for far more mundane goals.


If this resonated, write to me. I reply personally.
