I’ve been closely following the investigation into Stuxnet and this video is a great introduction. I spent a big chunk of my career creating control systems, followed by another chunk creating security products. I can assure you the control system industry, and hence its customers, are very poorly prepared to deal with any serious attack. Most users, even your average developer, think that addressing a security issue just means putting out a software patch. But those more heavily involved know that in many cases a true fix can require an architectural overhaul – sometimes on a massive scale. Vendors don’t undertake this kind of change without massive pressure from their customers, and this is completely lacking in this industry. The only way I can see of forcing the needed changes (in implementation and in the mentality of the industry) prior to a disaster would be government regulation along the lines of Sarbanes-Oxley. In other words, forcing CxOs to sign off that they instituted mandated changes and that their security statements are correct. Those who know me know I generally don’t favor the creation of more regulation. However, in this case I think it is the only solution short of letting a disaster occur.