How Much Security Do You Expect For Free

•27/04/2011

http://www.bbc.co.uk/news/technology-13192359

There is a parallel with our industry, which I will get to eventually. Some of you may be aware of the PlayStation Network, which is Sony's answer to Xbox Live in that it is a free multiplayer gaming service and media provider (unlike Xbox Live, where online play requires a subscription). So, given that Sony are not paid to support the service and upgrade/development costs are funded by Sony themselves, what incentive did they have, until the incident occurred, to ensure the security of the system and the data that it held?

This is the same issue facing control system users and vendors. Control system users will nearly always prioritise features over security. Also, the vendor will not be directly impacted by any breach of a control system (our network's just fine, thankyouverymuch). So where is the vendor's incentive, and where is the user's incentive? Apart from Stuxnet, there are few real hard-and-fast incident metrics that can be used to determine any ROI on security. And you can even argue that Stuxnet was a targeted attack that did not impact a large majority of the control systems in the world.

So what's the next step: for vendors to keep providing "security for free", for the vendors to make a concerted effort to shore up their software, or for the customers to realise that control system security is an issue that we all share?

While you were debating if the threat was real…

•03/06/2009

Project Aurora

•26/03/2009

 

A good wake-up call, covered by CNN, showing that control systems are becoming a more viable and interesting target, and that the status quo of security by obscurity was not going to be maintained.

“The primary vulnerability is economic.”

•25/03/2009

We felt this was as good a place to start as any.

The video starts a little more than ten minutes in.

 