First parts of Stuxnet’s attack technology have found their way into exploit tools, a.k.a. penetration testing frameworks. Core impact has added some of the exploits, Immunity’s canvas even more. So far, no tool seems to offer Stuxnet’s PLC exploits. People who attended WeissCon 2009 or one of our control system security training seminars will remember our fully-functional proof of concept software that manipulates controllers without any insider knowledge. If we wanted to, we could implement a configurable controller exploit framework that includes Stuxnet’s more nasty attack technology within four weeks. We won’t do it. But others probably will. They may need longer, but we don’t know if they haven’t started already.