stuxnet

Protecting your ICS from Zero-Day Attacks (plus Video)

Nowadays Stuxnet has become a household term the second anyone talks about cyber security for industrial control systems (ICS). This sophisticated piece of malware, first identified in 2010, showed just how powerful an ICS compromise could be in terms of both the impact to manufacturing operations and the possibility of mechanical damage. Was this an isolated attack, unlikely to occur again, or the beginning of a new era in ICS security issues?

Protecting your ICONICS GENESIS SCADA HMI System from Security Vulnerabilities (plus White Paper)

As mentioned in a blog article we wrote earlier this week, an Italian “Security Researcher” named Luigi Auriemma published thirty-four SCADA product vulnerabilities against four SCADA products (the complete list of vulnerabilities and companies is provided in the earlier article).

Summing up Stuxnet in 4 Easy Sections - (plus Handy Presentation)

There has been a lot of media coverage and discussion of the Stuxnet malware, and its impact on industrial control system (ICS) and SCADA security. We are one of the groups guilty of creating a Stuxnet publishing industry.

ISA99 Stuxnet Gap Assessment – Why It’s Important

Last week the International Society of Automation (ISA) announced that a new committee, ISA99 WG5 TG2, has been struck to conduct a gap analysis of the current ANSI/ISA-99 standards with respect to Stuxnet. The goal is to determine if companies following the standards would have been protected from advanced persistent threats (APTs) such as Stuxnet. If not, then the committee will identify what changes are needed.

I have been asked to Chair the committee and I am writing today to let you know about its work, to explain why it is important, and to ask for your participation.

The Many Paths of Stuxnet – How Robust are Today’s Best Practice Systems?

Over the past four months, Joel Langill, Andrew Ginter and I have been working on a really cool research project. We have been investigating how Stuxnet would infect an industrial site protected by a “high security architecture.”

Stuxnet: Staying Ahead of the Bad Guys

Last week I had the chance to attend a very interesting seminar at the Stanford Research Institute called the DHS/SRI Infosec Technology Transition Council Meeting (ITTC). It wasn’t focused on SCADA or ICS or even Stuxnet, yet some of the talks had a lot of applicability to the control systems world.

Industrial Network Security – is the Process Control World getting Serious about it?

Recently a partner of ours, Invensys Operations Management, won the prestigious Breakthrough Product of the Year Award for 2010 from Processing Magazine. They won it for a product that we helped engineer, the Triconex Tofino OPC Firewall.

We think this is a big deal for two reasons. Obviously one reason is that a product we helped create won a major award – pretty cool.

Stuxnet Guidance: The Good, the Bad and the Ugly

Over the past month, there has been no shortage of reports on how Stuxnet is attacking the Iranian Nuclear Program. Unfortunately, good advice on what exactly Industrial Control System (ICS) owner/operators can do to protect themselves against Stuxnet (and its future offspring) is in short supply. In fact much of what passes as technical guidance is either too IT-focused or simply wrong.

Stuxnet Lesson: Is SCADA/Control Field Device Firmware the Next Malware Target?

In the post-Stuxnet cyber security world, many vendors are actively thinking about protective measures that could prevent a similar attack on industrial systems.

Such measures could be implemented at the PC-level, the PLC-level, or even the Profibus or device-level. They could include methods such as antivirus-scanners, firewalls, patch management, password policies, USB usage policies, code integrity checkers, etc. However, all of these measures are ones that are implemented at the highest levels of an industrial system.

Human Centered Design is Key to Industrial Control Systems Security and Safety

In reviewing material about Industrial Control Systems (ICS) there is one element that, in my opinion, is the most important factor to consider - especially in light of the recent hubbub about Stuxnet and ICS Security. That element is human centered design.

Every aspect of the control system life cycle, whether it is Concept, Design, Construction, Operation, Maintenance, Safety or Security, includes the human element. It is nothing new, but we all see time and time again where human factors, rather than technical factors, play a major role in security and/or safety issues.

Stuxnet and DoS Attacks on SCADA News Lists means Increased Risk for Industrial Control Systems

Thanks to all the publicity around Stuxnet, there has also been growing interest regarding the reported Denial of Service (DoS) attacks against the industry mail list that I sponsor, SCADAPerspective. I want to take this opportunity to set the record straight on what actually happened back in July 2010 and to let you know why it signifies increased risk for all industrial control systems.

Iran Confirms Stuxnet Impacts their Centrifuges / Was Iran’s Stuxnet Expert Assassinated??

The Stuxnet story is getting stranger by the minute. First Iran’s President, Mahmoud Ahmadinejad, gave a press conference earlier today where he admitted that Stuxnet had hit Iran’s uranium enrichment centrifuges.

Bad News for SCADA - Stuxnet gets Scarier

Over the past two weeks, there has been considerable progress in determining exactly what industrial process Stuxnet’s creators were trying to destroy. This news is not good for the industrial control system and SCADA communities.

First the Symantec team announced that one of Stuxnet’s payloads was designed to change the output frequencies of specific Variable Frequency Drives (VFDs) and thus the speed of the motors connected to them, essentially sabotaging the industrial process.

Dual Homed Machines are the Juiciest Targets

It is easy for me to forget that just because I have taught a concept at one or two conferences, not everyone in the world has heard it. This was driven home with amazing clarity at the Hirschmann Critical Network Design Conference back in September when a participant asked me:

We use computers with two network cards as security between the control system and the business system. Is that a good idea?

Using Tofino Security to Control Stuxnet - New Application Note

One of the three pathways Stuxnet uses to infect other computers is via the Local Area Network communications inside the control system (the other two are via infected USB drives and via infected Siemens project files).

This blog post addresses how to restrict network-driven infections using the Tofino Industrial Security Solution as the example product for mitigation. Tofino is our own product, so you know where my bias is. However, no matter what technology is deployed, the concepts I will talk about are the same.

Controlling Stuxnet – No More Flat Networks PLEASE. Let's Embrace "Security Zones".

In last week’s post, I mentioned that Eric Cornelius gave a very interesting talk at last week’s ICSJWG meetings. Cornelius works for INL (Idaho National Labs) and they are doing Stuxnet research for the US Government.

I want to highlight some of Cornelius’ comments, as well as other themes that came up that are important for the average SCADA / ICS system engineer or manager.

ICSJWG – recharging industrial cyber security

The Industrial Control Systems Joint Working Group (ICSJWG) Fall 2010 Conference just wrapped up today. For the first time, I was glad I attended. It was three days well spent.

If you haven’t heard of ICSJWG, you are not alone. It is a US-Department of Homeland Security initiative to give vendors, researchers and end-users a chance to network and explore the issues that make securing SCADA and industrial control systems difficult.

Stuxnet Mitigation Matrix Updated

This is a short note to let you know that we have updated our Stuxnet Mitigation Matrix to version 1.1, based on feedback from our readers.
 
The new version addresses the need to test and/or confirm all mitigations, including firewalling the Remote Procedure Call (RPC) protocol.

Invensys OpsManage '10, Stuxnet and USB Keys

Just flying back from OpsManage '10, the Invensys Users Group meetings that have been going on all week in Florida. I missed a few days, so I can’t comment on some of the early presentations, but three things did catch my eye.

Stuxnet Mitigation Matrix

Our goal with this blog is to provide you with practical information to help you avoid network incidents that disrupt operations.

With this in mind, today we are releasing a Stuxnet Mitigation Matrix that presents easy-to-follow actions to take against Stuxnet.

PDF Stuxnet Mitigation Matrix by Tofino Security is a printable version of the mitigation matrix that includes dynamic links to detailed information on each of the patches and mitigations.
