Stuxnet Mitigation Matrix

Our goal with this blog is to provide you with practical information to help you avoid network incidents that disrupt operations.

With this in mind, today we are releasing a Stuxnet Mitigation Matrix that presents easy-to-follow actions to take against Stuxnet.

PDF Stuxnet Mitigation Matrix by Tofino Security is a printable version of the mitigation matrix that includes dynamic links to detailed information on each of the patches and mitigations.

Revisions:

  • Updated Oct 25, 2010 to version 1.1. This version addresses the need to test and confirm all mitigations and includes some improvements and corrections on Microsoft patches.
  • Updated Feb 10, 2011 to version 1.2. This version references the new Microsoft patch released as MS10-092.

 

Stuxnet Mitigation Methods provides an online version of our matrix on ISSSource.com. Thanks to our friends at ISSSource for publishing this.

 

More Stuxnet information

“Analysis of the Siemens WinCC/PCS7 'Stuxnet' Malware for Industrial Control System Professionals” is the White Paper behind the Stuxnet Mitigation Matrix and it should be consulted for more details.
Stuxnet Central is a new page on this website that provides a hub for the information that Tofino Security has created regarding Stuxnet, along with links to key industry Stuxnet material.

 

Comments

6

The mitigation matrix is a great document. I want to personally thank you guys for putting something together like that. A very handy document.

First of all, the Matrix does not cover different types of so called Operator Stations regarding Siemens WinCC or PCS 7. The recommended measures would only make sense in combination with a "plant related security concept", where it needs to be decided, which measure can be applied on which "Computer".

So I would strictly recommend for WinCC and PCS 7 users to have a look at the previously published so called "Security Concept for PCS 7 WinCC" on the Siemens website before (for example) disabling RPC protocols on any local firewall except the front firewall of a running plant.

I also recommend that a second Matrix Version should be created which would also have the types of devices like external Firewall, OPC Server, Operator Station Server, Operator Station Client and others in mind.
Regards
Jan Kaestner

Jan brings up an excellent point that we should have made clear on this matrix. It is essential to confirm with the system vendor and test any mitigation before deploying in a live control system, including the patches or AV signatures.

During the Slammer outbreak in 2003, I had a close call with a major DCS when deploying the SQL Server patches. It turned out the patches on this one system could have done more damage than the worm. So please DO NOT assume that a mitigation on the matrix is safe for your control system unless you have checked it out with the system vendor.

So for Siemens users, I recommend reading the "Security concept PCS 7 and WinCC" documents that Jan suggests. These can be found at http://support.automation.siemens.com/WW/view/en/28580051

Testing and/or confirming mitigations is doubly important for something like firewalling the Remote Procedure Call (RPC) protocol. This is the basis for many services like File Sharing, Print Sharing, Terminal Server Licensing, OPC Classic, etc. etc. So we will be providing more information on this particular mitigation and making several updates to the Matrix over the next week.

Regards,
Eric

Thanks to many great suggestions, including Jan's suggestions to confirm the impact of ALL mitigations before deploying them, we have updated the Stuxnet Mitigation Matrix today (October 25, 2010) to version 1.1. We also want to thank Armin Boschmann of Manitoba Hydro for his help on sorting out the EoP vulnerabilities.

If anyone has any other suggestions, please let us know.

Eric

I agree with the statement that the mitigation isn't safe for your control system in every situation. Damen Mäntel

Hey, thanks for providing the printable version of the mitigation matrix. The dynamic links to detailed information on each of the patches and mitigations are totally useful for novice users like me. Appreciate your efforts on releasing the Stuxnet Mitigation Matrix. Regards.
