Stuxnet Changes Nothing

Updated: September 23, 2010

It is an unfortunate truth that good security is not applied until after the appearance of a threat. Even more regrettable is that particular organizations will not recognize a threat until it has done damage to them. No amount of flag waving by internal security people will get management to take the necessary precautions until a major breach occurs. This is human nature. We do not think to install deadbolts or security lighting to protect our homes until after the burglary.

The discovery and subsequent revelations about Stuxnet should indeed cause a revolution in the security practices of every manufacturer and operator of industrial control systems in the world. Sadly, that will not happen.

First, a recap of Stuxnet. This worm spreads via USB thumb drive and, once inside a network, via file shares and even by infecting SQL databases. It uses the .lnk vulnerability in Windows (a zero-day at the time; a patch is now available) as well as three other zero-day vulnerabilities to escalate privileges on infected machines. Stuxnet then looks for Windows PCs running Siemens software used for managing industrial control systems. It infects those machines and, if it finds a particular type of machine controller attached, attacks that controller and changes its programming. To what end is still unknown.

Nicolas Falliere has posted to Symantec's blog a detailed analysis of how Stuxnet installs a rootkit on the infected PC and what it does to the industrial controllers. To date this is the most sophisticated, targeted, and malevolent worm ever dissected to this extent.

If your organization is one of the few that can look into the future and foresee the implications, you will start now to defend yourself against this type of attack. It is going to be expensive, but probably not as expensive as one day's lost productivity from your plant or operations.

There are three major issues to be addressed before industrial controls will start to mature from a security perspective. First, vendors such as Siemens, Rockwell, and others should move away from Windows. The perceived benefits of using platforms that have all the bells and whistles do not justify the patching, re-booting, and licensing requirements of always-on critical systems. Second, the vendors of controls have to build in authentication mechanisms using digital certificates and out-of-band authorization to make changes. They also have some work to do to harden their systems, which in most environments still listen to the network for simple but potentially devastating instructions like a broadcast "reset."
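To make the second point concrete, here is an added example (not code from this post, from Siemens, or from any real controller) of what "authenticate changes before acting on them" looks like at the controller end. It assumes a hypothetical command format (operation name plus a counter), uses a raw Ed25519 public key provisioned out of band in place of a full certificate chain, and goes one step beyond the text by also rejecting replayed copies of a previously valid signed command. The unauthenticated broadcast "reset" that legacy devices accept is refused outright.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a hypothetical control-plane message: the operation requested,
// a monotonically increasing counter to defeat replay, and a signature made
// by an authorised engineering workstation. Real protocols differ.
type Command struct {
	Op      string
	Counter uint64
	Sig     []byte
}

// Controller models a PLC that acts only on signed, non-replayed commands.
// The trusted public key stands in for the certificate the post calls for;
// it is provisioned out of band, not learned from the network.
type Controller struct {
	trusted     ed25519.PublicKey
	lastCounter uint64
	Resets      int // how many reset commands were actually applied
}

var ErrUnauthenticated = errors.New("command rejected: missing or invalid signature")
var ErrReplay = errors.New("command rejected: stale counter (replay)")

// signedBytes canonicalises what is signed: op || big-endian counter.
func signedBytes(op string, counter uint64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, counter)
	return append([]byte(op), buf...)
}

// Sign is what the authorised engineering workstation does with its private key.
func Sign(priv ed25519.PrivateKey, op string, counter uint64) Command {
	return Command{Op: op, Counter: counter, Sig: ed25519.Sign(priv, signedBytes(op, counter))}
}

// Handle verifies the signature and the replay counter before doing anything.
func (c *Controller) Handle(cmd Command) error {
	if len(cmd.Sig) != ed25519.SignatureSize ||
		!ed25519.Verify(c.trusted, signedBytes(cmd.Op, cmd.Counter), cmd.Sig) {
		return ErrUnauthenticated
	}
	if cmd.Counter <= c.lastCounter {
		return ErrReplay
	}
	c.lastCounter = cmd.Counter
	switch cmd.Op {
	case "reset":
		c.Resets++
	}
	return nil
}

// Scenario runs the three cases: an unsigned broadcast-style reset, a properly
// signed reset, and a replayed copy of that signed reset. It returns each
// outcome and how many resets the controller applied (constructed test data).
func Scenario() (unsigned, signed, replay error, resets int) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	plc := &Controller{trusted: pub}
	unsigned = plc.Handle(Command{Op: "reset"})   // no signature: refused
	good := Sign(priv, "reset", 1)
	signed = plc.Handle(good)                      // valid: applied
	replay = plc.Handle(good)                      // same message again: refused
	return unsigned, signed, replay, plc.Resets
}

func main() {
	u, s, r, n := Scenario()
	fmt.Println("unsigned reset:", u)
	fmt.Println("signed reset:  ", s)
	fmt.Println("replayed reset:", r)
	fmt.Println("resets applied:", n)
}
```

The point of the counter is that a signature alone does not stop an attacker who has captured a legitimate signed message from resending it; binding each command to a counter the controller tracks closes that gap. Out-of-band authorization, as the post describes it, would sit in front of the signer: the workstation should not sign a change until a second channel has approved it.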

Lastly, plant operators have to segment their networks. Firewalls, IPS, even air-gaps, should be in place to prevent the spread of malware.
