Stuxnet Changes Nothing

Updated: September 23, 2010

It is an unfortunate truth that good security is not applied until after a threat appears. Even more regrettable is that some organizations will not recognize a threat until it has already done damage to them. No amount of flag waving by internal security people will get management to take the necessary precautions until a major breach occurs. This is human nature: we do not think to install dead bolts or security lighting to protect our homes until after the burglary.

The discovery and subsequent revelations about Stuxnet should indeed cause a revolution in the security practices of every manufacturer and operator of industrial control systems in the world. Sadly, that will not happen.

First, a recap of Stuxnet. The worm spreads via USB thumb drives and, once inside a network, via file shares, a Print Spooler vulnerability, and even by infecting the SQL database used by the Siemens WinCC software it targets. The USB vector relies on the Windows .lnk (shortcut) parsing vulnerability, a zero day at the time for which a patch is now available; in total Stuxnet carried four zero days, two of them used to escalate privileges on infected machines. Stuxnet then looks for Windows PCs running the Siemens SIMATIC software (Step 7 and WinCC) used to program and manage industrial controllers. It infects those machines, and if it finds a particular model of programmable logic controller (PLC) with a particular configuration attached, it attacks that controller and changes its programming. At the time of writing, what the altered logic was meant to accomplish was still unknown.

Nicolas Falliere has posted to Symantec's blog a detailed analysis of how Stuxnet installs a rootkit on the infected PC and what it does to the industrial controllers, including how it hides its modified code blocks from the Step 7 engineering software an operator would use to inspect the PLC. To date this is the most sophisticated, targeted, and malevolent worm ever dissected to this extent.

If your organization is one of the few that can look into the future and foresee the implications, you will start now to defend yourself against this type of attack. It is going to be expensive, but probably not as expensive as one day's lost productivity from your plant or operations.

There are three major issues to be addressed before industrial controls will start to mature from a security perspective. First, vendors such as Siemens, Rockwell, and others should move away from Windows. The perceived benefits of using platforms that have all the bells and whistles do not justify the patching, rebooting, and licensing requirements of always-on critical systems. Second, the vendors of controls have to build in authentication mechanisms: digital certificates to verify who issued a command, and out-of-band authorization before a change is applied. They also have some work to do to harden their systems, which in most environments still accept unauthenticated instructions from the network, including simple but potentially devastating ones such as a broadcast "reset."

Lastly, plant operators have to segment their networks. Firewalls, IPS, and even air gaps should be in place to limit the spread of malware. Note, though, that an air gap alone would not have stopped Stuxnet: its USB thumb drive vector is designed to cross one, so removable-media controls on the engineering workstations are part of the same measure.
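As an added illustration of the second point above (certificate-based authentication of commands, out-of-band authorization of changes, and refusal of unauthenticated instructions such as a broadcast "reset"), here is a Go sketch that is not from the original post and not from any vendor's product. It assumes a controller that pins two X.509 certificates: one for the engineering station, which signs every command, and one for a change authoriser whose signature, obtained on a separate channel, must accompany any program image before it is loaded. The names Command, Controller, NewIdentity, Scenario and the payload strings are hypothetical, and the inputs are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Command is a constructed stand-in for a message reaching a controller. Sig is
// the engineering station's signature; Approval is a second signature obtained
// on a separate channel from a change authoriser (the out-of-band step).
type Command struct {
	Op       string // "reset" or "load_program"
	Payload  []byte // program image for load_program, empty for reset
	Sig      []byte // ASN.1 ECDSA signature over digest(Op, Payload)
	Approval []byte // the same digest signed by the authoriser, or nil
}

// Controller pins two certificates and changes state only on verified input.
type Controller struct {
	Engineer, Approver *x509.Certificate
	Program            []byte
}

// digest binds the operation name to the payload, so a signature over one
// operation cannot be replayed as another.
func digest(op string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(op + "\x00"))
	h.Write(payload)
	return h.Sum(nil)
}

// must panics on error; acceptable here because this is a demonstration.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func verifyWith(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && len(sig) > 0 && ecdsa.VerifyASN1(pub, msg, sig)
}

// Apply is the controller's only entry point: an unsigned command (such as a
// broadcast "reset") is dropped, and a program change also needs the approval.
func (c *Controller) Apply(cmd Command) error {
	d := digest(cmd.Op, cmd.Payload)
	if !verifyWith(c.Engineer, d, cmd.Sig) {
		return fmt.Errorf("rejected %q: not signed by the trusted engineering station", cmd.Op)
	}
	switch cmd.Op {
	case "reset":
		// a verified reset would restart the process here
	case "load_program":
		if !verifyWith(c.Approver, d, cmd.Approval) {
			return fmt.Errorf("rejected %q: no out-of-band approval", cmd.Op)
		}
		c.Program = cmd.Payload
	default:
		return fmt.Errorf("rejected %q: unknown operation", cmd.Op)
	}
	return nil
}

// NewIdentity makes a P-256 key and a self-signed certificate for it; a real
// plant would have its own CA issue these and the controller would pin that CA.
func NewIdentity(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

func sign(key *ecdsa.PrivateKey, op string, payload []byte) []byte {
	return must(ecdsa.SignASN1(rand.Reader, key, digest(op, payload)))
}

// Scenario feeds five constructed commands to a controller and reports which
// were accepted: unsigned broadcast reset, signed reset, program load without
// approval, the same load with approval, and that load with its image altered.
func Scenario() []bool {
	engKey, engCert := NewIdentity("engineering-station")
	apprKey, apprCert := NewIdentity("change-authoriser")
	ctrl := &Controller{Engineer: engCert, Approver: apprCert}
	image := []byte("constructed PLC program image v2")
	altered := []byte("constructed PLC program image v2, altered in transit")
	engSig := sign(engKey, "load_program", image)
	approval := sign(apprKey, "load_program", image)
	cmds := []Command{
		{Op: "reset"},
		{Op: "reset", Sig: sign(engKey, "reset", nil)},
		{Op: "load_program", Payload: image, Sig: engSig},
		{Op: "load_program", Payload: image, Sig: engSig, Approval: approval},
		{Op: "load_program", Payload: altered, Sig: engSig, Approval: approval},
	}
	var accepted []bool
	for _, cmd := range cmds {
		accepted = append(accepted, ctrl.Apply(cmd) == nil)
	}
	return accepted
}

func main() {
	fmt.Println(Scenario()) // [false true false true false]
}
```

Run it with `go run`. The controller never acts on anything it cannot tie to a pinned certificate, a program image is rejected if either signature is missing or the image was altered after signing, and a signature over "reset" cannot be reused to authorize a load because the operation name is part of the signed digest. What the sketch deliberately leaves out is replay protection: a captured, validly signed reset could be sent again, so a production design would add a monotonic sequence number or nonce to the signed data and have the controller reject anything it has already seen.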
