Last Friday, I saw a tweet from ControlGlobal.com’s Nancy Bartels on an updated Industrial Defender whitepaper on the Stuxnet virus (registration required). The whitepaper was very comprehensive and opens:
…Stuxnet worm is described by Symantec’s reverse-engineering experts as the most sophisticated piece of malware they have ever seen.
The worm used four “zero day” vulnerabilities, a term the report defined as:
…one for which no fix is available, and no anti-virus signatures are available. Malware which uses zero-day vulnerabilities to propagate can often do so undetected through even well-defended sites. The Stuxnet worm is unprecedented in that it used four zero-day vulnerabilities to propagate.
It went on to describe how these vulnerabilities were exploited to propagate the worm broadly so that it could seek out a very specific application, speculated to be in uranium enrichment.
The report notes that the sophistication required means this worm was not the work of a casual band of hackers. It noted:
Given the cost of software development and the requisite supporting hardware, software and other infrastructure, this suggests the worm cost a minimum of one million dollars to create.
Discussions have been quite active over the past several months, as the automation community has learned more about this virus.
I caught up with Emerson’s Randy Pratt, an advanced services specialist on the SureService team. We discussed the world we live in today where the leading automation and SCADA systems are based on commercial, off-the-shelf (COTS) operating systems and network technologies. Even for older systems designed in the pre-COTS era, a million-dollar concerted effort would likely expose and exploit any vulnerabilities.
If your system is pre-COTS, defense in depth is still important. Every connection out of the system to the outside should be scrutinized and eliminated if possible. I heard a good analogy that you should think of your system like a prison. In a prison, there are few entry/exit points, and the ones they do have are heavily fortified with multiple layers of security and are closely guarded.
If your system is COTS-based, but the manufacturer of the operating system no longer supports security patch updates, then you’re not only vulnerable to zero-day exploits, but also to known ones that have already been fixed. Randy notes that even if your system isn’t the intended target, it might become compromised. And the further behind your systems are on security fixes, the more vulnerable they will be. As part of an overall security assessment, it will likely be time to modernize the system.
It’s important to recognize that anti-virus and patch management do not secure your system from zero-day exploits. However, closing the window on these vulnerabilities once patches are created is critical. For COTS-based systems on supported operating systems and software versions, many suppliers have rigorous patch management services to make sure the patches on the COTS-related elements do not impact the process control software. Also, look for recommended defense-in-depth and antivirus best practices.
As the report highlights, a strong security program and a culture of security are important. It noted:
A strong security program only stays strong if it is managed well. Security policies must be reviewed periodically to determine if they still identify current threats and protection priorities. Security procedures and practices must be audited to ensure that the site’s security policies are followed, and to ensure that security practices are effective. Software and hardware security controls must be evaluated to ensure they still protect the site as required by policies and practices.
In an earlier post, Like Plant Safety, Build a Culture of Security, I shared thoughts on the importance of this security culture. In this post-Stuxnet world in which we now find ourselves, the imperative is greater than ever.
Update: ControlGlobal.com came out with a great article on how the Stuxnet worm takes over a controller. Make sure to check out the article, How to Hijack a Controller.
Update 2: With tongue firmly implanted in cheek, I agree with the ControlGlobal tweet, that we both scooped the New York Times on this story. Here’s the NY Times version.