
Roger Halbheer

Job title:
Chief security advisor, Microsoft

Areas of expertise:
Policy, architecture, law enforcement, cybersecurity, processes

Biography:
Roger Halbheer joined Microsoft as Chief Security Advisor of Microsoft Switzerland in 2001 and was promoted to the role of Chief Security Advisor for Microsoft Europe, the Middle East and Africa (EMEA) in February 2007. Roger leads a team of national Chief Security Advisors across EMEA who work with organizations in the commercial and public sectors - including national governments, law enforcement and intelligence agencies - on information technology issues and strategies. He is a trusted advisor to C-level executives, governments and law enforcement agencies and has established relationships with security communities and government agencies across the region. Roger is a regular speaker at industry events and has worked with national and international print and broadcast media both to represent Microsoft and to provide expert comment on broader security issues. A Swiss national, Roger holds a Master of Computer Science degree from the Federal Institute of Technology in Zurich and is a Certified Information System Security Professional (CISSP). Before joining Microsoft, he was responsible for e-Business Risk Management at PricewaterhouseCoopers in Switzerland. He lives in Zurich and is married with two sons.


Stuxnet talks – do we listen?

Stuxnet is a severe threat – that’s something we know for sure. But if we look at it, what do we really know? What can we learn?

Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see what was happening. There was a ton of speculation out there about the source and the target of the worm, especially once it hit the mass media. It is obvious that this is a story that interests a broad audience – however, we security professionals need different sources.

If you look at this interview on CNN, they give background information but at the same time push the story.

Stuxnet: Malware more complex, targeted and dangerous than ever

Unfortunately, even professionals seem to build their defenses on what they heard somewhere because someone said so… That is not the right source of information.

So there is a lot of speculation on different channels, social media as well as mass media. What do we learn from that?

Rely only on trusted sources if you want to run your incident response.

I think this is not the first time I have promoted this approach :-)

If you want real information on Stuxnet, there you go:

This is one side of the problem. What about critical infrastructure? It seems to be common knowledge that Stuxnet leverages a vulnerability in the Siemens PLC code to manipulate parameters in control systems. This leads to an interesting question: how do we protect embedded systems?

So far, I am convinced that within the industry we know fairly well how to protect classical IT systems like servers and PCs. If we extend this to embedded systems, the problem becomes much bigger. I once worked on this problem for medical devices. I was talking to the hospitals and they were telling me that they are not allowed by regulation to touch any technology on a medical device (even though they are connected to their internal network to exchange patient data). If you talk to the regulator, they tell you that they are satisfied with a risk management process by the vendor (nobody really checks the risks in the process as the regulation does not address this) and if you talk to the vendor they do not want to take the cost of maintaining the software on these devices – a classical example of passing the hot potato from one player to the other. This is a latent risk, which might be above the acceptable risk threshold for a society.

What can we do to approach this? On a tactical level, this means reducing the risk by shielding such systems: do not attach them directly to the network but indirectly, behind a reverse proxy. On a strategic level, we have to look at them from a maintenance perspective like any other IT system. For example, the FDA realizes that not patching a system might create higher risks than patching it. This by itself is a remarkable statement. It by no means allows you to just deploy without testing, but probably without re-validating.
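A concrete form of the tactical shielding described above, as an added example that is not part of the original post: an nginx reverse proxy fronting a device that cannot be patched, exposing only its data-exchange endpoint to an allow-listed set of clients. The hostname, certificate paths, client subnet and device address are assumed placeholders, and the device is assumed to sit on a network segment reachable only from the proxy host.

```nginx
# Added illustration (not from the original post): nginx reverse proxy that
# shields an unpatchable embedded device (e.g. a medical device or PLC HMI)
# so that clients never talk to it directly. All names, addresses and paths
# below are assumed placeholders.
server {
    listen 443 ssl;
    server_name device-gw.example.internal;               # assumed hostname

    ssl_certificate     /etc/nginx/certs/device-gw.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/certs/device-gw.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the systems that legitimately exchange patient data may connect;
    # everything else on the LAN is refused before it reaches the device.
    allow 10.20.30.0/24;      # assumed subnet of the hospital information system
    deny  all;

    # Only the data-exchange endpoint is exposed; the device's own
    # management and firmware-update interfaces are not reachable at all.
    location /data/ {
        limit_except GET POST { deny all; }   # no PUT/DELETE/etc. to the device
        client_max_body_size 1m;              # bound request size hitting old firmware
        proxy_pass         http://192.0.2.10:80/data/;   # device on isolated segment (assumed)
        proxy_http_version 1.1;
        proxy_set_header   Connection "";
        proxy_read_timeout 10s;
        proxy_hide_header  Server;            # do not leak the device's software version
    }

    # Anything else (debug pages, update interface, ...) is answered by the proxy.
    location / {
        return 404;
    }
}
```

The config only controls what passes through the proxy; the device's segment still has to be firewalled so that the proxy host is the only route to it.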

When it comes to SCADA systems, one of my readers, Shoaib Yousuf, wrote a really good article, published in Computerworld and CIO in Australia, called Smart grid security: Critical success factors, showing the different approaches to securing such systems.

What do we learn from that?

Realize that systems with embedded IT have to be maintained and protected like any other IT device, taking into consideration the special safety needs.

And then finally, who are the players behind Stuxnet? A lot of people in the press and the blogosphere talk about an “act of war”. This is hard to tell based on public sources, as there is too much speculation and misinformation. The fact is that nations are ramping up their cyber capabilities and/or are partnering with highly skilled groups in that area. But does this already mean that we have seen a nation state attacking another one with Stuxnet?

Do not base your judgment on sources where speed is more important than accuracy (something I often see on Twitter).

Scott Charney recently decomposed the threats in his paper called Rethinking Cyber Threats and Strategies (or – if you really want the pdf version). He separates four categories of attacks:

  1. Conventional Cybercrime
  2. Military Espionage
  3. Economic Espionage
  4. Cyber warfare

What did we see with Stuxnet? We do not know, and just jumping on the bandwagon of the mass media because it is “cool” would be a little too easy. The fact is that the industry came together to fight this beast – which is the right thing to do – and I hope that governments come together to find the criminals behind the worm and take appropriate action.

What do we learn from that?

Do not draw conclusions on who is behind an attack just because of the media (be it social media or mass media).

Finally, this leads me to my usual plea when I blog on such things: without good collaboration within the industry, between the industry and governments, and between governments, it will be very, very hard to fight such attacks.

And the “really finally”: as security professionals, we have to make sure that we at least keep an eye on the facts and do not help to spread noise.

Roger

Posted 12/10/2010 by Roger Halbheer

Tagged under: Critical Infrastructure, Incidents, Incident Response, Malware, Stuxnet
