Stuxnet is a severe threat – that’s something we know for sure. But if we look at it, what do we really know? What can we learn?
Let’s start from the beginning. As soon as Stuxnet hit the news, it was interesting to see what was happening. There was a ton of speculation out there about the source and the target of the worm, especially once it hit the mass media. It is obvious that this is a story that is interesting for a broad audience – however, we security professionals need different sources.
If you look at this interview on CNN, they give background information but at the same time are pushing the story.
Stuxnet: Malware more complex, targeted and dangerous than ever
Unfortunately, even professionals seem to build their defense on what they heard somewhere because someone said so… This is not the right source of information.
So, a lot of speculation on different channels, social media as well as mass media. What do we learn from that?
Rely only on trusted sources if you want to run your incident response.
I think this is not the first time I am promoting this approach :-)
If you want real information on Stuxnet, there you go:
- MMPC Encyclopedia
- Microsoft Malware Protection Center blog posts since July this year, which give you insight into the problem
This is one side of the problem. What about the critical infrastructure? It seems to be common knowledge that Stuxnet is leveraging a vulnerability in the Siemens PLC code to manipulate parameters in control systems. This leads us to an interesting question: how do we protect embedded systems?
So far, I am convinced that within the industry we know fairly well how to protect classical IT systems like servers and PCs. If we extend this to embedded systems, the problem becomes much bigger. I once worked on this problem for medical devices. I was talking to the hospitals, and they were telling me that regulation does not allow them to touch any technology on a medical device (even though these devices are connected to their internal network to exchange patient data). If you talk to the regulator, they tell you that they are satisfied with a risk management process by the vendor (nobody really checks the risks in the process, as the regulation does not address this), and if you talk to the vendor, they do not want to take on the cost of maintaining the software on these devices – a classical example of passing the hot potato from one player to the other. This is a latent risk, which might be above the acceptable risk threshold for a society.
What can we do to approach this? On a tactical level, this means reducing the risk by shielding such systems: do not attach them directly to the network, but indirectly behind a reverse proxy. On a strategic level, we have to look at it from a maintenance perspective, like any other IT system. The FDA, for example, realizes that not patching a system might create higher risks than patching it. This by itself is a remarkable statement. It does not, by any means, allow you to just deploy without testing, but probably without re-validating.
When it comes to SCADA systems, one of my readers, Shoaib Yousuf, wrote a really good article, published in Computerworld and CIO in Australia and called Smart grid security: Critical success factors, showing the different approaches to securing such systems.
What do we learn from that?
Realize that systems with embedded IT have to be maintained and protected like any other IT device, taking into consideration the special safety needs.
And then finally, who are the players behind Stuxnet? A lot of people in the press and the blogosphere talk about an “act of war”. This is hard to tell based on public sources, as there is too much speculation and misinformation. The fact is that nations are ramping up their cyber capabilities and/or are partnering with highly skilled groups in that area. But does this already mean that we have seen a nation state attacking another one with Stuxnet?
Do not base your judgment on sources where speed is more important than accuracy (something I often see on Twitter).
Scott Charney recently decomposed the threats in his paper called Rethinking Cyber Threats and Strategies (or, if you really want, the PDF version). He distinguishes four categories of attacks:
- Conventional Cybercrime
- Military Espionage
- Economic Espionage
- Cyber warfare
What did we see with Stuxnet? We do not know, and just jumping on the bandwagon of the mass media because it is “cool” would be a little bit too easy. The fact is that the industry came together to fight this beast – which is the right thing to do – and I hope that the governments come together to find the criminals behind the worm and take appropriate action.
What do we learn from that?
Do not draw conclusions on who is behind an attack just because of the media (be it social media or mass media).
Finally, this leads me to my final plea, as so often when I blog on such things: without good collaboration within the industry, between the industry and the governments, and between governments, it will be very, very hard to fight such attacks.
And the “really finally”: as security professionals, we have to make sure that we at least keep an eye on the facts and do not help to spread fuzz.
Roger