Stuxnet Analysis
We normally don't write diaries about analysis published by others, since most readers also use RSS, Twitter, Facebook, and countless other alerting services. By the time we note an article it's already "old news." But I want to take exception to our internal policy and point out a very interesting analysis by Symantec of the Stuxnet malware. In particular, watch the demonstration they put together that shows how it works. While the demo is for Stuxnet, it brings home many of the techniques that have been perfected over the past two years to bypass firewalls, intrusion detection systems, and other classic defense mechanisms.
Why is this important? Well, we need to start rethinking how we are going to defend our networks in the coming years and decades. Layers of defense are, of course, important - but what should those layers be? I'm afraid that many organizations are still defending themselves as though it's 1998. Firewalls and other "blinking light" mechanisms are not enough. Neither is patching, changing passwords, shutting off unneeded services, or any of the other primary best practices we've been preaching as security professionals for many years. We need a new "layer" to add to our defensive strategies. But what is that layer? If you have ideas, please use the comment link below to add them to this diary.
Marcus H. Sachs
Director, SANS Internet Storm Center
Comments
Gather
Nov 15th 2010
I have observed that many SCADA system operators do not trust IT. There are good reasons for this. Some of the stuff IT requires is not compatible with the very touchy SCADA software and hardware. Unplanned change is bad. Uptime is critical, and patching systems creates downtime and change. A critical patch could very well disable the SCADA system or a critical piece of hardware. More downtime and change. SCADA system operators need IT's expertise in security, and the trick is getting the two together, establishing ground rules and trust.
KBR
Nov 15th 2010
My current location has a building access system that is controlled by a PC. This system could also be attacked to grant access to unauthorized individuals. Granted, not much of a target, but ...
Other potential dedicated computer targets for specialized attacks could be the power grid, banks, etc. The fact that Stuxnet is targeting specific systems should only make this an eye-opener for everyone to look at other systems that they have that could also be attacked by a dedicated group.
Once you recognize a potential vector for an attack then you can do something about it. A much better attitude than hiding your head in the sand with "What me worry? I don't have any PLC controllers!"
wll
Nov 16th 2010
Sean
Nov 17th 2010
Cheers, Adrien
Adrien de Beaupre
Nov 17th 2010
The malware would have to be aware of the specific SCADA interface, the specific PLC it was supervising/monitoring and the key control registers; the attack vectors would have to be specifically designed for a particular type of network, PLC and SCADA topology; the attackers would have to have inside knowledge and also target the infected programming terminal of the engineers responsible for PLC code changes.
This is a wake-up call for system managers and reinforces the security-by-layer principles and standards.
John
Nov 17th 2010
Shawn
Nov 17th 2010