By Gregory Hale
Some of the first thoughts that come to mind with the latest Stuxnet revelation is to react to the incredible complexity the worm exhibits. It has an incredible design and seems to focus on a particular target while not crushing collateral damage to unintended victims.
Admiring the code is one thing, but prevention and cutting down on the consequences once hit are something everyone has to look at.
Joel Langill, security consultant and staff engineer at ENGlobal Automation Group, shared some of his thoughts with ISSSource Editor and Founder Gregory Hale.
“Since Stuxnet exploits a zero-day vulnerability, there was little that could be done once the worm was deployed. However, there were a lot of things that could have been done to (a) prevent it from being deployed in the first place, and (b) minimizing the negative consequences that resulted once it was deployed. Everyone gets hung up on the payload, and how it wrapped itself around some key WinCC drivers. It is a brilliant piece of malicious code, but that is not the only thing that this malware has demonstrated. It has shown that the overall security posture of control systems still tends to be weak in addressing cyber threats. Even with the most advanced security appliances available, the overall level of security assurance is provided by not just the ‘products’ installed, the ‘people’ and ‘processes’ used to design, configure, and maintain these systems.
“In addressing the prevention issue, a security policy that eliminates the use of USB devices would have prevented deployment. We all know that these devices should not be allowed on control systems equipment, but they are used every day. What is most disturbing is that far too many people install firewalls that are focused on restricted access to the control system network from the ‘outside,’ but provide few rules relating to ‘inside’ traffic.
“To minimizing negative consequences issue, a secure firewall rule would have limited outbound access and eliminated the Stuxnet worm from contacting the C&C server rendering it useless.
“As a last defense, I am a believer that we need to consider installing intrusion monitoring sensors within the control systems environment. A lot of people say this is not possible because of the protocols used within a SCADA/DCS network, however, my approach is much different and focuses on watching ‘who accesses what.’ For instance, a SCADA server should never be accessing an outside web server on TCP/80 in a well-defined and secure architecture.
“When I talk to users about Stuxnet, I stress it shows the need to have an established security policy in place that is adhered to by everyone within an organization, and is reviewed on a periodic basis and updated accordingly. There are a lot of similarities between ‘industrial security’ and ‘functionality safety’ and I am glad to see that ISA is making progress in this area with their Working Group 7. Both are meant to prevent unforeseen events from impacting operation. I believe there is a lot to learn from progress made in the functional safety arena, particularly around the concept that a ‘safety’ system needs to meet a given level of safety integrity through the application of equipment that is tested and certified to a specific safety level.
“Furthermore, these ‘safety’ systems must be tested on a regular basis to provide assurance that the system will act in a correct manner when demanded to do so. A lot of progress has been made with Wurldtech and the ISA Security Compliance Institute in helping set a measureable standard by which devices can be tested and certified as to their overall security posture. However, I believe that our standards, including ISA99 and NERC CIP need to be modified to mandate some level of rigorous ‘security’ test, as well as requirements around some level of ongoing test/re-test to maintain the original level of inherent security. I recently performed an assessment on a leading vendor’s system and found a vulnerability that I do not believe they even know exists. I am in the process of performing a couple more tests before I notify the vendor in the form of a ‘responsible disclosure.’
“Of course, I am also a proponent of making sure that those people responsible for designing and installing control systems have credentials that confirm they are knowledgeable in the security aspects of control system deployment, and that the design and delivery of these systems places as much emphasis on security as on functionality.”
By Gregory Hale