How to Restrict a LAN Stuxnet Hit
Monday, November 8, 2010 @ 04:11 PM gHale
As investigations into Stuxnet continue throughout the industry, one of the three pathways the worm uses to infect other computers is via the Local Area Network (LAN) communications inside the control system.
The other two paths come via infected USB drives and via infected Siemens project files.
Eric Byres, chief technology officer at Byres Security, found a way to restrict network-driven infections.
First, Byres said, you need to divide up control systems into security zones. If you are not familiar with the security zones concept, here is a brief overview.
A security zone is a group of assets that share common security requirements based on factors such as control function, operational requirements and criticality. A simple solution is to implement core zones such as:
• Safety Integrated System (SIS) zone,
• Basic Control/PLC zone,
• Supervisory/HMI zone,
• Process Information/Data Historian zone
• IT Networking zone
For additional security and reliability, you can also divide each of these primary zones into sub-zones, based on operational function. Increasing the number of zones progressively restricts the spread of a worm like Stuxnet to fewer computers, reducing risk and clean-up costs if an infection were to occur.
If you feel dividing up your network into zones of assets with similar security requirements based on factors such as control function, operational considerations and criticality is the way to go, and you have done the planning work to map out what the zones are, then you need to install an industrial firewall between the zones and implement rules that block the protocols that Stuxnet uses for infection.
Using the firewall to limit network traffic between zones to only what is needed for the system to operate, begins with deploying security appliances as the conduits between zones.
You can customize each of the security appliances with Loadable Software Modules (LSMs).
Once you load each LSM, each appliance is ready to prevent the protocols that Stuxnet uses from passing between zones. In particular three protocols need managing: Web (HTTP) traffic, Remote Procedure Call (RPC) traffic and, in Siemens systems, MSSQL traffic.
Byres went on to say: Note that I said “managed” and not just “blocked” the three protocols. Unfortunately, Stuxnet uses many of the same protocols as valid system applications, so just blocking these protocols will prevent proper operation of the control system.
Byres prepared an Application Note “Using Tofino to Control the Spread of Stuxnet Malware.” He said he uses the Tofino Industrial Security Solution as the example product for mitigation. “Tofino is our own product, so you know where my bias is. However, no matter what technology is deployed, the concepts I talk about are the same,” he said.
After configuring any security device and firewall it is very important to test to make sure that firewall rules do not disrupt industrial processes.
Preventing the spread of Stuxnet over control networks is key to maintaining safe, reliable and secure industrial systems.