Post Stuxnet: Risk Containment of Malware

Monday, March 21, 2011 @ 05:03 PM gHale

Following its discovery last June, Stuxnet caused a worldwide firestorm. It is the first publicly known rootkit attack targeted at industrial plants.

The worm has infected tens of thousands of PCs and abused and manipulated automation software running on Windows operating systems. Its ultimate purpose: to bring malicious code into the controllers of specific real-world industrial installations and bring them down.

Experts have long warned that malware and insufficient IT security pose a threat to automation networks, but Stuxnet offers concrete proof these threats can no longer be ignored. The actual hazard, however, no longer originates from Stuxnet itself, but rather comes from mutations that copycats can now create with the same basic techniques.

While Stuxnet focused on products from the Siemens SIMATIC family and on STEP 7 PLC projects with very specific properties, such mutations could affect components from other vendors as well, ultimately producing malware that is far less selective in the damage it causes.

Apart from the fact that industrial PCs are often not (and cannot be) equipped with antivirus software, Stuxnet has also made clear that conventional virus scanners do not provide protection against attacks of this caliber.

Analysis of Stuxnet has shown the worm was in the wild and unnoticed for at least 12 months before its discovery. Because Stuxnet did not match any known malware signatures, existing antivirus programs did not detect it during that time.

To plan protective measures against future Stuxnet-like attacks, a basic understanding of the worm’s activities is essential.

For more details on those protective measures, see the white paper on Stuxnet.
