Paranoia Means Better Security

Thursday, May 5, 2011 @ 08:05 AM gHale

By Gregory Hale
“You need to be paranoid. You need to assume your system is under attack,” said Andrew Ginter, director of industrial security at Waterfall Security Solutions.

That is part of what a user must think about when they are a victim of an advanced persistent threat (APT) like Stuxnet, Ginter said during his talk Tuesday with Joel Langill, chief technology officer at SCADAHacker, entitled “How Stuxnet Spread: A Study of Infection paths in Best Practice Systems” at the ICSJWG 2011 Spring Conference in Dallas.

“An advanced persistent threat works on a single target,” Ginter said. “Stuxnet was one example.” Usually an APT comes from organized crime or from nation states, he said. This worm targeted the Siemens control systems and went after the Iranian nuclear enrichment program. “The objective was to sabotage the nuclear program,” he said.

This approach to the attack was not new, and in fact there may be more to come down the road.

“Two dozen nations announced they are funding cyber warfare initiatives,” Ginter said. “Some friendly, some not. In addition, one dozen more nations have not announced it, but it is known they are funding cyber warfare initiatives. Again, some friendly, some not.”

Ginter remains impressed with the mighty worm. “This had four zero days and the worm circulated 3 to 4 months before anyone was alerted to it. That meant it was free to go around a system and learn. This was also the first time a worm used a PLC rootkit, which allowed the worm to reprogram the PLC without the users knowing it was happening.”

If anyone thinks this worm was purely attacking a vulnerability in the Siemens system, think again, Langill said.

“There is a lot to the worm that can apply to any system from any vendor,” he said.

Another interesting aspect is that the worm could attack from different vectors. Langill said the one most people focus on is the USB stick, but there were others, like local area network communications.

On top of the attack vectors, the worm also had the ability to adapt to its environment.

“This provided the bad guys a well controlled playbook to get into any system,” Langill said.

Stuxnet brought the idea of policy and procedures to the forefront of users’ attention. “Why spend $500,000 on a security system if you allow a USB stick to plug into your engineering workstation?” Langill said.

He then asked, “Are we still vulnerable? Yes.”
