In early March the Security Incidents Organization (SIO), Sellersville, Pa., released its annual report on industrial control system (ICS) malware incidents. "This report shows the details of the continuing threats to manufacturing and infrastructure security around the world. As the Stuxnet malware showed in 2010, the threat continues and has become even more complicated and mature," says SIO executive director John Cusimano.
The emergence of the Stuxnet worm, which apparently targeted Siemens control systems at an Iranian nuclear-enrichment facility, certainly exposed serious knowledge gaps in how cyber security is implemented and maintained by process companies.
A new white paper, "How Stuxnet Spreads -- A Study of Infection Paths in Best Practice Systems," aims to help bridge those gaps. Published in late February, it's co-authored by a trio of cyber-security experts: Eric Byres, chief technology officer, Byres Security, Lantzville, BC; Andrew Ginter, chief technology officer, Abterra Technologies, Calgary, AB; and Joel Langill, chief security officer, SCADAhacker.com, Lantana, TX.
The authors describe a hypothetical industrial site that follows the high security architecture and best practices defined in vendor documents. They then show the ways the Stuxnet worm could make its way through the site's defenses to take control of the process and cause physical damage.
While speculation continues as to the creators of Stuxnet, the worm underscores that ICSs now are the target of sophisticated attacks, note the authors, who add that owners and operators must adjust their security programs accordingly. In particular, stress Byres, Ginter and Langill, security programs must:
• Consider all possible infection pathways and have strategies for mitigating those pathways rather than focusing on a single pathway such as USB keys;
• Recognize that no protective security posture is perfect and take steps to aggressively segment control networks to limit the consequences of an incursion;
• Install ICS-appropriate intrusion detection technologies to spot attacks and raise an alarm when equipment is compromised or at risk of compromise;
• Deploy, operate and maintain at maximum effectiveness ICS-appropriate security technologies and practices. These include firewalls, antivirus technology, patching systems and whitelisting designed for supervisory control and data acquisition (SCADA) and ICS, to make attacks by sophisticated malware much more difficult;
• Look beyond traditional network-layer firewalls to firewalls capable of deep packet inspection of key SCADA and ICS protocols;
• Focus on securing last-line-of-defense critical systems, particularly safety integrated systems (SISs);
• Include security assessments and testing as part of the system-development and periodic maintenance processes, followed by correction of identified potential vulnerabilities, thereby decreasing the likelihood of a successful attack; and
• Work to improve the culture of industrial security among management and technical teams.
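The recommendation to move beyond network-layer firewalls to deep packet inspection of SCADA and ICS protocols is easiest to see in code. The following is an added example, not code from the article or from the white paper it reports on: a minimal inspection check for Modbus/TCP (one widely used ICS protocol; the article itself names no specific protocol) that parses the MBAP header, rejects malformed frames, and applies a per-host read/write policy so that only an engineering workstation may issue write function codes while an HMI is limited to reads. The hosts, the policy and the sample frames are constructed for illustration.

```python
"""Added example: function-code-level inspection of Modbus/TCP frames.

Assumptions (not from the article): the host addresses, the read-only /
read-write policy, and the sample frames below are all constructed.
Modbus/TCP framing follows the public specification: a 7-byte MBAP header
(transaction id, protocol id = 0, length, unit id) followed by the PDU,
whose first byte is the function code.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Public Modbus function codes: reads are low-risk, writes change process state.
READ_CODES = {1, 2, 3, 4}        # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16}     # write single/multiple coils and registers

# Constructed policy (assumption): which source hosts may read and which may write.
POLICY = {
    "10.0.1.10": {"read": True, "write": False},   # HMI: read-only
    "10.0.1.20": {"read": True, "write": True},    # engineering workstation
}


@dataclass
class Verdict:
    src: str
    function_code: Optional[int]
    action: str      # "allow", "deny" or "malformed"
    reason: str


def parse_mbap(frame: bytes):
    """Return (unit_id, function_code, data) or raise ValueError for a bad frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts the unit id byte plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame) - 6}")
    return unit, frame[7], frame[8:]


def inspect(src: str, frame: bytes, policy=POLICY) -> Verdict:
    """Decide whether a single Modbus/TCP request from `src` passes the policy."""
    try:
        _unit, fc, _data = parse_mbap(frame)
    except ValueError as err:
        return Verdict(src, None, "malformed", str(err))
    rules = policy.get(src)
    if rules is None:
        return Verdict(src, fc, "deny", "source host not in policy")
    if fc in READ_CODES and rules["read"]:
        return Verdict(src, fc, "allow", "read permitted")
    if fc in WRITE_CODES:
        if rules["write"]:
            return Verdict(src, fc, "allow", "write permitted for engineering host")
        return Verdict(src, fc, "deny", "write attempted from read-only host")
    return Verdict(src, fc, "deny", f"function code {fc} not on allow-list")


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (helper for the constructed samples)."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


def run_sample() -> List[Verdict]:
    """Run the policy over constructed traffic and return the verdicts in order."""
    read_regs = build_frame(1, 1, 3, b"\x00\x00\x00\x0a")        # read 10 holding registers
    write_reg = build_frame(2, 1, 6, b"\x00\x00\x12\x34")        # write one holding register
    diag_req = build_frame(3, 1, 0x2B, b"\x0e\x01\x00")          # device identification, not allow-listed
    bad_len = read_regs[:4] + b"\x00\x10" + read_regs[6:]        # length field says 16, frame is shorter
    traffic = [
        ("10.0.1.10", read_regs),   # HMI reading: allow
        ("10.0.1.10", write_reg),   # HMI writing: deny
        ("10.0.1.20", write_reg),   # engineering host writing: allow
        ("10.0.1.99", read_regs),   # unknown host: deny
        ("10.0.1.10", diag_req),    # unlisted function code: deny
        ("10.0.1.10", bad_len),     # malformed framing
    ]
    return [inspect(src, frame) for src, frame in traffic]


if __name__ == "__main__":
    for v in run_sample():
        print(f"{v.src:<10} fc={v.function_code!s:<5} {v.action:<9} {v.reason}")
```

A network-layer firewall would pass every one of these frames because they all arrive on TCP port 502 from inside the control network; only by parsing the function code can a device tell a register read from a register write, which is the distinction the authors' recommendation turns on. A production ICS firewall would additionally track TCP state and validate the data field against the function code (register counts, address ranges), which this single-frame check omits.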
"These changes to improve defense-in-depth postures for industrial control systems are needed urgently. Waiting for the next worm may be too late," they say.
Byres highlights two requirements in particular as being essential. The first is culture: "On the macro level you need upper management to really develop a security culture: enthusiastic engineers are not enough."