Stuxnet Virus Now Biggest Threat To Industry
digitaldc writes "A malicious computer attack that appears to target Iran's nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday. They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."
This is a wake-up call to a new vulnerability. There are a helluva lot worse ways to have found out about it than this relatively innocuous version. It also exposes stupid weaknesses like the fact that all Siemens PLCs (programmable logic controllers) have a hard-coded password that was never meant to be changed, and that all the obscure proprietary software in the world on PLCs doesn't mean jack for security--because they all still have to take their orders from a machine running its software on regular old Windows.
We could have realized these vulnerabilities only after a bunch of stuff started exploding.
SJW: Someone who has run out of real oppression, and has to fake it.
They should run Mac software on PLCs. Macs don't get viruses!
</satire>
Don't use Windows for important industrial systems.
There's no reason why these machines should be connected to the internet. Maybe some of the top-level communication computers to coordinate between plants, but certainly not the local-area computers/machines.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Do you really want the idiots in D.C. telling you how your computer must work? Ask anyone doing IT related stuff under the DoD -- their own security policies cause more outages and problems than anything else. Those policies are from people who supposedly know what's what. Now put clueless politicians in charge.
You DON'T want this, no matter how much you like government control of your lives.
I would think that the risk of prolonged downtime in a factory that plows through millions of dollars a day would be enough of an incentive for any manager to tighten their security.
So first the government makes the most malicious worm possible to do their bidding in wiping out the enemy, and then the government figures they can use this worm as an argument for imposing more restrictions and expanding their power.
Next up: the police start killing people so they can use the higher homicide rates to motivate expansion.
"The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."
The mystery of the who and the why of stuxnet is now over.
As sophisticated as Stuxnet is, it still relies on people doing Very Stupid Things. The solution isn't government intervention to control how everyone designs their networks (They'd be perpetually ten years behind current technology anyway), but to just weather the current panic, learn from it, and remember CHANGE THE DEFAULT PASSWORDS and USE A FIREWALL! The only reason this has been such a problem is that industrial control networks are designed by people with insufficient training in IT security, so often even the most common-sense measures are neglected.
Don't exaggerate the issue. The exploitation of PLCs by Stuxnet is akin to a device on your car's CAN bus issuing commands across the network. Does your car's radio require authentication? Newp. How about your speedometer? Newp.
What StuxNet *does* emphasize is why it's a very, VERY dumb idea to have a network with PLCs connected to an external network of any kind.
"OMFG, I can't believe my cancer test came up negative because some hax0r compromised it. What kind of suck software was RUNNING on that device?"
OOOOOOoorrrrrrr..
"OMFG, you idiots, WTF would you connect a device which is going to tell me if I'm *DYING* to the MTF internet?!?!"
-- I'm the root of all that's evil, but you can call me cookie..
Ain't it a biatch.
Set your phasers on "funky"!
There are lots of choices. Just avoid using Siemens controllers. Problem solved!
* Carthago Delenda Est *
A fair number of people have labeled me a socialist, and even I can see that this is nothing more than a blatant attempt at a power grab by the federal government, and profiteering by Symantec.
Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the Senate Homeland Security and Governmental Affairs Committee that the "real-world implications of Stuxnet are beyond any threat we have seen in the past."
So we're having people who stand to gain more power over their countrymen making a decision about taking that power, receiving testimony about the threat from the company that stands to profit the most by their decision to take the power. Yeah, that's not a recipe for a horrendous outcome.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
"Think of the children!"
It's probably American dollars that paid for Stuxnet in the first place (by way of "Aid" to certain countries).
just deserts come to mind
Obviously, this virus showed that nuclear security is a much harder problem than anyone realised before. Nuclear plants are using insecure closed-source programs. It is unlikely that anyone competent reviewed the sources of these programs. It should be remembered that all arguments on how "new reactors" are now safe, as opposed to Chernobyl, are invalid, all of a sudden, and there is little the Nuclear Lobby can do in the short term to restore the safety argument.
839*929
Yes, because my Congressman is without a doubt the best qualified to draft intelligent, thoughtful cyber-laws to deal with cyber-threats! :)
I now await his first press conference talking about his "Superior Cyber Technology"...
and if macOS were ever to become popular enough that malware writers decide to target it? Just because something is too obscure to be targeted does not mean it's totally secure. The virus was written for windows because that's what the system runs. If it ran Linux it would have been a Linux virus.
And what if I pay some random employee of a nuclear plant $1 million to run an .exe from a USB key? Then I possibly can create another Chernobyl. In the case of nuclear plants, the only solution is to stay with purely electrical control systems and not move them towards electronic programmable (computer) control systems. If there is no SW, there is no possibility of infection.
Yeah, but then how would they check facebook?
Seriously, who TF came to the idea that all WANs are to be extinguished and only the Internet can be used for site-to-site networks? Maybe I'm showing my age, but I don't care: when I was working in IT (before returning to academia), private WANs were the norm, and nobody even dreamt of connecting any part of a company network, no matter how unimportant, to the Internet. Somehow, common sense wasn't snuffed entirely. Oh, and we did have e-mail, shockingly enough, which was nicely routed to the Internet (if the e-mail address was an Internet e-mail address).
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
So the US government launches a cyber attack aimed at Iran's nuclear production and now the government wants to protect us from cyberthreats?
Where have I heard that before? Oh, yeah! We woulds hate to see bad tings happen to yas.
Besides taking naked pictures of you at the airport, now the government will be infiltrating your office network to protect you. Boy, I feel so much safer now.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
There, corrected for you.
And before you Microsoft Astroturfers obey your master and mod me into oblivion, that's how it is. Windows is the attack vector used when gaining access to the various SCADA systems it's after. Even with a secure SCADA system, as long as it's managed on a Windows computer it's vulnerable to attacks. Take Windows out of the picture and the threat lowers significantly.
The virus was written for windows because that's what the system runs. If it ran Linux it would have been a Linux virus.
Meanwhile, back in the real world, much of the most important Internet infrastructure runs on Linux and yet it seems remarkably lacking in virus infections.
http://hotinfo10.wordpress.com/ Wow, didn't know that such a threat exists. Well, during the Millennium there was news regarding a virus that posed a great threat to the US government.. hopefully the world can pull through this time like we did in 2000
Stop running your robots with a computer running windows 98 (or winxp that auto-logs-in to admin on bootup). Stop putting those same computers on the Internet because Jim the Operator needed to read his email. Buy a dedicated computer for that, and remove/disable the NIC on the controller computer.
Mac users shouldn't get too cocky about it.
Well if governments can pass legislation to make us safe, then unless it violates some other law (constitution) they should do it. And while they are at it pass a law to make cars all safe, the air safe, children safe, and all the other stuff safe. I don't think it is so easy and business has an obligation to protect themselves. When you take a research network and later try to legislate rules into it you are missing the boat. (I am getting tired of "someone" saying congress can fix "it" with a law, take some responsibility. Even if you are BP, a power company, a consumer, a person driving a car, a parent, an airline passenger, a record company, etc.) Sigh
Why does it always follow the outline:
[INSERT REAL OR IMAGINED DANGER HERE], so the only solution is for [INSERT GOV'T BRANCH HERE] to [INSERT DESIRED ACTION HERE].
"The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."
This is a wake-up call. It is one that has been missing for a long time. Thankfully, it is not damaging to ANYTHING. The ONLY downfall is that if you are running the German designed centrifuges, then it will only mix Uranium with a tolerance that is acceptable for Nuke Plants. Basically, it does not have high enough tolerance for bombs. The problem for Iran is that they obviously have ZERO intentions of doing this work for nuke plants like they claim. It is all for bombs.
I prefer the "u" in honour as it seems to be missing these days.
The only reason we survived the cylons was by not having our computers networked for "increased efficiency". We are doomed.
I wish that I had not replied on this article. I would have modded you down. Obviously you are neither a cracker, nor a virus writer, nor logical.
Ppl target Windows not due to the number of systems, but the number of openings. If a system had 99% penetration of desktop markets, but had ZERO openings, or even limited openings, then the crackers/virus writers/etc would then target the 1%. Why? BECAUSE IT IS EFFECTIVE.
Hell, just look at 7-11 vs. banks. Once upon a time, banks were the favorite targets. Then along came 7-11. Much smaller amounts, but banks had acquired security, while 7-11 had none. When 7-11 moved to having decent security, then robbers went back to mostly banks. There are more banks robbed from in Colorado than 7-11s. Why? Because 7-11 has effective security.
If foo works on one system, and foo is adaptable, then foo + bar might work on another system.
We can make jokes about the Windows OS and giving vital machines an active presence on the Internet all day long (and it seems we have), but that would be missing the point. What we have here is a virus which has been proven to work, and which like many viruses, can be altered to infect other systems. People who say these organizations should run OSX or Linux, who's to say this virus can't be recoded to work on those systems (yes, I realize time required). People who say steer clear of the Internet, direct contact is always a potential vector for infection.
At the risk of having to put on my tin foil hat, I'd say the whole Iran infection is a proof of concept. The virus works, and it's possible to get into proper positioning to release it. All this talk about government regulation isn't going to change that fact either, if anything, the bureaucracy might cripple response times. It falls on security professionals to figure out how to head this virus off. Identify it, reverse engineer it, kill it, and figure out a way to detect new variations before they can cause too much damage. But if all of us are too busy shooting for +5 Funny/Insightful by bashing Microsoft, well, we're certainly not getting anything done, are we?
You've obviously never owned a Linux server on the web. Gosh!! Updates came nearly weekly (and had to be manually installed) and even then my box was completely cracked and used to try to break into Stanford U graphics department one weekend. Ran up an $800 bill for me. Thanks Linux.
While your statement about Linux being used on much of the web is correct, try working for a shared hosting company that has thousands of Linux boxes on them, and they will tell you it is a 24x7 job trying to keep them patched and clean and updated. Nothing out there is plug-n-play-n-forget.
jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
and in other news this virus had an industrial target. It wasn't simply looking to disrupt internet traffic. Once a malware writer decides they want to disrupt internet traffic in general I'm sure we'll see things written to affect those linux machines. Don't get me wrong, I prefer linux and run it at home, but blaming the target doesn't solve the problem. If you are putting forth the idea that no viruses/malware/exploits exist for linux then you sir are either woefully unaware or a complete idiot.
"The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."
Uh NO... it makes it imperative that security folks get better training! Why does this government think they can fix everything by expanding government controls???
So what's your solution to salespeople who have to use Windows and need the ability to install printers on the road? You can't do that in Windows without admin rights.
Or what about the people who rely on UPS software? Also requires admin rights.
But I'm sure you have it all down pat, in your little limited environment, and none of the Windows viruses / worms affect your company at all. Right. Because it's gotten to the point that a simple Google search can get you infected if you run IE -- even IE 8 and 9. Or maybe your company doesn't use any of the other Microsoft products (SharePoint for one) which require IE?
The point is the other OS's -- Linux, UNIX, OSX -- all ship with more security and fewer holes. When's the last time you saw someone infected with a virus / worm on Linux? On UNIX? On OSX? Think hard. Now when was the last time that happened for Windows users?
You realize Patch Tuesday is there for a reason, right? And that the Windows anti-malware and antivirus industries make a ton of money, selling products people need to keep their machines working until the next threat comes out and the arms race begins again.
Defective by design -- that's Windows. Doesn't require an idiot to launch a trojan to get infected. Just connect it to a network or the Internet and let the fun begin.
For the love of god! You cannot create another Chernobyl, it had ZERO core containment. US reactors have 12 feet thick concrete surrounding the core! It *may* melt down, but then it's entombed in tons of concrete, so there isn't much to worry about! Equating a meltdown to Chernobyl is naive.
As an AC this post will never see the light of day, but I really wish people would stop being so afraid of nuclear power, it's really our only hope to get off fossil fuels any time soon.
Popularity is one reason MS is targeted, but the way Windows is designed is the primary factor in its proliferation of malware.
An example: making a program executable by changing the extension, and then hiding that extension by default. That JPG file can be an executable in Windows, but not in Mac or Linux.
Another example: software repositories. It's as easy to install a Linux program from a repository as it is to install a Windows program in Windows, but probably too hard for Joe Sixpack to install a program not in the repository. In windows, clicking any install file and answering all the questions with "yes" installs a program.
They are getting better about it, but they're nowhere near the security of Mac or Linux.
Free Martian Whores!
No. Stuxnet targeted Windows because the _specific plant that Stuxnet was designed to sabotage_ used Siemens WinCC, which is a Windows-only application.
If Stuxnet was a piece of general purpose malware written for economic or general purpose espionage reasons (like the Russian Business Network's systems or Ghostnet) then your argument would make sense. In the case of Stuxnet, which is one of the most specialized pieces of malware ever made, it targets *whatever platforms are necessary* to get at the 33+ Variable Speed Drives that it was specifically designed to sabotage. If that plant used a Linux-based control system, then Stuxnet would have been a Linux + PLC rootkit instead of a Windows + PLC rootkit.
and in other news this virus had an industrial target. It wasn't simply looking to disrupt internet traffic. Once a malware writer decides they want to disrupt internet traffic in general I'm sure we'll see things written to affect those linux machines.
You're right: owning a DNS server, or amazon.com, or google would be of no value whatsoever to a bad guy. That's obviously why they haven't hacked those servers, not because they're vastly more secure than Windows.
This whole 'no OS is any more secure than any other' nonsense is one of the reasons why we see these kind of problems.
Anyone involved in industrial control systems - especially nuclear fuel refinement, for Bob's sake - needs to look up "air gap" in a dictionary. It's not a guarantee of security, but it's a start.
No I'm not a cracker or virus writer, I am logical though. There are TONS of exploits for Linux, jackass. They do exist and you not wanting to admit it doesn't make it go away. Read gsgriffin's response, it sounds like he has some experience working with linux. Talking about theft, banks are still a favorite of thieves and far more is still stolen from banks than from 7-11s. Your analogy still works a little though. The low end thugs with no talent (script kiddies for our purposes) hit 7-11s, crooks with more finesse (actual crackers) steal much larger amounts by defrauding banks. Both get robbed so obviously even with security there is risk. jackass.
All of those things have been hacked before.... so your point being.
Get the dropdown right on the first try. No submit button for you!
AJAX isn't necessarily a bad thing, but incompetent web developers replacing good interfaces with bad ones, sure is.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Many of the comments here seem to be unaware of what Stuxnet actually is or how it works. Symantec has a great whitepaper on it that is updated as they learn more. 50 pages of technical detail. Of course you can read the executive summary and at least avoid making the kinds of uninformed comments I'm seeing here.
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Just a Few:
1. "People are so stupid to connect their industrial control system to the internet!"
Stuxnet does not require internet access. It delivers its payload in various ways, and in particular, if an infected USB stick is inserted into a susceptible machine, it will find a machine on that network with the Siemens PLC development environment and infect it in such a way to insert hidden malicious code into the PLC.
2. "Just don't run Windows"
There is some validity to this idea. But the payload was not delivered to a Windows machine, just via one. How many embedded controller development environments require a Windows machine? Try coding a Xilinx FPGA without a Windows box, or just about anything out there without one.
3. "We could have seen this coming"
Most people did see this coming. But they didn't think it was actually plausible to defend against. The Stuxnet worm required a huge amount of resources and detailed knowledge to pull off. Everything from the payload to the infection method. Someone really thought this through. It is a proof of concept of what people generally believed to be only possible in theory.
The fact that government is getting involved here is a bit worrisome. I hope they at least pay attention to the existing specifications already out there to help mitigate some of these threats. NIST 800-82 is a decent read that is free (final public draft) and there are other pay ones out there as well.
The reason why I am kind of annoyed about people's ignorance about Stuxnet is because the biggest lesson learned from it is largely being ignored. 1. That "air gap" protection you think you have is not as good as you think it is. 2. The "insider threat" is worth thinking about, even if you trust your insiders. They may not know they are a threat.
and if macOS were ever to become popular enough that malware writers decide to target it? Just because something is too obscure to be targeted does not mean it's totally secure. The virus was written for windows because that's what the system runs. If it ran Linux it would have been a Linux virus.
If OS X ever became popular enough that it had 40% of the market not only would it be much more resistant to malware than Windows is now, Windows would adapt and become much more resistant to malware. Here's the thing that people don't seem to get. Windows isn't built on an inherently insecure foundation that can never be fixed. It's not insecure because it is built by Microsoft. It's insecure because it has monopoly influence on the market so competitive forces that would normally drive real, functional security improvements, are just not there.
Now I'm not saying all OS's would be immune to malware if Windows was not a monopoly. What I'm saying is that they'd adapt to be resistant enough to satisfy the needs of their main customer base and some OS's would target the secure workstation segment. The weakness of Windows is that investing in security doesn't make Microsoft more money than dumping half that money into marketing about security or security theater features.
You want to know the most effective way I can think of to improve computer security, break Microsoft up into at least two companies BOTH with full rights to the windows code, forbid them from any nonpublic communication or collusion. Let Microsoft A and Microsoft B bid against one another for contracts and we'll see just how fast they can make real security improvements at lower costs in order to win that contract.
Interesting idea.
Nothing happens..
Why? Because a competent system designer and installer would have disabled USB storage capabilities.
How about a CD, sure, got the key to open the rackmount computer door? No... sowwy...
It's easy to fix that issue.
Do not look at laser with remaining good eye.
As to this particular virus, yeah, they CHOSE Windows. They could have chosen to make the virus work via neutral arch (i.e. all intel/amd OS; which is hard), pure hardware (which is doable, but again hard), OR simply use a singular easy to hit target (which is always windows). Had Germany had any real thoughts about Security, they would have done Linux, Mac, or simply Unix. Thank God that some damn lazy marketer foisted windows into Siemens. Otherwise, I think that it would have been a LOT MORE DIFFICULT to hit the box. Not because it is *nix, but because if you push *nix and push Security for the reason, then Iran would have had a secured network. As it is, Iranians are obviously just as foolish as others that run that junk, so it was exposed.
Personally, I find it interesting that Iran is in such turmoil from it. If anybody wanted proof, that was it. The modification allows the final uranium to be usable for nuke plants, but it is worthless for bomb-making. IOW, Iran would have no reason to be concerned if this was for peaceful uses. The fact that they are near panic about it, says that this is purely about weapons. As such, I say that we offer Iran an ultimatum:
Finally, we change our no-nuke pledge to the world to include the possibility of using it on Iran and anybody that they transfer nuke tech to.
O RLY?
Contrary to the popular belief, there indeed is no God.
They were thinking: 'look at all this money'. Windows = minimum level of comfort to clueless PHBs that sign fat POs. Ca-ching!
"Imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer"
Yep, Congress acting in the interest of the corporate-welfare state could end innovation in the USA. Market/Customer-base elitist protectionist legislation has never made anything, over the last 50 years, better or safer for people or economics.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Stuxnet is precise because it was designed to attack a very specific target and hide for as long as possible, not because it had to be. Anyone could use the same principles to attack a much broader range of PLCs and other SCADA systems much more aggressively.
Is the government that created Stuxnet liable for any damage as a result of the modified version?
Stuxnet doesn't use the internet as its only attack vector. It also uses thumb drives and optical drives. That's how most of the facilities in Iran were infected.
Correction: The Siemens WinCC software had that password, as did the Step 7 development package. Siemens used it as some sort of idiotic way to validate licenses. That is why they were unable to tell anyone to change the password. It was hardwired everywhere. Note that this password was disclosed publicly in 2008, and yet Siemens did nothing to change the code.
The PLC did not have this password. The PLC was built on the assumption that those who have physical access to the unit have ultimate authority anyway (they can walk over to a motor control center and just turn a switch). In today's networked to everywhere situation, this looks foolishly quaint. However, back when these devices were designed, it was assumed that those who build these networks are doing all they can to block the traffic on to the office network.
Unfortunately, there are way too many office IT "experts" who think that because they know the office that they know the plant floor IT as well. They design the one great big network of everything and then use a VLAN to keep it apart. The VLAN gets bridged when some dreamy eyed idiot wants to surf the web and monitor the plant from the same box. And that's when things go downhill pretty fast. I speak from experience. If you do any form of office IT, you would be wise to pause and think before you post your ignorance for the world to see. If you have never done embedded computing, worked on a Programmable Logic Controller, or managed a real industrial process, there will be surprises in store for you. This is not just another app.
The Stuxnet PLC code was looking for something very specific. Current speculation leans toward the notion that this was aimed at the Uranium Enrichment facility in Natanz, Iran. However, there is only circumstantial evidence at best and the clues are awfully thin. Even if this is true, I doubt anyone will be confirming this story in our lifetimes.
One of the interesting aspects to targeting an S7 PLC platform is this: It is one of the most popular PLCs world wide. If someone were to install a back door timebomb that stopped this PLC cold, the world economy as we know it would collapse in a matter of weeks. There is a significant amount of high energy stuff based upon this PLC platform. Aim at more than one platform of PLC and the world as we know it could change overnight.
This is the Nuclear option of weaponized software. Anyone who launches an attack like this has very little concern for anyone but himself. That is why Stuxnet was probably so narrowly targeted at one facility. If they hadn't it would have blown back on the rest of the world.
The lesson learned from Stuxnet is that the response by the CERT agencies world wide was either bad or awful. Even today, Siemens have very little to say about how to remove the Stuxnet rootkit. They'll only remove the payload carrier. Gee. Thanks. It would have done that by itself eventually.
It took a business consultant like Ralph Langner to break open the first evidence of the nature of the PLC code. I was there at the ACS conference in DC when he gave his first presentation on the subject. Yes, there were rumors that INL was doing it too, but they never released their findings. DHS keeps stamping their work secret even when it would have been better not to.
We need to do better. The CERT groups need to step up to the plate and realize that there are other platforms besides the PC. Furthermore, they also need to realize how issues of functional and I/O validation fit in to the picture, and how safety is handled. This may be a simpler platform in many ways, but the social and safety issues that go along with it make financial information system designs look like child's play. At least you can restore the latter from a backup and nobody gets maimed or killed.
Welcome to my world...
Nearly fifty percent of all graduates come from the bottom half of the class!
Funny, I see the same pattern in politicians.
Campaign promises may be popular but at best are short-sighted and at worst outright lies. No one would vote for a candidate that campaigns on the premise of making those hard long-term decisions.
"Humans in general and managers in particular are famously bad at correctly estimating the factors of low-probability/high-impact risks. Not always in the same direction - we vastly overestimate the risk of some stuff, and vastly underestimate others. "
This is also true of politicians and I see many political issues that seem vastly over-hyped or under-valued.
oldhack: "Security is a waste of money until shit hits the fan. 5 minutes later, it becomes waste of money again. "
You've obviously never owned a Linux server on the web.
I have, for, oh, a decade or so, I'd say. I've had my machine rooted *once*, many many years ago. How? By having a POP3 server exposed to the world. Solution? Firewall. Problem == solved.
'course, the same is true of any other OS. The key to securing a server: minimize your surface area, and stay updated. If your server is directly exposed to the internet, you're doing it wrong. Period.
Lots of IT pros have been screaming for a DECADE that only complete fucking morons put a SCADA system on anything that is connected to an external network. Let me repeat that. ONLY A COMPLETE MORON will hook up a scada system to a pc that bridges the internet and the secured network, OR puts the whole damn thing on a unsecured network.
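The "bridge" this post and the plant-floor post further up warn about (one Windows box holding an address on the control network and on the office network, or routing between them) can be checked for on the host itself. The script below is an added PowerShell example, not something from the thread; the subnet ranges are constructed placeholders for a site's real ones, and it assumes the NetTCPIP module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the thread): report whether this Windows host straddles the
# plant (control) network and the office network, or has IP forwarding enabled so it
# can route between them. A dual-homed HMI or engineering workstation is a bridge even
# without forwarding, because anything running on it sees both networks.
$PlantSubnets  = @('10.10.0.0/16')                    # constructed: control-system ranges
$OfficeSubnets = @('192.168.0.0/16', '172.16.0.0/12') # constructed: corporate ranges

function ConvertTo-AddressInt {
    # Dotted-quad IPv4 -> 64-bit integer (64-bit avoids PowerShell's signed 32-bit arithmetic).
    param([string]$Ip)
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    return [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
}

function Test-InSubnet {
    # True when $Ip falls inside the CIDR block $Cidr (e.g. '10.10.0.0/16').
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $prefix = [int]$prefix
    # Network mask as an integer: all 32 bits set, minus the host bits.
    $mask = if ($prefix -eq 0) { [int64]0 }
            else { [int64]4294967295 - ([int64][math]::Pow(2, 32 - $prefix) - 1) }
    $ipInt  = ConvertTo-AddressInt $Ip
    $netInt = ConvertTo-AddressInt $network
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Get-MatchingAddresses {
    # Addresses from $Addresses that lie in any of the given subnets.
    param($Addresses, [string[]]$Subnets)
    $Addresses | Where-Object {
        $ip = $_.IPAddress
        @($Subnets | Where-Object { Test-InSubnet $ip $_ }).Count -gt 0
    }
}

function Test-PlantBridge {
    # Returns a list of findings; an empty list means no bridge condition was detected.
    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }

    $onPlant    = @(Get-MatchingAddresses $addresses $PlantSubnets)
    $onOffice   = @(Get-MatchingAddresses $addresses $OfficeSubnets)
    $forwarding = @(Get-NetIPInterface -AddressFamily IPv4 | Where-Object { $_.Forwarding -eq 'Enabled' })

    $findings = @()
    if ($onPlant.Count -gt 0 -and $onOffice.Count -gt 0) {
        $findings += "Dual-homed: plant [$($onPlant.IPAddress -join ', ')] and office [$($onOffice.IPAddress -join ', ')]"
    }
    if ($forwarding.Count -gt 0) {
        $findings += "IP forwarding enabled on: $($forwarding.InterfaceAlias -join ', ')"
    }
    return $findings
}

$findings = Test-PlantBridge
if ($findings.Count -eq 0) {
    Write-Output "OK: no plant/office bridge detected on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it from an inventory job against every host that is supposed to live on the plant side; a non-zero exit code marks the machines that need a second look.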
It's not just the network. Malware predates general Internet accessibility by a number of years. The earliest ones were spread by removable disks carried via sneakernet.
"Only a complete moron" would build into a SCADA system a machine loaded with software that has THOUSANDS of wide-open known ways to infect it, if malware comes in on ANY vector: network, removable disks, storage sticks, infrared flickering, WiFi signals, ...
Such a machine is an agar plate waiting for the first bacterium to land. And a well designed chunk of malware (and this one looks like a masterpiece) can spread from network to machine to storage device to whatever and try them ALL, so that if there is even ONE POSSIBLE PATH it will be found.
Which apparently is what happened to Iran's uranium enrichment system, since reports are that it WASN'T connected to the net.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
Such mission critical systems should NEVER have untrusted media inserted, and they should NEVER be on the public internet. Further, inserting a media such as a USB stick should be safe because nothing should be automatically run.
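One way to verify the "nothing should be automatically run" condition on a Windows SCADA host, as an added example that is not from the thread: the script below audits the documented Explorer autorun policy values (NoDriveTypeAutoRun = 0xFF disables autorun for every drive type; HonorAutorunSetting = 1 makes Windows honour that value) and can optionally set them. The function name and the -Fix switch are my own; everything else is the standard registry policy.

```powershell
# Added example: audit (and optionally enforce) the Windows autorun policy
# so that inserting a USB stick on a control-system host launches nothing.
# Documented Explorer policy values checked:
#   NoDriveTypeAutoRun  = 0xFF -> autorun disabled for all drive types
#   HonorAutorunSetting = 1    -> Windows honours NoDriveTypeAutoRun
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Test-AutorunHardened {
    # Hypothetical helper (not a built-in cmdlet): returns one object per
    # policy path with a Hardened flag and a list of findings.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Fix   # apply the hardened values instead of only reporting
    )
    $findings = @()
    if (-not (Test-Path $Path)) {
        if ($Fix) { New-Item -Path $Path -Force | Out-Null }
        else      { $findings += 'policy key missing; OS defaults apply' }
    }
    if (Test-Path $Path) {
        $props = Get-ItemProperty -Path $Path
        if ($props.NoDriveTypeAutoRun -ne 0xFF) {
            $findings += ("NoDriveTypeAutoRun is '{0}', expected 0xFF" -f $props.NoDriveTypeAutoRun)
            if ($Fix) { Set-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord }
        }
        if ($props.HonorAutorunSetting -ne 1) {
            $findings += ("HonorAutorunSetting is '{0}', expected 1" -f $props.HonorAutorunSetting)
            if ($Fix) { Set-ItemProperty -Path $Path -Name HonorAutorunSetting -Value 1 -Type DWord }
        }
    }
    [pscustomobject]@{
        Path     = $Path
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Report only; add -Fix (from an elevated shell) to enforce the values.
foreach ($p in $policyPaths) { Test-AutorunHardened -Path $p | Format-List }
```

Autorun is only one path onto the box; the same audit says nothing about what an operator double-clicks, so pair it with the media-control and patching discipline the thread argues for.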
How about removing the commodity black-box software, chock full of known vulnerabilities, that is wide open to infection by such paths, replacing it with software where you CAN disable or control such access.
Belt and suspenders.
I do not mind the government telling industry that they must secure their systems. Who else is going to do that? Customers?
Stockholders. B-)
Next up: the police start killing people so they can use the higher homicide rates to motivate expansion.
Interestingly, there have been a number of instances of firemen, or whole fire departments, who committed repeated and serious arson.
Probably more for the fun of putting the fires out than as a budget booster, but still ...
However, police administrations also have a long history of prescribing "solutions" to crime rates that actually increase them. The commonest one is opposing private use of guns for self-protection, which drastically hikes violent crime rates. Others include the "DARE" program, which increases illegal drug use and related crime.
And practically everything governments do creates more problems than they claim to solve - often the same ones they claim to be solving. Wars on poverty increase the number and misery of the poor. Housing assistance ends up with people being thrown out of their homes. (This round isn't the first for the US: search for "HUD houses".) Education. "Homeland Security". "War on terrorism" and the resulting "blowback" is just the latest in foreign policy bullying-inspiring-retaliation-by-asymmetric-warfare.
I could go on for pages.
OK, let's get some real facts into this conversation.
1. Windows should not be used in SCADA systems
We all know that Windows has a number of security holes. Whether this is because it is inherently insecure, its closed-source aspect or its familiarity is a debating point. Probably some of all 3. Unfortunately it is a fact that most SCADA systems use Windows. The reason for this is historical. The most common SCADA communication system is OPC. When it was originally specified it was based on communication over DCOM. Now you could argue that this is one of the most insane decisions ever, because basically it has given Windows a near monopoly on SCADA over the past decade. However, things are changing: OPC-XA is the latest standard and this is more open. However, the ubiquity of Windows means that I can't see other OSes making an impact anywhere in the near future. So we just need to deal with it.
2. Outside networks should not be connected to an industrial control system.
Great in theory, and maybe achievable in a factory environment as long as you have engineers on 24-hour call. But there are many situations where it is not practical. For example, an offshore wind farm. In these situations, unless you are going to lay your own cables, the most efficient way of monitoring your system is over the internet cloud. Now this does not mean you are using the internet. You will use VLAN over dedicated portals. Your system will be protected behind multiple firewalls. There are many levels of protection you can put in, and while no protection is totally secure it will still survive the majority of attacks.
In fact, a greater danger is often not the internet but the ubiquity of USB memory keys. Basically, if you lock down your system so there is no network access, support and commissioning engineers, being persistent little buggers, will find ways to make their life easier, like putting patches on via USB keys which were only recently connected to their home computer. At least with network access you can monitor the activity.
The one thing the Stuxnet virus has done is wake people up to the dangers. Most people who work in the industry knew industrial systems are far less secure than, say, a banking system. However, the assumption has been that because viruses were targeted at things like obtaining credit card details, there was little damage they could do if they infected a control network. Also, the assumption was that control network OSes are outside the knowledge area of the average virus writer, so targeted viruses would be rare. This is a wake-up call that control systems are now seen as the new battleground by governments. Why bomb a nuclear plant when you can plant a virus? There is going to be a lot more emphasis on security on such systems going forward, and that can only be a good thing.
Choose your allies carefully, it is highly unlikely you will be held accountable for the actions of your enemies