Slashdot Mirror


DHS Chief: What We Learned From Stuxnet

angry tapir writes "If there's a lesson to be learned from last year's Stuxnet worm, it's that the private sector needs to be able to respond quickly to cyber-emergencies (CT: Warning, site contains obnoxious interstitial ads. Blocker advised), according to the head of the US Department of Homeland Security. When Stuxnet hit, the US Department of Homeland Security was sent scrambling to analyze the threat. Systems had to be flown in from Germany to the federal government's Idaho National Laboratory. In short order the worm was decoded, but for some time, many companies that owned Siemens equipment were left wondering what measures, if any, they should take to protect themselves from the new worm."

125 comments

  1. Umm by Anonymous Coward · · Score: 0

    I smell something...

    1. Re:Umm by Anonymous Coward · · Score: 0

      No shit, Sherlock!

  2. #1 thing learned from Stuxnet... by mlts · · Score: 1, Insightful

    #1 thing learned from Stuxnet:

    Air-gap your production SCADA/embedded stuff.

    1. Re:#1 thing learned from Stuxnet... by rlp · · Score: 4, Informative

      Air-gap your production SCADA/embedded stuff

      Stuxnet was designed to use USB-flash drives as a transmission vector.

      --
      [Insert pithy quote here]
    2. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      Yeahhhh... WiFi for SCADA systems! Genius.

    3. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 4, Insightful

      In other words: the real air gap you need to worry about is the one between your employees' ears.

    4. Re:#1 thing learned from Stuxnet... by iamsolidsnk · · Score: 1

      # thing learned from Stuxnet:

      The human IT factor will always be the weakest link in the computer system equation.

      --
      Here I am, here I remain.
    5. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      The number one thing learned is that Israeli intelligence and probably their US counterparts can penetrate feeble cyber-security in Iran.

      Yup, air-gap for important infrastructure (like centrifuges) is necessary if you have enemies.

    6. Re:#1 thing learned from Stuxnet... by thsths · · Score: 1

      That, and never assume that the payload is harmless. Just because you do not understand it does not mean it does not affect you.

      So why did they have to analyse the code? It is a nice exercise, but for the threat assessment I think it is sufficient to state that the virus is uploading code to your SPS. It's like having an intruder on your premises - you do not need to understand his motives, but you do need to improve security.

    7. Re:#1 thing learned from Stuxnet... by cusco · · Score: 1

      So how do you propose to transmit data from a power dam sensor across half a mile of water?

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    8. Re:#1 thing learned from Stuxnet... by vlm · · Score: 2

      Some hot glue in the USB holes works wonders on other "secure" systems.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    9. Re:#1 thing learned from Stuxnet... by KUHurdler · · Score: 1

      You could build something across the water... like maybe, a dam. Then run fiber to it.

      --
      Fix Your Own TV - RiddledTV.com Avoid the Landfill
    10. Re:#1 thing learned from Stuxnet... by vlm · · Score: 2

      So how do you propose to transmit data from a power dam sensor across half a mile of water?

      Assuming "it" is not free floating, run a wire to it. Or, even better, a fiber. Alternately there are about one zillion non-WiFi non-LAN radio communications technologies that could transmit that telemetry.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    11. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      If you don't want an unofficial dark government's worm, hire real people to manage resources manually.

    12. Re:#1 thing learned from Stuxnet... by Jeek+Elemental · · Score: 1

      and delivered by people willing to give their life for it (which they likely did.)

    13. Re:#1 thing learned from Stuxnet... by ColdWetDog · · Score: 3, Funny

      Some hot glue in the USB holes works wonders on other "secure" systems.

      Probably would work fairly well for the 'between-the-ears' airgap as well. Worth a try anyway.

      --
      Faster! Faster! Faster would be better!
    14. Re:#1 thing learned from Stuxnet... by ColdWetDog · · Score: 2

      Many Bothans died to bring us this information.

      --
      Faster! Faster! Faster would be better!
    15. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      Stuxnet was designed to use USB-flash drives as a transmission vector.

      And relying on human stupidity as the delivery method.

    16. Re:#1 thing learned from Stuxnet... by Kennon · · Score: 1

      How to write better detection avoidance considering they wrote it.

      --
      "All those moments, will be lost in time...like tears in rain..."
    17. Re:#1 thing learned from Stuxnet... by cusco · · Score: 1

      I think the original poster was referring to transmitting data wirelessly in general. No, you're right, SCADA data does not belong on some brain-dead Cisco AP or some such. BTW, yes, it does float.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    18. Re:#1 thing learned from Stuxnet... by Garth+Smith · · Score: 2

      In other words: the real air gap you need to worry about is the one between your employees' ears.

      Fact: It is impossible to guarantee zero errors from employees. People make mistakes.

    19. Re:#1 thing learned from Stuxnet... by baderman · · Score: 1

      But keep in mind, that worm communicated with c&c servers after installation and was operated remotely.

    20. Re:#1 thing learned from Stuxnet... by wsxyz · · Score: 1

      But there was no requirement for direct access to the network. Worm instances on airgapped systems received updates & transmitted information via later worm instances brought via USB stick.

    21. Re:#1 thing learned from Stuxnet... by h4rr4r · · Score: 1

      If you are going to airgap, you must also disable the USB ports. Physically, not in software.

    22. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      Not necessarily...consider that the target systems may have required or enabled the use of a USB key to transfer information across an air gap...and consider that any such key might have been infected unknown to the user, assuming the original infection may have come from for example, an SQL injection attack on a work computer that was also used to do such things as read Al Jazeera or other site, in addition to being used to consolidate data taken from the air-gapped boxes via the USB key.

      Of course, on the other hand, many players in this game have been known to follow the old process of search for the guilty, punishment of the innocents, and promotion of the non-participants.

      If "someone died and left me in charge" of making Stuxnet work in a so-called secure environment, and if I had an "asset" in place who was willing to plant the virus, I would want to do all that I could not to "burn" that asset, but rather would find some way to get the transmission to occur without traceability and/or responsibility for a supposed known intrusion.

      Instead, I would use that asset to find out how the operation operates, and then develop an insertion method that left that person outside the circle of suspicion...maybe even plant the suspicion on a hostile target in the environment instead, e.g., because they were known to visit a site while at work that could have been compromised by a MITM attack.

      Just because the government, for example, does stupid things does NOT mean that everything it does is stupid, and indeed, sometimes there is real brilliance buried within the layers of mediocrity.

      But I doubt that the DHS was on the inside on this one. Sounds more like NSA, the Mossad, or even a false-flag effort by a supposed ally to discredit an enemy of that false flag.

      But independent of the "fact" that "viruses are bad", this was apparently a fairly well planned and executed attack, regardless of whodunit.

      Personally, I kind of hope "the (more or less) good guys" did figure this one out and make it pay off for some meaningful strategic aims.

      But it is unlikely that we will ever find out the truth (just several alternate theories thereof, a la the JFK assassination). Still, it would likely match up with one of the better movie versions of such espionage thrillers, I'd wager.

      But turnabout is fair play. And there was a time when the ex- of a friend, who was Iranian, worked in a highly DC restaurant for years after he acquired or dropped out of a nuclear engineering program. Put two plus two together: the first black governor of Va., Doug Wilder, was once quoted as saying he learned how Va. politics worked by bussing tables in a Richmond restaurant while a college student.

      I'm sure the government must have been checking the backgrounds of people working there (at the now defunct DC political hotspot), but there are days when it feels like all of DC is filled with spooks going spy vs. spy, a la the cartoonist Sergio Aragones (RIP), formerly of Mad Magazine.

      As a final note, I would wager that autorun was not turned off on the targeted systems, and/or that it was controlled back on via another vector, before this was done. But I'll bet someone also closed that door after the horse got out of that barn. Comrade hero supreme protector of after-the-fact cleanup, no doubt.

    23. Re:#1 thing learned from Stuxnet... by evil_aaronm · · Score: 1

      Your point notwithstanding, from the summary, it said that people with Siemens equipment - disclaimer: I work for them, but not in that group - needed to know how they might be impacted. Yes, block the holes, but you also need to try to fathom how bad the damage is going to be. What are we looking at, here: harmless prank or full enterprise-wide melt-down?

    24. Re:#1 thing learned from Stuxnet... by thegarbz · · Score: 3, Insightful

      #1 thing I've learnt from Stuxnet: People who have no experience with SCADA equipment say "OMGZ TEH HAXORS, Airgap! Airgap! Airgap!", and somehow get modded insightful.

      There is nothing insightful at all about taking the silly approach to simply cutting cables due to the fact that there maybe someone out there with nefarious motives. It's right up there with OH&S departments saying people should wear gloves at all times in case of papercuts.

      Any sizable SCADA system RELIES on network access. We're not talking about one small unit running one compressor, but the type of systems that run entire plants. They must be able to communicate with each other, they must be able to communicate with asset management systems, they must be able to communicate with process historians (all these on a different network of course), these machines must be able to communicate with engineering departments at worst, and at best be accessible by knowledgeable experts in the industry from the other side of the world.

      There are plenty of plants around the world which would turn into oversized holes in the ground if it weren't for the fact that realtime knowledge was accessible remotely. There are many companies which would have been sued out of existence if they put their hands on their hearts in front of congress and said, "Sorry we don't have any data on what has happened, our IT guys said we couldn't network our SCADA systems to the offsite historian, and it has all burnt in a fire".

      Security is NOT an airgap. Security is a complete process, a company culture and something that needs to be designed into every aspect of network design. Limiting access both physical and remote, using a complex hierarchy of firewalls and one way communications, etc etc.

      If you want a truly insightful post maybe read this one below. You may learn something.

    25. Re:#1 thing learned from Stuxnet... by icebike · · Score: 1

      That's just ONE vector, not the only one.

      Hot glue the USB ports, or disconnect them from the motherboard.
      Your employees have no business sticking USB drives into process control computers.

      The preponderance of USB-Only keyboard/mouse machines is a problem.

      --
      Sig Battery depleted. Reverting to safe mode.
    26. Re:#1 thing learned from Stuxnet... by gmhowell · · Score: 1

      Gonna need a citation for Sergio Aragones' death. Neither wikipedia nor his official page mention it. Maybe you mean Antonio Prohias, who both created Spy vs. Spy and is dead.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    27. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      Not necessarily true, some systems are insecure enough that the time delay involved in using the human link makes it stronger than other links.

    28. Re:#1 thing learned from Stuxnet... by russotto · · Score: 1

      Some hot glue in the USB holes works wonders on other "secure" systems.

      And if your system relies on USB to talk to the devices it is supposed to be programming, that hot glue isn't so useful.

    29. Re:#1 thing learned from Stuxnet... by innocent_white_lamb · · Score: 1

      Your employees have no business sticking USB drives into process control computers.
      Until the software, firmware, what-have-you needs to be updated or changed. "We now need to change the rotation speed from X to Y in sub-vector Z". Would you like to do that all by keyboarding each one of the 25,000 or so machines?

      --
      If you're a zombie and you know it, bite your friend!
    30. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      Yes, there are places that require remote monitoring to function. However, that is the exception, not the rule. There are a lot of SCADA networks which don't need to be on the Net whatsoever, but some PHB wants to look at some Excel chart of a valve over time, so it ends up online for anyone with nmap to find and play with. These dumb PHBs are lucky so far -- someone hasn't decided to maliciously trash embedded systems... yet.

      There are ways to get data out of a truly sensitive network without giving an attacker a chance to get in. I designed one for a university which used two UNIX boxes (each on their private networks), a serial cable with one TX line cut, and custom utilities to write data from the serial port, and on the other end, read data. Obviously, this wasn't the fastest in bandwidth (the data was fairly low bandwidth), but an attacker who would manage to get root on the receiving box might be able to tamper with data coming across the line, but physically could not make the jump to the other side to affect data there.

      I'm sure there are other ways to ensure that if boxes are compromised on one segment, the intrusion won't spread to the subnet with the juicy embedded toys. Of course, a good, hardened router is one way, but it would be nice to have defense in depth and not bet the farm on one piece of equipment.

      Of course, there are places that need the remote monitoring capability. However, the mantra seems to be in business is "security has no ROI, so why bother?" Unless there is a need for this capability, it needs to be well thought out by people more security savvy than some hired "consultants" who also install car stereo equipment.
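The serial-cable-with-one-TX-line-cut design in the post above has one defining property: the receiving side can never ask for a retransmit, so the sender has to put everything the receiver needs to validate a frame into the frame itself. The block below is an added example (not the poster's utilities) of the framing such "custom utilities" would use: PPP-style byte escaping so a flag byte can never appear inside a frame, a sequence number so lost frames are at least detectable, and a CRC-32 so a corrupted frame is dropped rather than trusted. The delimiter, escape byte, sample readings and the simulated line noise are all constructed for the example.

```python
"""One-way (TX-line-cut) serial link: sender-side framing and a receiver that
validates frames with no back-channel. Added example; frame format is constructed."""
import struct
import zlib

FLAG = 0x7E   # frame delimiter (PPP-style); constructed choice
ESC = 0x7D    # escape prefix; the escaped byte is sent XOR 0x20


def _escape(raw: bytes) -> bytes:
    """Guarantee FLAG/ESC never appear inside a frame body."""
    out = bytearray()
    for c in raw:
        if c in (FLAG, ESC):
            out += bytes([ESC, c ^ 0x20])
        else:
            out.append(c)
    return bytes(out)


def _unescape(raw: bytes):
    """Reverse _escape; a dangling ESC at the end means the frame is damaged."""
    out = bytearray()
    it = iter(raw)
    for c in it:
        if c == ESC:
            try:
                c = next(it) ^ 0x20
            except StopIteration:
                return None
        out.append(c)
    return bytes(out)


def build_frame(seq: int, payload: bytes) -> bytes:
    """FLAG + escape(seq(4 BE) + payload + crc32(4 BE)) + FLAG."""
    body = struct.pack("!I", seq) + payload
    crc = struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)
    return bytes([FLAG]) + _escape(body + crc) + bytes([FLAG])


def receive(stream: bytes, last_seq: int = -1):
    """Parse raw RX bytes. Returns (records, missing, corrupted).

    records   -> [(seq, payload)] for frames whose CRC matched
    missing   -> sequence numbers that never arrived intact (detectable, not recoverable)
    corrupted -> chunks rejected for bad escape, short length or CRC mismatch
    """
    records, missing, corrupted = [], [], 0
    for chunk in stream.split(bytes([FLAG])):
        if not chunk:
            continue                      # back-to-back flags or idle line
        body_crc = _unescape(chunk)
        if body_crc is None or len(body_crc) < 8:
            corrupted += 1
            continue
        body, crc = body_crc[:-4], struct.unpack("!I", body_crc[-4:])[0]
        if zlib.crc32(body) & 0xFFFFFFFF != crc:
            corrupted += 1
            continue
        seq = struct.unpack("!I", body[:4])[0]
        if seq > last_seq + 1:
            missing.extend(range(last_seq + 1, seq))
        last_seq = max(last_seq, seq)
        records.append((seq, body[4:]))
    return records, missing, corrupted


def demo():
    """Constructed sensor readings sent over a clean line, then over a noisy one."""
    readings = [b"valve7=open", b"flow=12.5", b"temp=\x7e\x7d", b"pressure=3.1"]
    frames = [build_frame(i, r) for i, r in enumerate(readings)]
    clean = receive(b"".join(frames))
    # Noise model: frame 1 is lost entirely, one payload byte of frame 2 is flipped.
    damaged = bytearray(frames[2])
    damaged[6] ^= 0x01
    noisy = receive(frames[0] + bytes(damaged) + frames[3])
    return clean, noisy


if __name__ == "__main__":
    for label, (recs, miss, bad) in zip(("clean", "noisy"), demo()):
        print(label, "received:", [s for s, _ in recs], "missing:", miss, "corrupted:", bad)
```

The point of the sequence numbers is operational rather than cryptographic: the receiving box can raise an alarm when readings stop arriving or arrive with gaps, which is the only feedback a one-way link can give. As the poster notes, a compromised receiver can still fake or alter what it logs after the fact, so the integrity guarantee stops at the cable; it does not replace checking the receiver itself.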

    31. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      Hindsight is always 20/20. Calling people stupid for failing to foresee something is rarely true, and even more rarely profitable.

    32. Re:#1 thing learned from Stuxnet... by dkf · · Score: 1

      Calling people stupid for failing to foresee something is rarely true, and even more rarely profitable.

      But selling them shit because they're stupid and can't foresee something, that's very profitable. Just don't tell them they're stupid to their faces; spoils the sale.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    33. Re:#1 thing learned from Stuxnet... by Runaway1956 · · Score: 1

      Plugging a USB device into a machine that you're not supposed to plug it into is not a "mistake", it is vandalism, theft, or worse, industrial espionage. For that reason, USB should just be disabled on company computers, unless the USB is truly essential to its operation. And, I haven't seen a machine yet where USB was essential. Fingerprint scanner, maybe? Get a scanner that plugs into the serial port, FFS!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    34. Re:#1 thing learned from Stuxnet... by Runaway1956 · · Score: 1

      Do you have such devices? I don't have any at my worksite. Everything is serial. Assuming you do communicate between devices via USB - how difficult would it be to use a serial?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    35. Re:#1 thing learned from Stuxnet... by Runaway1956 · · Score: 1

      What else do you have to do all day? What - you're going to miss a day or six of slashdot reading? Get off yer lazy arse and get to work updating those machines!

      BTW - I've been in a lot of production plants in my lifetime. I mean, a lot. You'll be hard pressed to find a list of plants with 25,000 machines doing similar jobs, all requiring the same or similar updates. Perhaps some corporation like General Motors has that many machines spread out across its corporate landscape, including spare replacements in warehouses.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    36. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      That's just ONE vector, not the only one.

      Hot glue the USB ports, or disconnect them from the motherboard.
      Your employees have no business sticking USB drives into process control computers.

      The preponderance of USB-Only keyboard/mouse machines is a problem.

      Or just remove support for USB flash disks from the operating system, while keeping support for your USB keyboard/mouse. It is _trivial_ to do so in Linux, and should not be impossible for governments to do the same with Windows (since they tend to have deals with Microsoft). While you're at it, remove support for external DVD writers, memory card readers and so on.

      On the other hand, if USB flash disks are essential, for example if one wishes to update the software of the production machines, it should be possible to scan them block by block using a hardened independent machine (surrounded by air-gaps of course) before plugging them into the sensitive equipment.

    37. Re:#1 thing learned from Stuxnet... by hawkinspeter · · Score: 1

      The port isn't the problem - it's the OS that auto-plays that's the problem

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    38. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      It is impossible to completely secure a system that you have to transfer data to. Any useful system will require new data from time to time. Whether this comes via network, USB drive or human typing, it is still an attack vector.

    39. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      At USEUCOM J5 all of the usb ports are filled with epoxy (at least they were 10 years ago)

    40. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      The "S" in USB stands for Serial :-)

    41. Re:#1 thing learned from Stuxnet... by RussellSHarris · · Score: 2

      And the "U" in USB stands for "MacBooks can seamlessly interface with alien ships' computers and upload viruses that shut down their entire fleet".

      Okay, not quite.

    42. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      The biggest gap lies between DHS and the DOD. You can't say it isn't a work of genius, and the DOD has the world's best funded cyberwarfare department; they are also very pro-Israel.

    43. Re:#1 thing learned from Stuxnet... by bipedalhominid · · Score: 1

      Wow, lots of trouble and sticky. We just cut the users' fingers off.

      --
      This aint Daytona and you aint Dale Earnhardt. So stop trying to draft on Interstate 40.
    44. Re:#1 thing learned from Stuxnet... by bipedalhominid · · Score: 1

      Thank you, best laugh I've had in a while. Bought the woman an iPhone 'cause of that scene.

      --
      This aint Daytona and you aint Dale Earnhardt. So stop trying to draft on Interstate 40.
    45. Re:#1 thing learned from Stuxnet... by russotto · · Score: 1

      Do you have such devices? I don't have any at my worksite. Everything is serial. Assuming you do communicate between devices via USB - how difficult would it be to use a serial?

      At a previous employer we had some USB programmers for TI MSP430 processors. Sure, they could have been serial, and we had serial ones. But serial is a legacy port nowadays.

    46. Re:#1 thing learned from Stuxnet... by thegarbz · · Score: 1

      I'm sure there are other ways to ensure that if boxes are compromised on one segment, the intrusion won't spread to the subnet with the juicy embedded toys. Of course, a good, hardened router is one way, but it would be nice to have defense in depth and not bet the farm on one piece of equipment.

      The one way firewall and segregated networks is actually quite a good way of doing it. Consider a plant with a control system, a data historian, and a corporate network. The control system should be on its own hardened network behind a firewall that allows communication only one way (out). A data historian whose only job is to collect data can sit on a network immediately above this and collect the data. Then above that via another firewall is a corporate network which is locked away from the network below it via remote solutions like Citrix clients. To the internet naturally another firewall and usually VPN server.

      This form of layering is actually quite effective and employed at most of the Fortune 50 industrial plants. It allows access to information and engineering data while keeping the user separate via 3 firewalls and a remote interface. We use exactly this layout worldwide (large oil company with many large plants) and when Stuxnet hit us it never got past the corporate network.
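The tiered layout in the comment above (control network, historian tier, corporate network, then the internet, with a firewall at every boundary and only one permitted direction through each) is easy to state and easy to get wrong in a rule base. Below is an added example, not the poster's company's configuration, of a small policy checker that encodes that layout and runs it over constructed firewall-style connection records: each zone gets a level, a flow that skips a tier is denied outright, and a flow between adjacent tiers is allowed only if it is on an explicit allow list (the control tier's outbound push to the historian, the corporate tier's remote-desktop style gateway into the historian tier, and the VPN endpoint on the corporate edge). The subnets, ports and log lines are all constructed; the port numbers are placeholders for whatever the real historian, gateway and VPN services listen on.

```python
"""Tiered ICS network policy checker. Added example with constructed zones and
log records; the port numbers are placeholders, not a vendor's real ports."""
import ipaddress

# zone -> (subnet, level). Level grows as you move away from the control network.
ZONES = {
    "control":   (ipaddress.ip_network("10.10.0.0/24"), 0),
    "historian": (ipaddress.ip_network("10.20.0.0/24"), 1),
    "corporate": (ipaddress.ip_network("10.30.0.0/16"), 2),
}
INTERNET_LEVEL = 3   # anything outside the three subnets

# The only cross-boundary flows that may be *initiated*. Everything else is denied.
# Replies ride on the stateful firewall's connection table, so the historian never
# needs an inbound rule toward the control network.
ALLOWED = {
    ("control", "historian", 5450):  "control -> historian data push (outbound only)",
    ("corporate", "historian", 3389): "remote-desktop style gateway into the historian tier",
    ("internet", "corporate", 443):   "VPN concentrator on the corporate edge",
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, (net, _level) in ZONES.items():
        if addr in net:
            return name
    return "internet"


def level_of(zone: str) -> int:
    return ZONES[zone][1] if zone in ZONES else INTERNET_LEVEL


def evaluate(src: str, dst: str, dport: int):
    """Return (verdict, reason) for one connection attempt src -> dst:dport."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow", f"intra-zone traffic within {sz}"
    if abs(level_of(sz) - level_of(dz)) > 1:
        return "deny", f"{sz} -> {dz} skips a tier; no direct path may exist"
    reason = ALLOWED.get((sz, dz, dport))
    if reason:
        return "allow", reason
    if level_of(sz) > level_of(dz):
        return "deny", f"inbound {sz} -> {dz} is only permitted via the gateway service, not port {dport}"
    return "deny", f"outbound {sz} -> {dz}:{dport} is not on the allow list"


def parse_record(line: str) -> dict:
    """Parse a constructed 'src=... dst=... dport=...' firewall record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}


def audit(lines):
    """Evaluate every record; return the list of (line, verdict, reason)."""
    results = []
    for line in lines:
        rec = parse_record(line)
        verdict, reason = evaluate(rec["src"], rec["dst"], rec["dport"])
        results.append((line, verdict, reason))
    return results


# Constructed connection records: a healthy push, then several things that should fail.
SAMPLE_LOG = [
    "src=10.10.0.7 dst=10.20.0.5 dport=5450",      # control -> historian push
    "src=10.20.0.5 dst=10.10.0.7 dport=102",       # historian reaching into control
    "src=10.30.4.2 dst=10.20.0.5 dport=3389",      # corporate user via gateway
    "src=10.30.4.2 dst=10.10.0.7 dport=102",       # corporate straight to a PLC
    "src=10.10.0.7 dst=203.0.113.9 dport=80",      # control host calling out to the internet
    "src=198.51.100.4 dst=10.30.4.2 dport=443",    # remote engineer via VPN
    "src=198.51.100.4 dst=10.30.4.2 dport=445",    # internet host probing SMB
]


def violations(lines=SAMPLE_LOG):
    return [r for r in audit(lines) if r[1] == "deny"]


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5}  {line:45}  {reason}")
```

The "skips a tier" rule is the one that catches the case the poster is describing: when the worm reached their corporate network it had no route that did not pass through two more firewalls and a remote-interface hop, so a control host calling out to the internet, or a corporate workstation talking directly to a PLC, is a policy violation regardless of which port it uses.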

    47. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 0

      Alternately there are about one zillion non-WiFi non-LAN radio communications technologies that could transmit that telemetry.

      Citation please.

      Sorry, couldn't help myself.

      -@|

  3. We learned it was created by the CIA & Israel! by Anonymous Coward · · Score: 0

    Confirmed: Stuxnet Was False Flag Launched by Israel and U.S.

    http://www.infowars.com/confirmed-stuxnet-was-false-flag-launched-by-israel-and-u-s/

    Kurt Nimmo
    Infowars.com
    January 16, 2011

    On Saturday, the Gray Lady of establishment propaganda, the New York Times, passively admitted that the Stuxnet virus responsible for crippling Iran’s nuclear energy program was engineered by Israeli and U.S. intelligence.

    “Officially, neither American nor Israeli officials will even utter the name of the malicious computer program, much less describe any role in designing it,” writes the Times. “But Israeli officials grin widely when asked about its effects.”

  4. if they can do it, they will do it by kubitus · · Score: 1
    that is the lesson learned.

    so:

    1) keep not only production but all but communication system from the Internet

    2) do not allow removable media to the users, apply extreme caution to 'upgrades'

    3) verify by viewing the source code ( or let it be done by 2 or more separate parties )

    -

    you have no source code? forget your IT security!!

  5. Silly by Anonymous Coward · · Score: 0

    US government responded quickly to the worm created by the US government...and then patted themselves on the back.

  6. Re:We learned it was created by the CIA & Isra by Anonymous Coward · · Score: 0

    someone just assaulted a program designed to bathe you, your family, and your entire nation in nuclear fire. Of course you're going to grin.

  7. Just ask the guy across the hall by Anonymous Coward · · Score: 0

    I'm amused to see reports of the DHS analyzing something that might have been constructed by the guy they were sharing a cafeteria with....

  8. Written/Used by the US government, But a surprise? by Anonymous Coward · · Score: 0

    I'm sorry what? All accounts suggest that the US and Israel jointly created and/or utilized Stuxnet to target Iran. There would be no reason for DHS to scramble to analyze it when the government itself created it! Unless of course one government agency is not talking to the other - Completely possible. I think this is misinformation from DHS.

  9. get out of the Administrators group by Anonymous Coward · · Score: 0

    The lesson is: get yourself out of the Administrators group for day to day use, even in Windows 7.

    1. Re:get out of the Administrators group by dbIII · · Score: 1

      That's lesson one from about 1975. We have no excuse at all for this elevated privilege bullshit today.

  10. Security 101 by bragr · · Score: 5, Insightful

    What they should have done:
    1) anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot, or at least given a stern talking to. Autorun should be disabled.
    2) Any machines brought into from the outside (laptops etc) should be placed on a separate, untrusted network
    3) Mission critical machines shouldn't be on a network. If that isn't possible, they should be on a separate network or vlan with only the machines they need to talk to, at the very least they shouldn't be able to access the internet
    4) Always ensure that all security updates are applied promptly and all relevant hardening is performed
    5) At the first sign of such a massive infection across multiple machines and devices, everything should have been taken offline, wiped, flashed, and reinstalled and brought up again on a known clean environment, with security procedures tightened.
    6) If all of your machines are running version X of OS Y, they will all suffer from the same 0 day attacks. Diversity, where appropriate, is useful.

    This may not have prevented an infection, but it would have definitely reduced its impact. I really question the competency of any IT person that had no idea what to do.

    1. Re:Security 101 by Relic+of+the+Future · · Score: 2
      "anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot,"

      And how do you propose that updates be made to the system? Code them whole-cloth from within the secured network? Without testing the changes on a test system?

      --
      Those who fail to understand communication protocols, are doomed to repeat them over port 80.
    2. Re:Security 101 by HungryHobo · · Score: 2

      without autorun.

      hell if you really want to be paranoid set up as suggested above and make the important machines only run EXEs signed with a specific key and be damn careful with what you sign.

    3. Re:Security 101 by couchslug · · Score: 1

      "1) anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot,"

      Iran is lucky enough to have that BOFH option.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    4. Re:Security 101 by cusco · · Score: 1

      A SCADA system **IS** a network, even if transmission is over power lines, POTS lines or microwave links. If you mean it shouldn't be on the organization's standard LAN then you'd be right, and in this case it wasn't. Only the terminally stupid connect SCADA networks to their corporate backbones, and most of those have been weeded out by now.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    5. Re:Security 101 by bragr · · Score: 1

      "anyone bringing in flashdrives from the outside and plugging them into mission critical should be taken out back and shot,"

      Fixed

    6. Re:Security 101 by Platinumrat · · Score: 1
      Well, items 1), 2) & 3) amount to the same thing with SCADA equipment. Btw: how do you do item 4) if you haven't got one of the 1st three? Now having worked with / as well as developed SCADA software, I can tell you that the number of "Security" patches can be, sometimes, overwhelming. So in effect, it's very easy to slip a trojan into a SCADA system.

      As to looking at source code (as an earlier poster suggested): Good luck with that. 99.99% of SCADA systems are proprietary, closed source and encumbered with a massive amount of patents, so it ain't going to happen.

      The other standard defence - not running an account with Admin rights - won't work on most SCADA systems, as they are typically designed to require "Admin" rights just to run.

      Security, is the last thing that the developers of these systems worry about. That will remain until a few more cases like this pop up, and they are forced by legislation to change their ways.

    7. Re:Security 101 by Anonymous Coward · · Score: 0

      And how does that protect against vulnerabilities like the LNK one? Or a more complicated one?
      Fact of the matter is that once you have communication in any way or form between the two, if the attack is specifically targeted (as StuxNet was) it will probably be able to cross through.

    8. Re:Security 101 by williamyf · · Score: 2

      Number 4 is not possible on SCADA machines like Stuxnet targets, or even on machines like an OSS system in a telco.

      You see, these application makers do not regard the machines as an HP-UX box (or Solaris box, or Sinix box or Windows box) running some software, but as, let's say, an NMS-2000, which, by pure random luck, "happens" to be implemented on HP-UX.

      Therefore, you are not allowed to install the latest patches from HP until the application provider (Nokia, in the case of the NMS-2000; Siemens, in the case of Switch Commander and Radio Commander, SCADA, or IN) has tested said patches, otherwise you would not get any software support whatsoever...

      At some times we had delays of between 6 months to 1 year on the security patches. We (and I mean we operators all over the planet) had to push to get the security patches tested and delivered...

      The situation has improved A LOT lately, but still, the application provider will have a gap while testing the OS patches for compatibility with the application...

      How do I know? I was sysadmin to NMS-2000, NMS10, Nokia IN, Siemens IN, OMC-S, OMC-B, Netviewer, and Siemens IN, way back at the turn of the millennium (99-02), and still have enough contacts to know how things are going nowadays.

      --
      *** Good luck to everyone and have a nice day!
    9. Re:Security 101 by Anonymous Coward · · Score: 0

      Clearly you have no idea what Stuxnet is, or how it operated. I'll address your points individually.

      1.) Agreed. Plugging in a USB device to mission-critical equipment that has: (a) ever been outside the facility, (b) ever been connected to an internet-connected device -- is asinine, and the person should be fired.
      2.) Machines should not be brought in from outside. Nobody needs access to their home videos at the nuclear enrichment plant. Nobody needs nuclear enrichment plant information at home. Period.
      3.) Note that the compromised network was airgapped, i.e., no possible internet connection (ever). Mission critical information often must be on *some* network, particularly since SCADA equipment must talk to each other. With respect to the Windows desktops that were connected, they were used for monitoring the SCADA equipment, and must be able to communicate with it to perform monitoring. The Windows desktops, and a 0-day exploit with USB-mounted devices was the issue. Disabling auto-run with policy settings would not have prevented this attack, per Microsoft. The vulnerability was through a specially-crafted shortcut and icon file [1].
      4.) There were multiple 0day exploits, in addition to correctly-signed driver modules. System updates were entirely irrelevant in this scenario.
      5.) There was no sign of a massive infection across multiple machines and devices. Stuxnet had highly advanced rootkit behavior, and was not detected by commercial antivirus. Nobody noticed it until a security researcher happened to pick up a sample, and it made the news.
      6.) Diversity is useful... sometimes. It also leads to more facets that one must secure. More configurations to be verified, etc. Homogeneity is extremely useful when you want to lock things down as much as humanly possible. Should Iran have been running some form of Linux with SELinux extensions configured and enabled? Yes. Does Siemens make SCADA control software for such a Linux environment? No.

      1: http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
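
The LNK vulnerability the comment above refers to (MS10-046) is triggered when the shell renders the icon of a shortcut whose target list hands the Control Panel code a loadable file, so autorun policy never comes into play. As an added example, not code from the original page or from any vendor, here is a Python triage script that parses a .LNK file's LinkTargetIDList and flags a Control Panel folder item followed by an item that embeds a file path. The sample files, the payload path, and the shell-item type bytes are constructed for the demonstration; the "Control Panel CLSID followed by a path" rule is a heuristic of mine, not Microsoft's detection logic.

```python
import re
import struct
import uuid

# Constants from the Shell Link ([MS-SHLLINK]) binary format.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001          # LinkFlags bit 0
# Well-known shell folder CLSIDs (My Computer, Control Panel).
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")

# A drive-letter or UNC path inside a UTF-16 decoded shell item.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\x00]+")


def parse_idlist(data: bytes) -> list[bytes]:
    """Return the raw ItemID payloads of a .LNK LinkTargetIDList ([] if absent)."""
    if len(data) < 0x4C:
        raise ValueError("shorter than a ShellLinkHeader")
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != 0x4C or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    idlist_size = struct.unpack_from("<H", data, 0x4C)[0]
    pos, end = 0x4E, 0x4E + idlist_size
    items = []
    while pos + 2 <= min(end, len(data)):
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:                      # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def find_cpl_paths(data: bytes) -> list[str]:
    """Heuristic triage: a Control Panel folder item followed by an item that
    embeds a file path.  Genuine Control Panel shortcuts address applets by
    CLSID; an explicit path is what a crafted shortcut uses to get a module
    loaded while the icon is rendered."""
    after_control_panel = False
    hits = []
    for item in parse_idlist(data):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            after_control_panel = True
            continue
        if after_control_panel:
            # Try both byte alignments so an odd-length prefix does not hide the string.
            for offset in (0, 1):
                text = item[offset:].decode("utf-16-le", errors="ignore")
                hits.extend(PATH_RE.findall(text))
    return hits


def build_lnk(items: list[bytes]) -> bytes:
    """Assemble a minimal .LNK carrying only a LinkTargetIDList (constructed test data)."""
    header = (struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST) + bytes(52))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed sample shell items; the leading type bytes are illustrative, not authoritative.
ROOT_ITEM = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le
CONTROL_PANEL_ITEM = b"\x2e\x00" + CONTROL_PANEL_CLSID.bytes_le
PAYLOAD_PATH = r"\\.\STORAGE#Volume#_example_#\~WTR4141.tmp"        # hypothetical path
PAYLOAD_ITEM = bytes(4) + PAYLOAD_PATH.encode("utf-16-le") + b"\x00\x00"
APPLET_ITEM = b"\x71\x00" + uuid.UUID("e2e7934b-dce5-43c4-9576-7fe4f75e7480").bytes_le

MALICIOUS_LNK = build_lnk([ROOT_ITEM, CONTROL_PANEL_ITEM, PAYLOAD_ITEM])
BENIGN_CPL_LNK = build_lnk([ROOT_ITEM, CONTROL_PANEL_ITEM, APPLET_ITEM])   # applet by CLSID
BENIGN_FILE_LNK = build_lnk([ROOT_ITEM, PAYLOAD_ITEM])                     # ordinary shortcut

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_LNK), ("benign cpl", BENIGN_CPL_LNK),
                       ("benign file", BENIGN_FILE_LNK)):
        print(name, "->", find_cpl_paths(blob))
```

Run it over the `*.lnk` files found on a USB stick before the stick is plugged into anything that matters; the point is that the check happens in a parser, not in Explorer, so no icon is ever rendered. Any hit deserves a look at the file the path names, since the extension is irrelevant to the loader.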

    10. Re:Security 101 by bragr · · Score: 1

      Clearly you do not know Stuxnet nearly as well as you think you do. I'll address your mistakes individually.

      1) No contention

      2) No contention

      3) The Iranian network was airgapped as far as we know, however that is not the only vector that Stuxnet uses. Stuxnet can spread quite rapidly through Windows networks, thus leading to more machines that could potentially infect flash drives that would later be used in critical machines. It also makes the task of cleaning a facility much more difficult because any missed machine could potentially reinfect the entire facility. Additionally, Stuxnet contains code to contact control servers in order to report information and update the software, allowing updated and more virulent versions to propagate quickly, further worsening the problem.

      4) While being up to date would not have prevented the initial spread of the worm, after the exploits were identified patches were released fixing those issues. Patches for Windows have been around for 9 months. If everyone affected had applied those patches as quickly as reasonable, the infection rate would have significantly decreased.

      5) I never claimed that everyone noticed all at once, I'm just saying what should have happened at the first sign (which in this case is the security researcher making a big deal about it)

      6) I never claimed that it was a good idea to have a veritable buffet of OS's and versions, it's a huge pain in the ass. But let's say that they deployed Windows and RHEL on servers and workstations, where appropriate. The Linux boxes could have acted as a moderator for the spread of the worm. And, despite the large amount of work that comes with deploying a new OS, the long term added work of managing 2 OS, when both are standardized

      As I said before, none of these steps (except perhaps the flash drives) would have stopped the worm, I am merely suggesting that the statement "many companies that owned Siemens equipment were left wondering what, if any measures, they should take to protect themselves from the new worm" is quite stupid since good IT practices would have greatly reduced and restricted the impact and spread of the worm, and it's clear that among those most affected, some or all of them were not followed.

    11. Re:Security 101 by laddiebuck · · Score: 1

      It's never one IT person, especially for such a massive outbreak or such an important site. Any actual boots-on-the-ground guy could have done what you said, but getting a whole org to do things is just a hair short of infinitely harder.

    12. Re:Security 101 by Anonymous Coward · · Score: 0

      Nope, it is just flashdrives from other computers in the same building but on less secure networks.

    13. Re:Security 101 by Ken+Erfourth · · Score: 1

      I propose using USB!!

      However, I propose having USB access on removable PCI cards, or some similar removable interface. Keep the cards locked up unless you are doing an update.

      Sure, a very stupid user could go buy a USB card to play his collection of Lady Gaga hits in the reactor control mainframe, but he's probably more likely to buy a USB player instead of going to the trouble of installing a card and rebooting the system.

      A process engineer I used to work for had a Golden Rule: Design the work space so that doing things right is the easiest way to do it.

      --
      Fundamentalism is a crime against humanity
  11. Watch this awesome ted talk "Cracking Stuxnet" by Portal1 · · Score: 2

    Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon
    http://www.ted.com/ When first discovered in 2010, the Stuxnet computer

    http://www.youtube.com/watch?v=CS01Hmjv1pQ

    In short he shows/claims US was behind it.

    --
    There are no stupid questions, Just a lot of inquisitive idiots. (from a good friend)
    1. Re:Watch this awesome ted talk "Cracking Stuxnet" by Anonymous Coward · · Score: 0

      Ummm, we already knew that the US and Israel were behind it, what's your point?

    2. Re:Watch this awesome ted talk "Cracking Stuxnet" by Anonymous Coward · · Score: 0

      I have never seen/read a more terrifying take on Stuxnet than what I just saw.

      The thing that bothers me most regarding Stuxnet is how generic and easily modifiable it apparently is, and after he points this out, he then goes on to vocalize my fear - that it could easily come back to bite us. He speaks of power plants and automobile plants, but SCADA/PLCs are everywhere. Having worked for a small water treatment company that had clients in everything from energy production to drug manufacturing (our largest client-base), I can't even begin to describe the amount of havoc something like this has the potential to cause.

      True enough, many of these PLCs are on systems that are not accessible from the big bad internet, or even on the local network. Most of our systems were maintained by us and when, I don't know, de-ionizers needed to be recharged it would simply dial out via modem and we would get a pre-recorded message letting us know that "Site X building X water resistivity is down to 10 Megohms" (thus the de-ionizers need to be re-charged). This system is safe right? Wrong.

      The problem exists all along the chain. Let's say a new version popped up 6months ago, the machine used to program the PLC was infected, no one has seen it yet - no warnings yet - and even if there were, the guy programming the thing for some small third-party contractor has no idea, he doesn't do IT. In fact, there is no IT department for his company. The completely non-networked systems that he built last year would be fine, but what about the one he installed last month? Or, if it goes undetected long enough, what about the one he's going to install in another 6 months?

      What if, all of a sudden, the clock strikes 10am on a Monday in March five years from now and every Allen-Bradley PLC installed in the past 5 years suddenly goes rogue? OK, fine, let's say half of the Allen-Bradley PLCs installed. OK, fine, say one-quarter.

      No matter how you look at this thing, it's bad. Really bad. And we (the US) wrote it. And we (the US) put it out in the wild.

    3. Re:Watch this awesome ted talk "Cracking Stuxnet" by Runaway1956 · · Score: 1

      Shhhh - don't say "Allen-Bradley" and "rogue" in the same sentence like that. We have thousands of A-B's and only a few dozen Siemens PLC's. Give me Stuxnet, please!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    4. Re:Watch this awesome ted talk "Cracking Stuxnet" by Portal1 · · Score: 1

      Just watch the talk as the commenter after you did.

      --
      There are no stupid questions, Just a lot of inquisitive idiots. (from a good friend)
  12. Re:We learned it was created by the CIA & Isra by cusco · · Score: 1

    Don't know much about the Iranian nuclear power program, do you? Even though I grew up in northern Michigan it still amazes me how gleefully people suck down even the most blatant of propaganda and believe it like they had personally been handed engraved tablets by god.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  13. What they learned... by Anonymous Coward · · Score: 0

    One department rubbing a lamp doesn't mean another can control what comes out.

  14. Re:Written/Used by the US government, But a surpri by badboy_tw2002 · · Score: 1

    If you want to keep your involvement a secret you need to react normally. Best way to do that is not tell the guys who react to this stuff (until they get too close, then you tell their boss's boss's boss's boss to put a cork in it.)

  15. What we learned from Stuxnet?! by Laguerre · · Score: 1
  16. Inter-department communications by Anonymous Coward · · Score: 0

    Maybe the branch that created the malware and sent it to Iran should fill the DHS in on a few things...

  17. That it was effective? by LWATCDR · · Score: 1

    I thought the US wrote this? I still think it was Canada.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  18. Re:We learned it was created by the CIA & Isra by acedotcom · · Score: 1

    wait...we needed a conspiracy nut to inform us that Stuxnet was written by the CIA??? I can't be the only one that figured it out a year ago. But really why is it a surprise. this is basic espionage.

    --
    they say it is often more relevant then the comment above, all we know is its called the Sig!
  19. farther reaching problems by Anonymous Coward · · Score: 0

    Not to get conspiratorial, but I read a few places that the Fukushima Daiichi plant was infected by stuxnet which is part of the reason why they had such difficulty getting it back together.

    1. Re:farther reaching problems by Anonymous Coward · · Score: 0

      Please, let us know how this virus operated without any hardware or source of electricity. Or alternately, get your head out of your ass.

    2. Re:farther reaching problems by El+Torico · · Score: 1

      Actually, you are being conspiratorial. You didn't cite any references; which places did you read this and what evidence do they have? You then made an allegation concerning a high profile disaster. So, you're being alarmist also.

      --
      In the land of the blind, the one-eyed man is usually crucified.
  20. Steps to responding quickly by bl8n8r · · Score: 1

    1) Warn Boss of vulnerabilities
    2) Boss asks for time/cost estimate to fix
    2a) Boss brings estimate to talking-head meeting
    2b) people protest about their job process changing
    3) estimate sits on Boss's desk for 3 months
    4) Boss golfs with his sis's brother-in-law and they talk security
    5) Boss comes to work next day, calls meeting about security
    6) You remind him of estimate on desk for 3 months
    7) meeting devolves into yucks about golfing/hangover
    8) Boss calls you into office after meeting
    9) Asks you to pick two of the "hottest" security bullets in your list
    10) time/cost gets approved for two of the 10 security items
    11) system eventually gets compromised
    12) everyone runs amok, asks how is this possible
    13) Boss approves 8 remaining security bullets
    14) Goto 1

    Glad I don't do security anymore.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:Steps to responding quickly by bragr · · Score: 1

      Clearly you need to brush up on some BOFH-style Boss/Employee diplomacy.

    2. Re:Steps to responding quickly by ginbot462 · · Score: 1

      So that's where the 8's in your name come from.

      --
      Atlas Shrugged : Thematic Story :: Battlefield Earth : Organized Religion
  21. Re:We learned it was created by the CIA & Isra by Anonymous Coward · · Score: 0

    One of us is in the intelligence community. Is it you?

  22. Another thing Learned... by StickyWidget · · Score: 1
    ...is that guys at Langner Communications have seriously the best control system security chops out there.

    ~Sticky
    /My opinions are my own.

  23. What I learned from stuxnet by Anonymous Coward · · Score: 0

    Don't try and make weapons-grade fissile material without the blessing of the USA?

  24. Not what I thought... by scorp1us · · Score: 1

    I thought they would have learned that with enough private sector forensics, everything gets traced back to them? Didn't DHS in Conjunction with Siemens and Israel write this?

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
    1. Re:Not what I thought... by Relayman · · Score: 1

      Sorry, wrong federal agency. I doubt DHS had anything to do with it except to shit themselves when they found out how vulnerable U.S. infrastructure is.

      --
      If I used a sig over again, would anyone notice?
    2. Re:Not what I thought... by Anonymous Coward · · Score: 0

      Probably USCYBERCOM.

      Still a serious WTF that the Army and civilian law enforcement didn't communicate about this.

      Or Napolitano's trying to play both sides.

  25. Re:We learned it was created by the CIA & Isra by Anonymous Coward · · Score: 0

    Don't know much about the Iranian nuclear power program, do you? Even though I grew up in northern Michigan it still amazes me how gleefully people suck down even the most blatant of propaganda and believe it like they had personally been handed engraved tablets by god.

    And you fell off the turnip truck just yesterday, too, from the looks of it.

    Because I'm sure all the senior leadership of that Iranian nuclear program has gone out of their way to keep the oh-so-important smashed Michigan turnip up-to-date on the goals of their program. (That's YOU in case you don't get it - figured I'd have to spell that out since you don't seem to be the sharpest tool in the shed...)

    Let's see:

    1. Leader of nearby nation claims he wants to wipe you off the map - literally. And he has about a thousand years of religious history behind him backing up that EXACT wording
    2. Said leader's country maintains a proxy army right next door in a failed state. The publicly-stated goal of proxy army is to "wipe your country off the map".
    2. Said leader's country begins a secret nuclear program.

    Nah, there's no reason why someone who's the target of being "wiped off the map" wouldn't be happy about that no-longer-secret nuclear program suffering a major setback. Not at all. :-P

    Unless maybe you haven't even fallen off the turnip truck yet. Then maybe you'd think the Iranian nuclear program could never have any non-peaceful purposes.

    And you probably think you're getting a pony for Christmas, too.

  26. Re:We learned it was created by the CIA & Isra by iamwahoo2 · · Score: 1

    What's the latest threat from imagination land?

  27. quick solution for affected controller users by nimbius · · Score: 1

    step 1: Log into your SCADA environment and observe controllers accordingly

    step 2: issue commands to check if you are an active ally of the United States government with regular trade and economic ties and no dissenting opinion of its policy?

    step 3: log out of your SCADA environment, sigh despondently as you lift your hands from the Dell keyboard, pick something off the value menu at McDonalds for lunch today.

    --
    Good people go to bed earlier.
  28. "...left wondering..." by swb · · Score: 1

    "...but for some time, many companies that owned Siemens equipment were left wondering what, if any measures, they should take to protect themselves from the new worm."

    The implication of this statement is that DHS didn't have an immediate answer (outside of pedantic default answers like "unplug your equipment" or "reload software" or anything else from answers.com).

    Gee, let's see -- a new worm never seen before, apparently written by a sophisticated group from the intelligence community and someone's actually surprised that there was no immediate 5 step fix or concrete and specific guidance?

    I *know* the Intraweb age has increased everyone's sense of entitlement and expectation of an easy fix on the first Google search page, but instead of trying to blame someone else for not being able to tell you what to do, completely, comprehensively and correctly, NOW, maybe these companies could have taken CEO bonus dollars and done their own research.

  29. Wait a Moment by Nom+du+Keyboard · · Score: 1

    According to Iran, who is never wrong about these things as they will tell you themselves, We wrote this virus in collusion with the Zionist enemy. So why are we having to now go to all of this trouble to decode it?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Wait a Moment by Anonymous Coward · · Score: 0

      It's not Iran that's primarily making this claim. The claim comes from some of the people who have studied Stuxnet the most. Scroll down for some links.

    2. Re:Wait a Moment by Anonymous Coward · · Score: 0

      Plausible Deniability. And no I don't have any sympathies for Iran.

    3. Re:Wait a Moment by Anonymous Coward · · Score: 0

      If you learned anything from 9/11 it should be that your TLA agencies have trouble communicating with each other. One writes and deploys it, another investigates because it didn't know who wrote it.

  30. What We Learned From Stuxnet by Kernel+Kurtz · · Score: 1

    is that like with the events leading up to 9/11, various government entities still don't share information with other ones.

    Until they fix that (isn't that what DHS was supposed to be for?) Iran is the least of their problems.

    1. Re:What We Learned From Stuxnet by Anonymous Coward · · Score: 0

      They DO share information, but it is via USB memory sticks...

  31. Analyze? by Anonymous Coward · · Score: 0

    Analyze? Some say they scrambled for creating it.

  32. It's a trap! by zippthorne · · Score: 1

    Boy is egg on their face over that one.

    --
    Can you be Even More Awesome?!
  33. Re:Written/Used by the US government, But a surpri by cavreader · · Score: 2

    Where are the verifiable facts that support blaming the US or Israel? All I have heard are theories and suppositions but no supporting facts.

  34. gmhowell, did you escape the loony bin again? by Anonymous Coward · · Score: 0

    I live near this person gmhowell, and I think it's only fair that I warn you that he is a known psychotically dangerous schizophrenic. He recently escaped from a mental institution and was put there because he injured himself by masturbating non-stop for 3 days straight. He needs to take his meds, so please, would you all remind him of that? Thank you.

  35. What We Know by Anonymous Coward · · Score: 0

    The U.S.A. Government IS untrustworthy. Period!

    DHS, how appalling. Such a wretched motley crew of misfits and anthro

    FBI ... what a laugh. 30 years ago, under a "FORCED" technology upgrade program.

    The Executive Office of the President of the United States of America. What a laughing stock! If Obama were a hermaphrodite, that would explain all of the disinformation.

    Without Gitmo, Obama does not have a reason, nor rationale, to exist.

    That is Obama's horror? Kill Gitmo, and Kill ....

    You read it here first ... FBI!

    Kill me? ....

  36. that doesn't make any sense by kaplong! · · Score: 1

    Last I checked DHS are part of the US government. So all they needed to find out about stuxnet was to talk to their Federales buddies who helped create it.

  37. Re:It's Microsoft, Watson. by The+End+Of+Days · · Score: 1

    get over to that windows 8 story and save it from being almost a puff piece.

  38. INL sure was fast by nonsequitor · · Score: 1

    The way I hear it, Idaho National Labs was able to quickly decode the worm since it was likely a weaponized exploit from a report they wrote. I'm betting when DHS got them involved, it was not their first time seeing this equipment as they audit our infrastructure all the time.

    1. Re:INL sure was fast by nonsequitor · · Score: 1

      Not that they would have known they were involved, since it would have been redacted from their report if DoE decided to pocket the exploit.

  39. Re:We learned it was created by the CIA & Isra by cusco · · Score: 1

    You do realize that "wipe off the map" is an English idiom, and that there is no equivalent in Farsi, don't you? That phrase was inserted by the Memri news service, a company founded by former intelligence officials (it's right on their web site) which "directly supports fighting the U.S. War on Terror," and which counts on its board and staff such lunatics as John Bolton, John Ashcroft, and Elliott Abrams.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  40. Re:We learned it was created by the CIA & Isra by Runaway1956 · · Score: 1

    You didn't get your tablet? You must be a bad, bad, bad boy, or God would have given you one. Have you been worshipping false idols or something? All of MY friends have their tablets. And, I wouldn't leave the house without mine!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  41. Re:We learned it was created by the CIA & Isra by Runaway1956 · · Score: 1

    The reading that I've done on that subject included words to the effect, "Drive the Jews into the sea". I believe that GP may have inserted his own words with that "wipe off the map", or some author interpreted that before he read it.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  42. Re:We learned it was created by the CIA & Isra by El+Torico · · Score: 2

    The more accurate translation is -
    "The Imam said this regime occupying Jerusalem must vanish from the page of time."

    The closest analogy I can think of is the "dustbin of history". In either case, it means that someone or something isn't a concern any more. Either it no longer exists or is no longer relevant. I agree that the statement isn't as militant as "wipe off the map", but it's still threatening.

    --
    In the land of the blind, the one-eyed man is usually crucified.
  43. How to do telemetry analysis? by mangu · · Score: 1

    I've been working with SCADA and real-time control systems for 30+ years and I see one security hole cannot be plugged by any of the steps you mention.

    Ultimately, data must be *analyzed*. Your telemetry files will have to be brought in some manner to an engineer's desktop for that. A system that has no way to transfer data to less secure networks is useless.

    For me, the most secure control system would be a Linux system. In Linux, differently from closed-source OSes, you can configure exactly what's running. You can strip down the system to allow only the needed functions.

    With Linux you can make the data transfer as unidirectional as possible, allowing downloads for analysis but uploads only in a very controlled manner for carefully vetted upgrades.

  44. LOLZ by Anonymous Coward · · Score: 0

    He said this:

    We are very l33t now - we have learned how to pwn nuclear reactors LOLZ

  45. DHS is the Department of Homeland Security by eyegone · · Score: 1

    The same folks who bring us the TSA.

    Based on that alone, I can confidently say that they didn't learn anything from Stuxnet.

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."