Slashdot Mirror

← Back to Stories (view on slashdot.org)

DHS Chief: What We Learned From Stuxnet

Posted by CmdrTaco on from the can't-wait-for-finals-week dept.

angry tapir writes "If there's a lesson to be learned from last year's Stuxnet worm, it's that the private sector needs to be able to respond quickly to cyber-emergencies (CT: Warning, site contains obnoxious interstitial ads. Blocker advised), according to the head of the US Department of Homeland Security. When Stuxnet hit, the US Department of Homeland security was sent scrambling to analyze the threat. Systems had to be flown in from Germany to the federal government's Idaho National Laboratory. In short order the worm was decoded, but for some time, many companies that owned Siemens equipment were left wondering what, if any measures, they should take to protect themselves from the new worm."

4 of 125 comments (clear)

  1. #1 thing learned from Stuxnet... by mlts · · Score: 1, Insightful

    #1 thing learned from Stuxnet:

    Air-gap your production SCADA/embedded stuff.

    1. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 4, Insightful

      In other words: the real air gap you need to worry about is the one between your employees' ears.

    2. Re:#1 thing learned from Stuxnet... by thegarbz · · Score: 3, Insightful

      #1 thing I've learnt from Stuxnet: People who have no experience with SCADA equipment say "OMGZ TEH HAXORS, Airgap! Airgap! Airgap!", and somehow get modded insightful.

      There is nothing insightful at all about taking the silly approach to simply cutting cables due to the fact that there maybe someone out there with nefarious motives. It's right up there with OH&S departments saying people should wear gloves at all times in case of papercuts.

      Any sizable SCADA system RELY on network access. We're not talking about one small unit running one compressor, but the type of systems that run entire plants. They must be able to communicate with each other, they must be able to communicate with asset management systems, they must be able to communicate with process historians, (all these on a different network of course), these machines must be able to communicate with engineering departments at worst, and at best be accessible by knowledgeable experts in the industry from the other side of the world.

      There are plenty of plants around the world which would turn into oversized holes in the ground if it weren't for the fact that realtime knowledge was accessible remotely. There are many companies which would have been sued out of existence if they put their hands on their hearts in front of congress and said, "Sorry we don't have any data on what has happened, our IT guys said we couldn't network our SCADA systems to the offsite historian, and it has all burnt in a fire".

      Security is NOT and airgap. Security is a complete process, a company culture and something that needs to be designed into every aspect of network design. Limiting access both physical and remote, using a complex heirarchy of firewalls and one way communications, etc etc.

      If you want a truly insightful post maybe read this one below You may learn something.

  2. Security 101 by bragr · · Score: 5, Insightful

    What they should have done:
    1) anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot, or at least given a stern talking to. Autorun should be disabled
    2) Any machines brought into from the outside (laptops etc) should be placed on a separate, untrusted network
    3) Mission critical machines shouldn't be on a network. If that isn't possible, they should be on a separate network or vlan with only the machines they need to talk to, at the very least they shouldn't be able to access the internet
    4) Always ensure that all security updates are applied promptly and all relevant hardening is performed
    5) At the first sign of such a massive infection across multiple machines and devices, everything should have been taken offline, wiped, flashed, and reinstalled and brought up again on a know clean environment, with security procedures tightened.
    6) If all of your machines are running version X of OS Y, they will all suffer from the same 0 day attacks. Diversity, where appropriate, is useful.

    This may not have prevented a infection, but it would have definitely reduced its impact. I really question the competency of any IT person that had no idea what to do.