Slashdot Mirror


DHS Chief: What We Learned From Stuxnet

angry tapir writes "If there's a lesson to be learned from last year's Stuxnet worm, it's that the private sector needs to be able to respond quickly to cyber-emergencies (CT: Warning, site contains obnoxious interstitial ads. Blocker advised), according to the head of the US Department of Homeland Security. When Stuxnet hit, the US Department of Homeland Security was sent scrambling to analyze the threat. Systems had to be flown in from Germany to the federal government's Idaho National Laboratory. In short order the worm was decoded, but for some time, many companies that owned Siemens equipment were left wondering what measures, if any, they should take to protect themselves from the new worm."

16 of 125 comments

  1. Re:#1 thing learned from Stuxnet... by rlp · · Score: 4, Informative

    Air-gap your production SCADA/embedded stuff

    Stuxnet was designed to use USB-flash drives as a transmission vector.

    --
    [Insert pithy quote here]
  2. Re:#1 thing learned from Stuxnet... by Anonymous Coward · · Score: 4, Insightful

    In other words: the real air gap you need to worry about is the one between your employees' ears.

  3. Security 101 by bragr · · Score: 5, Insightful

    What they should have done:
    1) Anyone bringing in flash drives and plugging them into mission-critical machines should be taken out back and shot, or at least given a stern talking-to. Autorun should be disabled.
    2) Any machines brought in from the outside (laptops etc.) should be placed on a separate, untrusted network.
    3) Mission critical machines shouldn't be on a network. If that isn't possible, they should be on a separate network or vlan with only the machines they need to talk to, at the very least they shouldn't be able to access the internet
    4) Always ensure that all security updates are applied promptly and all relevant hardening is performed
    5) At the first sign of such a massive infection across multiple machines and devices, everything should have been taken offline, wiped, flashed, reinstalled and brought up again in a known-clean environment, with security procedures tightened.
    6) If all of your machines are running version X of OS Y, they will all suffer from the same 0 day attacks. Diversity, where appropriate, is useful.

    This may not have prevented an infection, but it would have definitely reduced its impact. I really question the competency of any IT person that had no idea what to do.

    1. Re:Security 101 by Relic+of+the+Future · · Score: 2
      "anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot,"

      And how do you propose that updates be made to the system? Code them whole-cloth from within the secured network? Without testing the changes on a test system?

      --
      Those who fail to understand communication protocols, are doomed to repeat them over port 80.
    2. Re:Security 101 by HungryHobo · · Score: 2

      without autorun.

      Hell, if you really want to be paranoid, set up as suggested above and make the important machines only run EXEs signed with a specific key, and be damn careful with what you sign.
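      The two measures above (Autorun off, removable storage blocked, and only vendor-signed EXEs allowed to run) as an added Windows hardening example; this is not code from the thread. It assumes an elevated PowerShell session on a Windows SKU that ships AppLocker (Windows 7 Enterprise/Ultimate, Server 2008 R2 or later), and C:\Vendor\App\vendor.exe is a placeholder for an Authenticode-signed vendor binary.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session on a Windows
# SKU with AppLocker; C:\Vendor\App\vendor.exe is a placeholder for a signed vendor binary.

# --- Point 1: Autorun off for every drive type (0xFF sets all NoDriveTypeAutoRun bits).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# Disabling Autorun alone does not cover every way a removable drive can be abused, so also
# stop the USB mass-storage driver from loading at all (Start=4 is SERVICE_DISABLED).
# Keyboards and mice use other drivers and keep working.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4 -Type DWord

# --- Signed-EXE allow-list: an AppLocker publisher rule keyed on the vendor's certificate.
$vendorBinary = 'C:\Vendor\App\vendor.exe'   # placeholder path
$fileInfo = Get-AppLockerFileInformation -Path $vendorBinary
if (-not $fileInfo.Publisher) {
    throw "$vendorBinary carries no Authenticode signature; a publisher rule cannot be derived from it"
}

# A publisher rule (signer certificate) rather than a hash rule means vendor updates signed
# with the same key keep running without a policy change; anything else is denied.
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher -User Everyone -Xml
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$exeCollection.EnforcementMode = 'AuditOnly'   # audit first; switch to 'Enabled' after reviewing the log
$policyPath = "$env:TEMP\applocker-vendor.xml"
$policy.Save($policyPath)

# Dry-run the policy against a binary that is not vendor-signed before applying it.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Windows\System32\notepad.exe' -User Everyone

# Merge into the local policy. AppLocker enforces nothing unless the Application Identity
# service is running, so make it start automatically.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
```

      In audit mode the denials show up in the AppLocker event log instead of blocking, which is where to check that the vendor's own helper processes are all covered before flipping the collection to Enabled.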

    3. Re:Security 101 by williamyf · · Score: 2

      Number 4 is not possible on SCADA machines like Stuxnet targets, or even on machines like an OSS system in a telco.

      You see, these application makers do not regard the machines as an HP-UX box (or Solaris box, or Sinix box or Windows box) running some software, but as, let's say, an NMS-2000, which, by pure random luck, "happens" to be implemented on HP-UX.

      Therefore, you are not allowed to install the latest patches from HP until the application provider (Nokia, in the case of the NMS-2000; Siemens, in the case of Switch Commander and Radio Commander, SCADA, or IN) has tested said patches; otherwise, you would not get any software support whatsoever...

      At times we had delays of between 6 months and 1 year on the security patches. We (and I mean we operators all over the planet) had to push to get the security patches tested and delivered...

      The situation has improved A LOT lately, but still, the application provider will have a gap while testing the OS patches for compatibility with the application...

      How do I know? I was sysadmin for NMS-2000, NMS10, Nokia IN, Siemens IN, OMC-S, OMC-B, Netviwer, and Siemens IN, way back at the turn of the millennium (99-02), and still have enough contacts to know how things are going nowadays.

      --
      *** Good luck to everyone and have a nice day!
  4. Watch this awesome TED talk "Cracking Stuxnet" by Portal1 · · Score: 2

    Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon
    http://www.ted.com/ When first discovered in 2010, the Stuxnet computer

    http://www.youtube.com/watch?v=CS01Hmjv1pQ

    In short he shows/claims US was behind it.

    --
    There are no stupid questions, Just a lot of inquisitive idiots. (from a good friend)
  5. Re:#1 thing learned from Stuxnet... by vlm · · Score: 2

    Some hot glue in the USB holes works wonders on other "secure" systems.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  6. Re:#1 thing learned from Stuxnet... by vlm · · Score: 2

    So how do you propose to transmit data from a power dam sensor across half a mile of water?

    Assuming "it" is not free floating, run a wire to it. Or, even better, a fiber. Alternately there are about one zillion non-WiFi non-LAN radio communications technologies that could transmit that telemetry.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  7. Re:#1 thing learned from Stuxnet... by ColdWetDog · · Score: 3, Funny

    Some hot glue in the USB holes works wonders on other "secure" systems.

    Probably would work fairly well for the 'between-the-ears' airgap as well. Worth a try anyway.

    --
    Faster! Faster! Faster would be better!
  8. Re:#1 thing learned from Stuxnet... by ColdWetDog · · Score: 2

    Many Bothans died to bring us this information.

    --
    Faster! Faster! Faster would be better!
  9. Re:#1 thing learned from Stuxnet... by Garth+Smith · · Score: 2

    In other words: the real air gap you need to worry about is the one between your employees' ears.

    Fact: It is impossible to guarantee zero errors from employees. People make mistakes.

  10. Re:#1 thing learned from Stuxnet... by thegarbz · · Score: 3, Insightful

    #1 thing I've learnt from Stuxnet: People who have no experience with SCADA equipment say "OMGZ TEH HAXORS, Airgap! Airgap! Airgap!", and somehow get modded insightful.

    There is nothing insightful at all about taking the silly approach of simply cutting cables due to the fact that there may be someone out there with nefarious motives. It's right up there with OH&S departments saying people should wear gloves at all times in case of papercuts.

    Any sizable SCADA system RELIES on network access. We're not talking about one small unit running one compressor, but the type of systems that run entire plants. They must be able to communicate with each other, they must be able to communicate with asset management systems, they must be able to communicate with process historians (all these on a different network, of course), these machines must be able to communicate with engineering departments at worst, and at best be accessible by knowledgeable experts in the industry from the other side of the world.

    There are plenty of plants around the world which would turn into oversized holes in the ground if it weren't for the fact that realtime knowledge was accessible remotely. There are many companies which would have been sued out of existence if they put their hands on their hearts in front of congress and said, "Sorry we don't have any data on what has happened, our IT guys said we couldn't network our SCADA systems to the offsite historian, and it has all burnt in a fire".

    Security is NOT an air gap. Security is a complete process, a company culture and something that needs to be designed into every aspect of network design. Limiting access, both physical and remote, using a complex hierarchy of firewalls and one-way communications, etc. etc.

    If you want a truly insightful post, maybe read this one below. You may learn something.

  11. Re:Written/Used by the US government, But a surpri by cavreader · · Score: 2

    Where are the verifiable facts that support blaming the US or Israel? All I have heard are theories and suppositions but no supporting facts.

  12. Re:We learned it was created by the CIA & Isra by El+Torico · · Score: 2

    The more accurate translation is -
    "The Imam said this regime occupying Jerusalem must vanish from the page of time."

    The closest analogy I can think of is the "dustbin of history". In either case, it means that someone or something isn't a concern any more. Either it no longer exists or is no longer relevant. I agree that the statement isn't as militant as "wiped off the map", but it's still threatening.

    --
    In the land of the blind, the one-eyed man is usually crucified.
  13. Re:#1 thing learned from Stuxnet... by RussellSHarris · · Score: 2

    And the "U" in USB stands for "MacBooks can seamlessly interface with alien ships' computers and upload viruses that shut down their entire fleet".

    Okay, not quite.