Monday, October 25, 2010

Beating Stuxnet to Death (Before it Beats Us)

If it feels like I'm belaboring the importance of understanding Stuxnet, it's because, IHMO, it's a threat well worth belaboring. Stuxnet is Mother of all industrial and utility sector cyber wake-up calls. And if you're an asset owner asleep at the wheel, it could be your momma, and your daddy too (see: who's your daddy?)

As I mentioned in a previous Stuxnet rant, good security tools and best "defense in depth" practices are a less-than-complete defense:
No matter how solid an org's security policies, no matter the level of adherence to defense in depth principles and security best practices, no matter how much security technology was deployed and how up-to-date it was kept, it is very likely that Stuxnet would have found a way in.
Now here's a real expert, Andrew Ginter of Industrial Defender on the excellent Findings from the Field blog, laying out the harsh reality of the Stuxnet wake-up from a (NERC and DHS) security standards point of view:
A site protected with whitelisting/HIPS ... would have been CFATS or NERC compliant, and would have been protected from Stuxnet. Unfortunately, I am aware of only a handful of such sites, and no HIPS protection is mandated by NERC or CFATS. Sites with only anti-virus deployed are seen by today’s regulations as having adequate malware protection, but that protection would not have prevented Stuxnet compromises in the first year the worm circulated.
If you're new to whitelisting, here's a ZDNet blast from the past in 2008, featuring Microsoft security guru Scott Charney making the case that whitelisting is the future for most/all successful cyber security strategies. From my understanding of this approach, it's a huge step forward from where many orgs are today. But I also recall hearing Symantec's reverse engineer and Stuxnet expert Liam O' Murchu saying he thought Stuxnet could/would potentially morph to circumvent whitelisting defenses. Yikes.

Nevertheless, NERC and NERC CSO Mark Weatherford have been busy issuing guidance to utilities on how to best combat Stuxnet and Stuxnet-like threats. We're not privy to the actual details of that guidance, but you can gain a little insight into NERC's actions here and here.  I'm not sure it's a Stuxnet defeater, but I for one am quite happy to hear Weatherford calling for more security in software development and sourcing processes.

Regarding preparations for future versions of Stuxnet targeting electrical infrastructure, forget compact fluorescents for the moment. Got midnight oil? Start burning it.

Much improved sub-optimal defenses and recovery plans are vastly more desirable than what we've got in the field today.

No comments: