Skip Links

Safeguarding critical infrastructure from the next Stuxnet

An analysis of best practices to protect against new digital threats targeting industrial control systems

By Francis deSouza, senior vice president, Enterprise Security Group, Symantec, special to Network World
April 27, 2011 04:39 PM ET

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

While it has been disturbing to see Internet threats become driven by financial gain, Stuxnet signals the arrival of something more worrisome: a new class of threat designed to seize and control critical infrastructure.

Stuxnet is one of the most complex threats observed to date. Not only did it utilize interesting antivirus evasion techniques and complex process injection code, it also pioneered new frontiers in virus design, including the use of four separate zero-day vulnerabilities and the first ever rootkit designed specifically for programmable logic controller systems.

EXPERTS: Stuxnet changed the cybersecurity landscape

Most notably, however, is the fact that it was designed to reprogram industrial control systems -- computer programs used to manage industrial environments such as power plants, oil refineries and gas pipelines. It is the first known malware designed to specifically target such systems with the goal of impacting real-world equipment and processes.

Stuxnet's ultimate objective was to alter the speed at which certain frequency converter drives -- power supplies that control the rotational speed of electric motors -- operated. Stuxnet only targeted systems with drives that functioned at a certain frequency, most notably, gas-centrifuge-based systems used in uranium enrichment. Altering the frequencies of the drives, as Stuxnet is designed to do, will effectively sabotage the enrichment procedure, likely damaging the affected centrifuges in the process.

Much of the threat posed by Stuxnet has been neutralized, but this epochal change in the threat landscape still raises many troubling questions. Enterprises that run or manage critical infrastructure have much to learn from Stuxnet. For those charged with the management of industrial control systems, implementing specific recommended defenses can spell the difference between a safeguarded and properly functioning system or an infected system.

What follows is a breakdown of best practices to help erect a defense-in-depth barrier to this new type of threat.

* Leverage reputation-based detection techniques. Traditional protections, such as signature-based antivirus, are the most common method of defending against the initial infection stage. Unfortunately, many modern pieces of targeted malware rely on mutated code that is altered before each new attack and tested against antivirus solutions to ensure it will evade detection. Some malware even utilizes self-mutating code that makes it all but invisible to traditional signature-based protection. In addition, signature-based detection is ineffective at identifying brand new, never-before-seen malware. Such was the case with many of the initial Stuxnet infections. Look for a reputation-based detection system that leverages massive databases containing demographic information on virtually all good and bad files in existence to single out unknown and likely malicious software applications.

* Take advantage of managed security services. Managed security services are offered by many security vendors. The goal is to shift the burden of security operations to a qualified vendor. In the case of Stuxnet, managed security services would, for example, watch for downloaded data traffic carrying .LNK files, which could potentially be related to one of the now patched zero-day vulnerability exploits used by the threat.

* Implement and enforce device control policies. A feature of advanced endpoint protection solutions, device control provides administrators with the ability to monitor and control the behavior of devices by creating and enforcing related policies. Because industrial control systems are often disconnected from the Internet and overall corporate networks for security reasons, thumb drives are frequently used to transfer data to and from such systems and also to implement patch updates. Stuxnet authors knew this and the spread of the threat relied on this fact. In fact, infected thumb drives carried into organizations by unwary contractors was likely one of the initial propagation methods used to spread the threat. Device control policies can control what files and applications are allowed to run off thumb drives and, if properly set, will prevent malicious executable files, like those used by Stuxnet, from running on targeted systems.

* Install, and if necessary lobby for the ability to install, host-based intrusion prevention systems. Installing intrusion prevention software directly on industrial control systems is another effective way of preventing a Stuxnet infection. Such a host-based intrusion prevention system would watch for suspicious behavior taking place on the actual industrial control system and force the lockdown of the system when called for so new malware cannot be injected. Many industrial control system developers are reluctant to load third-party software that they will have to validate and support, but Stuxnet demonstrated the game has changed and greater cooperation is warranted.

* Ensure your tempo of software certificate revocation updating is appropriate. In order to further evade detection and bury itself deeper into targeted systems, Stuxnet used two stolen digital certificates, one from JMicron and another from Realtek, to try and make itself appear as a legitimate program. Both of these certificates were revoked, but if a system were not kept up-to-date in terms of certificate revocations, the stolen certificates used by Stuxnet would have still serve as an effective deception. There is no reason to think that future threats will not also attempt to exploit compromised certificates.

* Use endpoint management software to ensure adequate patching procedures. As previously mentioned, Stuxnet -- like many targeted and non-targeted attacks -- used previously unknown software vulnerabilities to gain access to susceptible systems. Security updates were issued to fix the vulnerabilities exploited by Stuxnet, but unless the patches were actually applied, systems were as vulnerable as ever. Endpoint management solutions can help manage patch updates and ensure they are applied properly. This is especially important when it comes to patches issued out-of-band, as these updates can often be overlooked because they fall outside the routine patch schedule.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News