2011-01-06

Industrial Defender Updates Stuxnet Whitepaper

(This article was originally published on the Findings From the Field blog.)

Industrial Defender has released their updated Stuxnet Whitepaper: The Stuxnet Worm and Defenses for Advanced Threats. You do need to register to access the paper, but once registered you will have access to all of Industrial Defender’s archived papers and webinars. The updated whitepaper assumes you understand control systems, and provides control systems engineers with the information needed to evaluate their security programs in light of advanced threats. The whitepaper uses the Stuxnet example to illustrate how products from the Industrial Defender security suite react to advanced threats. The paper concludes that given the apparent success of recent attacks, it is only reasonable to expect new advanced attacks in the months ahead.

Historical Accuracy

The whitepaper is noteworthy in that the product claims made for Industrial Defender products are historically accurate. For each of the products with claims made about it, the product was set up as it would have been configured in the key 3-4 month period between March and late June of 2010. That period is important when talking about Stuxnet, since that is when the mature version of the Stuxnet worm circulated undetected. In that period no patches were available for most of the vulnerabilities it exploited, and no anti-virus or intrusion detection signatures were available either. Each of the products described in the paper was set up as it existed in the “circulating undetected” period, with the correct vintage software versions, rules and signatures loaded as well. Then each product was tested against a mature copy of the worm taken from that time period.

In contrast, many other vendors, especially enterprise vendors, have made claims about the worm which either were not tested at all, or were not tested in the correct configuration. Of course intrusion detection products can detect the worm now – ever since July of 2010 the worm has been recognized as an advanced attack and signatures and rules have been available for it. Technologies which can prevent an attack once that attack is well known will not protect you while the next advanced attack circulates undetected. A key characteristic of an advanced attack is the ability to operate undetected long enough to do damage. To protect against new advanced threats and advanced attacks, organizations need to deploy “anomaly” type technologies – technologies which notify you when something unexpected and suspicious happens, rather than when a known threat is detected.

Looking Forward

Looking forward, the paper concludes that there are many reasons why we should expect new advanced attacks. To start with, consider the apparent success of the Stuxnet worm and other advanced attacks observed in 2009 and 2010. While there is no authoritative estimate, various analysts suggest that the Stuxnet worm damaged at least 3% and possibly as much as 50% of its presumed target: the gas centrifuges Iran uses for uranium enrichment. Most analysts describe the worm as reasonably successful, and this success comes at an apparently low cost. The worm is estimated to have cost 1-2 million dollars to develop, which is a tiny fraction of what a conventional assault on the presumed target would have cost.

Another reason to expect new advanced attacks is the lack of consequences for the authors of the attack. In fact, while conspiracy theories abound, there is no hard evidence or even consensus of opinion as to who the authors really were. With the apparent success of the attack, and with no negative consequences arising from it, what would deter the authors of the worm, or other equally-capable authors, from attacking again?

A third reason to expect new advanced attacks is the amount of money many of the world’s governments have admitted investing in cyber-warfare capabilities. With many nations of all political persuasions investing in advanced cyber-attack capabilities, and with the apparent success and low cost of the Stuxnet worm as an example, it is only reasonable to expect that attacks like the worm will be repeated.

The time is upon us to act to create security programs and deploy security technologies which can anticipate, detect and frustrate new advanced attacks.
