More on Stuxnet and warnings about the coming worms that will be using the techniques pioneered by the worm
I am posting a few more interesting items on Stuxnet. In addition to the information that I posted yesterday, here are a few more facts.
- Symantec reports that 60% of the infections have occurred in Iran
- Fewer than 2% of the infections have occurred in the United States
- The developers created fake device drivers that were signed using stolen certificates from two device manufacturers
- The exploit used the default passwords for the Siemens systems, which were apparently hard-coded into the systems.
The last item is especially important: I work all the time on systems that still use or still contain default accounts and passwords set up by the supplier. In many cases it isn't trivial to rid yourself of these accounts or to change their passwords. You should really start to think about that.
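As an added example (not from the original post), here is a PowerShell audit that lists the local accounts on a Windows PI interface node which match a list of supplier default account names, or whose password has never been set or has not been rotated in a long time. The account names in the list are placeholders you replace with the defaults your own suppliers document, and Get-LocalUser is assumed to be available (Windows 10 / Server 2016 and later).

```powershell
# Added example, not from the original post: find supplier/default accounts that
# are still present or enabled on this host, and accounts whose password was never
# set or has gone stale. The names below are PLACEHOLDERS; replace them with the
# default accounts documented by your own suppliers.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+).

$DefaultAccountNames = @(
    'VENDOR_DEFAULT_ACCOUNT_1',   # placeholder: supplier-installed service account
    'VENDOR_DEFAULT_ACCOUNT_2',   # placeholder: supplier-installed maintenance login
    'Administrator',              # built-in; should be renamed or disabled per policy
    'Guest'                       # built-in; should be disabled
)

function Get-DefaultAccountFindings {
    param(
        [string[]] $Names = $DefaultAccountNames,
        [int] $StaleDays = 365        # assumed rotation policy; adjust to your own
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($user in Get-LocalUser) {
        $isKnownDefault = $Names -contains $user.Name
        $neverRotated   = -not $user.PasswordLastSet      # $null: password never set
        $stale          = $user.PasswordLastSet -and ($user.PasswordLastSet -lt $cutoff)
        if (-not ($isKnownDefault -or $neverRotated -or $stale)) { continue }

        if ($user.Enabled -and $isKnownDefault) { $finding = 'Enabled supplier default account' }
        elseif ($neverRotated)                  { $finding = 'Password never set' }
        elseif ($stale)                         { $finding = "Password older than $StaleDays days" }
        else                                    { $finding = 'Disabled default account (verify removal)' }

        [pscustomobject]@{
            Account         = $user.Name
            Enabled         = $user.Enabled
            KnownDefault    = $isKnownDefault
            PasswordLastSet = $user.PasswordLastSet
            LastLogon       = $user.LastLogon
            Finding         = $finding
        }
    }
}

# Run on each interface node and keep the output with your change records.
Get-DefaultAccountFindings | Format-Table -AutoSize
```

Accounts that a supplier's software needs cannot always be removed; for those, the LastLogon column helps show whether the account is actually in use before you decide whether to disable it or only rotate its password.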
German security researcher Ralph Langner has posted his thoughts during his investigation here. I would direct you specifically to his recommendations for asset owners…
I would generally agree with him that you may not need to worry about Stuxnet specifically, but you may want to start worrying about the worms that will be coming, as soon as the next 90 days, using the exploits and techniques pioneered by Stuxnet.
You may want to start beefing up the security of your OSIsoft PI systems and their interfaces as quickly as possible. OSIsoft publishes a security best practices white paper containing XML templates for the Windows Security Configuration Wizard that help reduce the attack surface. You can configure your PI interface nodes to allow only reads from the control system and to prevent any writes. You should also consider firewalling your interfaces and your PI server from the rest of your business network using a three-zone approach.