More on Stuxnet and warnings about the coming worms that will be using the techniques pioneered by the worm

I am posting a few more interesting items on Stuxnet. In addition to the information that I posted yesterday, here are a few more facts.

  • Symantec reports that 60% of the infections have occurred in Iran
  • Fewer than 2% of the infections have occurred in the United States
  • The developers created fake device drivers that were signed using stolen certificates from two device manufacturers
  • The exploit used default passwords for the Siemens systems that were apparently hard coded into the systems.

The last item is especially important, as I work all the time on systems that still use, or at least still contain, default accounts and passwords set up by the supplier. In many cases it isn't trivial to get rid of these accounts or to change their passwords. You should really start thinking about that.
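As an added example (not code from the original post, and not a real vendor account list), the check below audits an asset inventory for the problem the paragraph describes: supplier default accounts that are still present, passwords that still equal the supplier default, and passwords never changed since the host was commissioned. Every host, account name and default credential in it is a constructed placeholder, and the inventory is assumed to store an unsalted SHA-256 of each password only so that the comparison is self-contained; a real audit would test the default against the system's own credential store instead.

```python
"""Added example, not code from the original post: audit an asset inventory
for supplier default accounts and for passwords never changed since
commissioning. Every host, account name and default credential here is a
constructed placeholder, not a real vendor default."""
from dataclasses import dataclass
from datetime import date
import hashlib


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Placeholder defaults a supplier might ship (constructed). Only their hashes
# are kept so the audit never carries plaintext defaults around.
VENDOR_DEFAULT_HASHES = {
    "vendor-svc": sha256_hex("EXAMPLE-DEFAULT-1"),
    "engineer": sha256_hex("EXAMPLE-DEFAULT-2"),
}


@dataclass
class Account:
    host: str
    name: str
    password_sha256: str   # unsalted here only to keep the example self-contained
    last_changed: date     # when the password was last set
    commissioned: date     # when the host went into service


def audit(accounts, max_age_days=365, today=None):
    """Return (host, account, reason) findings; one account may raise several."""
    today = today or date.today()
    findings = []
    for a in accounts:
        if a.name in VENDOR_DEFAULT_HASHES:
            findings.append((a.host, a.name, "supplier default account still present"))
            if a.password_sha256 == VENDOR_DEFAULT_HASHES[a.name]:
                findings.append((a.host, a.name, "password is the supplier default"))
        if a.last_changed <= a.commissioned:
            findings.append((a.host, a.name, "password unchanged since commissioning"))
        elif (today - a.last_changed).days > max_age_days:
            findings.append((a.host, a.name, "password older than rotation policy"))
    return findings


# Constructed inventory: one engineering station and one HMI.
INVENTORY = [
    Account("eng-ws-01", "vendor-svc", sha256_hex("EXAMPLE-DEFAULT-1"),
            date(2009, 3, 1), date(2009, 3, 1)),
    Account("eng-ws-01", "jsmith", sha256_hex("not-a-default"),
            date(2010, 8, 20), date(2009, 3, 1)),
    Account("hmi-02", "engineer", sha256_hex("rotated-once"),
            date(2010, 1, 5), date(2009, 3, 1)),
]

# Fixed audit date so the example gives the same result whenever it is run.
AUDIT_DATE = date(2010, 9, 22)

if __name__ == "__main__":
    for host, name, reason in audit(INVENTORY, today=AUDIT_DATE):
        print(f"{host:<10} {name:<12} {reason}")
```

Run against the constructed inventory, the audit reports four findings: three against the untouched `vendor-svc` account on the engineering station and one for the `engineer` account on the HMI, which has been given a new password but is still the supplier's account rather than a named one.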

German security researcher Ralph Langner has posted the notes from his investigation here. I would direct you specifically to his recommendations for asset owners…

Stuxnet logbook, Sep 17 2010, 2300 hours MESZ

Recommendations for asset owners:

  • Define and enforce a high security level for your engineering stations, ESPECIALLY the mobile ones.
  • Do not allow staff to use these stations for private purposes (surfing on the Internet, using media player etc.).
  • Start securing these systems with whitelisting solutions.
  • Define and enforce a high security level for contractors that have network access to your systems either locally or remote.
  • Start removing shared folders.
  • Remove critical systems from the network if the network connection is used only for convenience.
  • Review your security policies for accessing systems with VNC and similar RDP products.
  • Develop a zoning concept for your network and implement it.
  • Use PLC version control systems.
  • Do not assume an attack could never originate from a PLC.
  • Enforce security policy even during commissioning.

I would generally agree with him that you may not need to worry about Stuxnet specifically, but you may want to start worrying about the worms that could follow as soon as the next 90 days and that will use the exploits and techniques pioneered by Stuxnet.

You may want to start thinking about beefing up security as quickly as possible for your OSIsoft PI systems and their interfaces. OSIsoft publishes a security best practices white paper containing XML templates for the Windows Security Configuration Wizard that help reduce the attack surface. You can configure your PI interface nodes to only allow reads from the control system and to prevent any writes. You should also consider firewalling your interfaces and your PI server from the rest of your business network using a three-zone approach.
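To make the three-zone idea concrete, here is an added example (not from the original post and not OSIsoft's own guidance) that models the zone policy as a default-deny rule table and runs it over some constructed connection records. The zone names (`control` for the control system, `pi` for the PI interface nodes and PI server, `business` for the rest of the business network), the rule table and the log lines are all assumptions made for this example; the one property it enforces is the post's own point that the PI side may read from the control system but never write into it.

```python
"""Added example, not from the original post or from OSIsoft: a default-deny
model of a three-zone layout (control system, PI interface nodes and PI
server, business network) in which the PI zone may only read from the
control system. Zone names, the rule table and the log records are
constructed assumptions for this example."""

ZONES = {"control", "pi", "business"}

# Flows permitted across zone boundaries; anything absent is denied.
ALLOWED = {
    ("pi", "control"): {"read"},     # interface nodes poll the control system, no writes
    ("business", "pi"): {"read"},    # business clients read historian data from the PI server
}


def decide(src, dst, operation, allowed=ALLOWED):
    """Return (permitted, reason) for one cross-zone request."""
    if src not in ZONES or dst not in ZONES:
        return False, "unknown zone"
    if src == dst:
        return True, "intra-zone traffic is not filtered at the zone boundary"
    ops = allowed.get((src, dst))
    if ops is None:
        return False, f"no rule permits {src} -> {dst}"
    if operation not in ops:
        return False, f"{operation} is not permitted {src} -> {dst}"
    return True, f"{operation} permitted {src} -> {dst}"


def write_paths_into_control(allowed=ALLOWED):
    """Rules that would let another zone write into the control system; should be empty."""
    return [pair for pair, ops in allowed.items()
            if pair[1] == "control" and "write" in ops]


# Constructed connection records: timestamp, source zone, destination zone, operation.
LOG = """\
2010-09-22T08:01:10 pi control read
2010-09-22T08:01:11 business pi read
2010-09-22T08:02:30 business control read
2010-09-22T08:03:05 pi control write
2010-09-22T08:04:00 business pi write
"""


def audit_log(text, allowed=ALLOWED):
    """Return every record the policy would have denied, with the reason."""
    violations = []
    for line in text.splitlines():
        ts, src, dst, op = line.split()
        permitted, reason = decide(src, dst, op, allowed)
        if not permitted:
            violations.append((ts, src, dst, op, reason))
    return violations


if __name__ == "__main__":
    # The rule table itself is checked before any traffic is: no write path into control.
    assert not write_paths_into_control()
    for record in audit_log(LOG):
        print(*record)
```

The `write_paths_into_control` check is the piece worth keeping when the rule table grows: it inspects the policy rather than the traffic, so a later rule that quietly opens a write path from the PI zone or the business network into the control system is caught when the table changes, not when something uses it. On the constructed log, three of the five records are denied: the business network reaching straight for the control system, a write attempt from the PI zone toward the control system, and a write from the business network into the PI zone.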
