Your Process; A Prime Target

Written by Jason Rako,

Stuxnet is one of the first worms specifically designed to wreak havoc with an industrial process operating with Siemen controls. It managed to penetrate a military-level nuclear enrichment facility and damange key equipment while covering its tracks.  According to Eric Byres from Tofino Security, more process-targeting worms may be on the way. Is your system at risk?

Can your system be infected?

DSCN1415

During his seminar at Power Connect 2011, Byres outlined all the various ways a worm can make its way deep into a control system. Common methods would include infected USB drives, infected employee project files and through Intranets. Unusual methods included infected software drivers, counterfeit product disks handed out at trade shows and conventions, system patches and even electronic manuals (PDFs being common).

Some companies state that they have an “air gap” preventing their systems from being infected. The truth is, according to Byres, a determined individual will be able to breach any form of security; there is no such thing as an air gap.

Spreading through your system

Once a worm gets into your system, it does not immediately begin causing havoc. Instead, a worm like Stuxnet will evolve in stages:

  1. The worm will begin infecting one machine. A successfully infected machine will serve as the worm’s base camp.
  2. The worm will now begin infecting as many machines as possible at a rapid rate.
  3. The worm will avoid detection, even by masquerading as your anti-spyware and firewall.
  4. The worm will identify its target and make its move to modify the target.

The word is out:

The success of Stuxnet opened a door for the hacking community. Process controls and systems are now in the spotlight and Byres believes that Stuxnet is the first of many process-specific worms to come. In fact, there are already websites freely offering the code behind the Stuxnet worm.

Protection: 

To really be effective, an anti-virus system must go beyond just creating one defensive perimeter. According to Byres, the best strategy is to create layers of firewalls with the greatest amount of protection lying at the core of your process. A company must also ensure that each firewall is unique to make it harder for a worm to penetrate deeper into the system. Direct communication channels betweem systems lying on the perimeter of a network must be heavily guarded (or perferably non-existant without an intermediate system and firewall).