By Jim Montague, Executive Editor
Pay attention. That's the first thing.
Icy pavement, dark alleys, newly mopped floors, biker bars, Wall Street, banana peels and industrial control networks all demand caution—or expect bruised backsides or worse. Your choice.
Likewise, anyone can kick in your front door or break a window, but that doesn't mean locking them is a waste of time or that you never can leave the house. Common-sense barriers prevent most residential break-ins, and keeping cash and other valuables in a bank lessens the losses from the few intrusions that statistics show must happen eventually. Both deterrence and mitigation mean never having to say you made it easy for the bad guys. Your choice again.
These physical analogies hold equally true for industrial network security. It also demands attention and focus because some intrusions might occur, but ongoing and evolving deterrence and mitigation can prevent most break-ins and limit those that do happen.
The Need to Prepare
"Our end users aren't making drastic changes because of viruses like Stuxnet, but they're certainly aware of it," says Steve Goldberg, industrial systems division director at Matrix Technologies (www.matrixti.com), a system integrator in Maumee, Ohio. "Most of our larger end users in oil and gas and food products feel like they're on top of their network security because they know they have to learn as they go. They already have their own security policies, but now they're telling their independent contractors that they must use the end user's laptops to access their system."
Tom Lycans, Matrix's senior engineer, adds, "One adverse incident would show some end users how they could prepare their network security and the worth of doing it, but it's still hard for many of the smaller ones to justify it ahead of time. For instance, one client has its whole plant and corporate office on the same network, but just doesn't have the manpower to divide it yet. That's why we're helping them to prevent exposing the control layer to the business layer by only allowing communications across a firewall, which defines what data can go to the control layer, or by only letting data go one way from the PLC to business level. For example, we typically deploy two separate IP ranges on one PC with two NIC cards."
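The split Lycans describes, a firewall that only lets named data flows leave the control layer and never lets the business side initiate toward it, is easy to state but easy to get backwards. The following is an added example, not Matrix's or the article's own code: a small zone policy evaluated against constructed flows, plus a rendering of the same policy as iptables rules for a dual-homed Linux box routing between two NICs. The address ranges, ports and service names are assumptions for illustration.

```python
"""Toy zone firewall for a plant whose control and business networks share a wire.

Models the policy above: business-side hosts may not initiate anything toward
the control side; control-side hosts may push only explicitly listed flows out.
Everything else is dropped. Addresses and ports are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),    # PLCs, HMIs (assumed range)
    "business": ipaddress.ip_network("172.16.0.0/16"),  # office, ERP (assumed range)
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    comment: str


# Explicit allowlist of control-initiated flows; nothing business->control.
ALLOWLIST = [
    Rule("control", "business", "tcp", 1433, "historian writes to SQL Server (assumed)"),
    Rule("control", "business", "tcp", 4840, "OPC UA push to reporting server (assumed)"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Classify an address by zone; anything outside both ranges is 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def decide(flow: Flow) -> tuple[str, str]:
    """Return ('ACCEPT' | 'DROP', reason) for a new connection attempt."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (sz, dz):
        return "DROP", f"unclassified address ({sz}->{dz})"
    if sz == dz:
        # Same-zone traffic never crosses the dual-homed box, so it is not policed here.
        return "ACCEPT", f"intra-zone {sz} traffic is not forwarded through this firewall"
    for r in ALLOWLIST:
        if (sz, dz, flow.proto, flow.dport) == (r.src_zone, r.dst_zone, r.proto, r.dport):
            return "ACCEPT", r.comment
    return "DROP", f"no allowlist entry for {sz}->{dz} {flow.proto}/{flow.dport}"


def to_iptables(chain: str = "FORWARD") -> list[str]:
    """Render the same policy as iptables commands for the forwarding box.

    Default-deny, allow return traffic for established connections, then one
    rule per allowlisted flow that only matches NEW connections from the
    control side. Return packets of those flows are covered by the conntrack
    rule, so the business side still cannot open anything toward control.
    """
    lines = [
        f"iptables -P {chain} DROP",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in ALLOWLIST:
        lines.append(
            f"iptables -A {chain} -s {ZONES[r.src_zone]} -d {ZONES[r.dst_zone]} "
            f"-p {r.proto} --dport {r.dport} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample flows: an office laptop probing the S7 programming port
    # (TCP/102), a legitimate historian push, and an unlisted SMB attempt.
    for f in (
        Flow("172.16.5.20", "10.10.1.7", "tcp", 102),
        Flow("10.10.2.50", "172.16.9.3", "tcp", 1433),
        Flow("10.10.1.7", "172.16.9.3", "tcp", 445),
    ):
        print(f, *decide(f))
    print("\n".join(to_iptables()))
```

The point to check in any real ruleset is the direction of the NEW-state rules: if a rule allows business-to-control on any port, even for a jump host, that host becomes the path Stuxnet-style malware would take, and the one-way intent the quote describes is gone.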
Matrix helps its users define and understand their specific network security needs, such as how much outside contact their users and applications require and how much they can do without, Goldberg and Lycans add. Next, they review what type and level of security is needed in each area of the organization, such as how much access is allowed to the corporate VPN, or if machines on the plant floor need to be locked down. Based on these studies, Matrix helps users pick and apply equipment that satisfies the security level required for each area.
"We still want basic antivirus software on each PC, so it helps that it's been learning to play nicer with our HMI/SCADA and controls software over the past five years," Lycans says. "I think Microsoft, Norton and McAfee got enough complaints about antivirus software identifying HMIs as viruses, so they added more-intelligent software engines, and stopped putting on the broad and indiscriminate threat masks they used to put on. We also have a couple of users that maintain ideal images of just the operating system software they need to run their PCs, and then ghost them to each new PC at installation or when needed. They also back up their data and software, so they can restore it during a recovery. These are tasks that can't be ignored. We and our users have to be as vigilant as we can, and these efforts have to be ongoing, and then evolve as needed."
How Badly Stuxnet Bites
Despite these logical security steps, the always-simmering panic over network security boiled over last summer when Stuxnet officially emerged on July 14. The destructive worm exploited vulnerabilities in Microsoft Windows to spread between PCs, then targeted Siemens Industry's Simatic WinCC SCADA software, PCS 7 distributed control system (DCS) and S7 controllers.
Symantec (www.symantec.com) reported that Stuxnet can steal code and design projects, hide itself on Windows using a rootkit, use the PLC programming software to upload its own code to PLCs monitored by SCADA systems, and then hide those code blocks as well, by intercepting the programming software's communication with the PLC so that an engineer inspecting the controller from the infected workstation sees only the original program. As a result, Stuxnet isn't just a rootkit that hides itself on Windows, but is the first publicly known rootkit able to hide injected code located on a PLC, according to Symantec. It adds that Stuxnet contains 70 encrypted code blocks that appear to replace some "foundation routines," which take care of simple yet common tasks such as comparing file times, and others that are custom code and data blocks. By writing code to a PLC, Stuxnet potentially can control or alter how a system operates.
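The practical consequence of a PLC-level rootkit is that the infected engineering workstation cannot be trusted to report what is actually running on the controller. The following is an added example, not Symantec's, Siemens' or the article's code: a toy model of a PLC block store, a "hooked" read path that omits injected blocks and echoes pre-infection copies of modified ones (a model of the effect Symantec describes, not of Stuxnet itself), and a baseline-and-diff check that catches the change only when the blocks are read through an independent path. Block names follow S7 conventions (OB1, FC, DB) but their contents are constructed placeholders.

```python
"""Why a PLC block baseline must be compared through an independent read path.

Constructed model: a PLC holds named code blocks; an engineering-station
reader lists and reads them. A hooked reader hides injected blocks and returns
pre-infection copies of modified ones, which is the effect described above.
"""
import hashlib

# Constructed S7-style program; the bytes are placeholders, not real STL.
CLEAN_PROGRAM = {
    "OB1": b"CALL FC1\nCALL FC2\n",
    "FC1": b"L MW10\nT MW12\n",
    "FC2": b"A I0.0\n= Q0.0\n",
    "DB1": b"\x00\x01\x02\x03",
}


class Plc:
    """In-memory stand-in for a controller's block store."""

    def __init__(self, program: dict[str, bytes]):
        self.blocks = dict(program)


class CleanReader:
    """Read path with nothing in the way (a known-clean station or a direct
    protocol reader that bypasses the workstation's programming DLL)."""

    def __init__(self, plc: Plc):
        self.plc = plc

    def list_blocks(self) -> list[str]:
        return sorted(self.plc.blocks)

    def read_block(self, name: str) -> bytes:
        return self.plc.blocks[name]


class HookedReader(CleanReader):
    """Models the rootkit's view: injected blocks vanish from listings and
    modified blocks read back as they were before infection."""

    def __init__(self, plc: Plc, hidden: set[str], originals: dict[str, bytes]):
        super().__init__(plc)
        self.hidden = hidden
        self.originals = originals

    def list_blocks(self) -> list[str]:
        return [b for b in super().list_blocks() if b not in self.hidden]

    def read_block(self, name: str) -> bytes:
        return self.originals.get(name, super().read_block(name))


def fingerprint(reader: CleanReader) -> dict[str, str]:
    """Block name -> SHA-256 of its contents, as seen through this reader."""
    return {n: hashlib.sha256(reader.read_block(n)).hexdigest() for n in reader.list_blocks()}


def diff_fingerprints(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report blocks that appeared, disappeared or changed since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in common if baseline[n] != current[n]),
    }


def infect(plc: Plc) -> dict[str, bytes]:
    """Simulate code written to the PLC that alters how it runs: a new block is
    added and the main cycle block is edited to call it. Returns the original
    copies the hooked reader will echo back. Constructed, not Stuxnet's payload."""
    originals = {"OB1": plc.blocks["OB1"]}
    plc.blocks["OB1"] = b"CALL FC_INJ\n" + plc.blocks["OB1"]
    plc.blocks["FC_INJ"] = b"; injected logic (constructed placeholder)\n"
    return originals


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Take a clean baseline, infect, then diff through both read paths."""
    plc = Plc(CLEAN_PROGRAM)
    baseline = fingerprint(CleanReader(plc))  # taken while clean and stored offline
    originals = infect(plc)
    hooked = HookedReader(plc, hidden={"FC_INJ"}, originals=originals)
    via_hooked = diff_fingerprints(baseline, fingerprint(hooked))
    via_independent = diff_fingerprints(baseline, fingerprint(CleanReader(plc)))
    return via_hooked, via_independent


if __name__ == "__main__":
    hooked_view, independent_view = demo()
    print("through infected workstation:", hooked_view)
    print("through independent read:    ", independent_view)
```

The hooked view reports no change at all, which is exactly the assurance an operator would get from the compromised station. The baseline only earns its keep when it is stored off the workstation and compared against a read taken through a path the workstation's software does not control; the same holds for the golden PC images mentioned earlier, which are only a recovery aid if the copy used for comparison was never reachable from the infected host.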
Although Stuxnet seems to have been coded specifically for Siemens products, other products could be just as vulnerable to similar viruses or attempted intrusions, according to John Cusimano, security services director at exida (www.exida.com). "WinCC is by far the largest SCADA HMI package. It's embedded into everything. Whether you know you're buying it or not, it might be embedded in your system. That's probably why it was the target."
After Stuxnet was created and initial versions started circulating in June 2009, its developers created a second, more powerful iteration, which allowed it to spread via USB drives with virtually no action by victims beyond viewing the drive's contents. They also signed the malware's driver files with code-signing certificates stolen from chipmakers Realtek and JMicron, so that Windows would load the drivers as if they came from a trusted vendor and antivirus scanners would have a harder time flagging them. Signed, apparently legitimate drivers are one reason Stuxnet stayed undetected for as long as it did.