DHS Chief: What We Learned From Stuxnet
angry tapir writes "If there's a lesson to be learned from last year's Stuxnet worm, it's that the private sector needs to be able to respond quickly to cyber-emergencies (CT: Warning, site contains obnoxious interstitial ads. Blocker advised), according to the head of the US Department of Homeland Security. When Stuxnet hit, the US Department of Homeland Security was sent scrambling to analyze the threat. Systems had to be flown in from Germany to the federal government's Idaho National Laboratory. In short order the worm was decoded, but for some time, many companies that owned Siemens equipment were left wondering what measures, if any, they should take to protect themselves from the new worm."
Re: (Score:1)
get over to that windows 8 story and save it from being almost a puff piece.
#1 thing learned from Stuxnet... (Score:2, Insightful)
#1 thing learned from Stuxnet:
Air-gap your production SCADA/embedded stuff.
Re:#1 thing learned from Stuxnet... (Score:5, Informative)
Air-gap your production SCADA/embedded stuff
Stuxnet was designed to use USB-flash drives as a transmission vector.
Re:#1 thing learned from Stuxnet... (Score:4, Insightful)
In other words: the real air gap you need to worry about is the one between your employees' ears.
Re: (Score:2)
In other words: the real air gap you need to worry about is the one between your employees' ears.
Fact: It is impossible to guarantee zero errors from employees. People make mistakes.
Re: (Score:2)
Plugging a USB device into a machine that you're not supposed to plug it into is not a "mistake", it is vandalism, theft, or worse, industrial espionage. For that reason, USB should just be disabled on company computers, unless the USB is truly essential to its operation. And, I haven't seen a machine yet where USB was essential. Fingerprint scanner, maybe? Get a scanner that plugs into the serial port, FFS!
Re: (Score:2)
Calling people stupid for failing to foresee something is rarely true, and even more rarely profitable.
But selling them shit because they're stupid and can't foresee something, that's very profitable. Just don't tell them they're stupid to their faces; spoils the sale.
Re: (Score:3)
Some hot glue in the USB holes works wonders on other "secure" systems.
Re:#1 thing learned from Stuxnet... (Score:4, Funny)
Some hot glue in the USB holes works wonders on other "secure" systems.
Probably would work fairly well for the 'between-the-ears' airgap as well. Worth a try anyway.
Re: (Score:2)
And if your system relies on USB to talk to the devices it is supposed to be programming, that hot glue isn't so useful.
Re: (Score:2)
Do you have such devices? I don't have any at my worksite. Everything is serial. Assuming you do communicate between devices via USB - how difficult would it be to use a serial port?
Re: (Score:2)
At a previous employer we had some USB programmers for TI MSP430 processors. Sure, they could have been serial, and we had serial ones. But serial is a legacy port nowadays.
Re: (Score:2)
And the "U" in USB stands for "MacBooks can seamlessly interface with alien ships' computers and upload viruses that shut down their entire fleet".
Okay, not quite.
Re: (Score:2)
and delivered by people willing to give their life for it (which they likely did.)
Re: (Score:3)
It's a trap! (Score:2)
Boy is egg on their face over that one.
Re: (Score:2)
Gonna need a citation for Sergio Aragones' death. Neither wikipedia nor his official page mention it. Maybe you mean Antonio Prohias, who both created Spy vs. Spy and is dead.
Re: (Score:2)
If you are going to airgap, you must also disable the USB ports. Physically, not in software.
Re: (Score:2)
That's just ONE vector, not the only one.
Hot glue the USB ports, or disconnect them from the motherboard.
Your employees have no business sticking USB drives into process control computers.
The preponderance of USB-Only keyboard/mouse machines is a problem.
Re: (Score:1)
Your employees have no business sticking USB drives into process control computers.
Until the software, firmware, what-have-you needs to be updated or changed. "We now need to change the rotation speed from X to Y in sub-vector Z". Would you like to do that all by keyboarding each one of the 25,000 or so machines?
Re: (Score:2)
What else do you have to do all day? What - you're going to miss a day or six of slashdot reading? Get off yer lazy arse and get to work updating those machines!
BTW - I've been in a lot of production plants in my lifetime. I mean, a lot. You'll be hard pressed to find a list of plants with 25,000 machines doing similar jobs, all requiring the same or similar updates. Perhaps some corporation like General Motors has that many machines spread out across its corporate landscape, including spare replaceme
Re: (Score:3)
So how do you propose to transmit data from a power dam sensor across half a mile of water?
Assuming "it" is not free floating, run a wire to it. Or, even better, a fiber. Alternately there are about one zillion non-WiFi non-LAN radio communications technologies that could transmit that telemetry.
Re: (Score:1)
The human IT factor will always be the weakest link in the computer system equation.
Re: (Score:2)
That, and never assume that the payload is harmless. Just because you do not understand it does not mean it does not affect you.
So why did they have to analyse the code? It is a nice exercise, but for the threat assessment I think it is sufficient to state that the virus is uploading code to your SPS. It's like having an intruder on your premises - you do not need to understand his motives, but you do need to improve security.
Re:#1 thing learned from Stuxnet... (Score:4, Insightful)
#1 thing I've learnt from Stuxnet: People who have no experience with SCADA equipment say "OMGZ TEH HAXORS, Airgap! Airgap! Airgap!", and somehow get modded insightful.
There is nothing insightful at all about taking the silly approach of simply cutting cables due to the fact that there may be someone out there with nefarious motives. It's right up there with OH&S departments saying people should wear gloves at all times in case of papercuts.
Any sizable SCADA system RELIES on network access. We're not talking about one small unit running one compressor, but the type of systems that run entire plants. They must be able to communicate with each other, they must be able to communicate with asset management systems, they must be able to communicate with process historians, (all these on a different network of course), these machines must be able to communicate with engineering departments at worst, and at best be accessible by knowledgeable experts in the industry from the other side of the world.
There are plenty of plants around the world which would turn into oversized holes in the ground if it weren't for the fact that realtime knowledge was accessible remotely. There are many companies which would have been sued out of existence if they put their hands on their hearts in front of congress and said, "Sorry we don't have any data on what has happened, our IT guys said we couldn't network our SCADA systems to the offsite historian, and it has all burnt in a fire".
Security is NOT an airgap. Security is a complete process, a company culture and something that needs to be designed into every aspect of network design. Limiting access both physical and remote, using a complex hierarchy of firewalls and one way communications, etc etc.
If you want a truly insightful post maybe read this one below [slashdot.org]. You may learn something.
Re: (Score:2)
I'm sure there are other ways to ensure that if boxes are compromised on one segment, the intrusion won't spread to the subnet with the juicy embedded toys. Of course, a good, hardened router is one way, but it would be nice to have defense in depth and not bet the farm on one piece of equipment.
The one way firewall and segregated networks are actually quite a good way of doing it. Consider a plant with a control system, a data historian, and a corporate network. The control system should be on its own hardened network behind a firewall that allows communication only one way (out). A data historian whose only job is to collect data can sit on a network immediately above this and collect the data. Then above that via another firewall is a corporate network which is locked away from the network below.
Re: (Score:2)
The reading that I've done on that subject included words to the effect, "Drive the Jews into the sea". I believe that GP may have inserted his own words with that "wipe off the map", or some author interpreted that before he read it.
Re: (Score:3)
The more accurate translation is -
"The Imam said this regime occupying Jerusalem must vanish from the page of time."
The closest analogy I can think of is the "dustbin of history". In either case, it means that someone or something isn't a concern any more. Either it no longer exists or is no longer relevant. I agree that the statement isn't as militant as "wipe off the map", but it's still threatening.
Re: (Score:2)
You didn't get your tablet? You must be a bad, bad, bad boy, or God would have given you one. Have you been worshipping false idols or something? All of MY friends have their tablets. And, I wouldn't leave the house without mine!
if they can do it, they will do it (Score:2)
so:
1) keep not only production but all but communication system from the Internet
2) do not allow removable media to the users, apply extreme caution to 'upgrades'
3) verify by viewing the source code ( or let it be done by 2 or more separate parties )
-
you have no source code? forget your IT security!!
Re: (Score:1)
If you want to keep your involvement a secret you need to react normally. Best way to do that is not tell the guys who react to this stuff (until they get too close, then you tell their boss's boss's boss's boss to put a cork in it.)
Security 101 (Score:5, Insightful)
1) anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot, or at least given a stern talking to. Autorun should be disabled
2) Any machines brought into from the outside (laptops etc) should be placed on a separate, untrusted network
3) Mission critical machines shouldn't be on a network. If that isn't possible, they should be on a separate network or vlan with only the machines they need to talk to, at the very least they shouldn't be able to access the internet
4) Always ensure that all security updates are applied promptly and all relevant hardening is performed
5) At the first sign of such a massive infection across multiple machines and devices, everything should have been taken offline, wiped, flashed, and reinstalled and brought up again on a known clean environment, with security procedures tightened.
6) If all of your machines are running version X of OS Y, they will all suffer from the same 0 day attacks. Diversity, where appropriate, is useful.
This may not have prevented an infection, but it would have definitely reduced its impact. I really question the competency of any IT person that had no idea what to do.
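The zone layout from the one-way-firewall post above (control below historian below corporate, nothing initiating downward) and points 2 and 3 of this list (outside laptops on an untrusted network, critical machines never reaching the internet) can be checked mechanically. The following is an added example, not code from the thread: a small policy oracle plus an audit over a constructed firewall rule list. The zone names, the `Rule` format and the "untrusted" laptop zone are assumptions, not any product's syntax.

```python
"""Audit a plant firewall rule list against the up-only zone model from the
thread: control -> historian -> corporate, nothing initiates downward, the
control zone never reaches the internet, and outside laptops sit in an
untrusted zone that only reaches the internet. Zone names and the Rule
format are assumptions for this example, not any product's configuration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Trust order, most trusted first. A flow is "one hop up" when the
# destination sits exactly one place after the source in this list.
ZONES = ["control", "historian", "corporate", "internet"]
UNTRUSTED = "untrusted"  # assumed zone for laptops brought in from outside

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str  # "allow" or "deny"

def flow_permitted(src: str, dst: str) -> bool:
    """Policy oracle: may a connection initiated in src reach dst?"""
    if src == UNTRUSTED:
        return dst == "internet"
    if dst == UNTRUSTED:
        return False
    if src not in ZONES or dst not in ZONES:
        return False  # unknown zone names are never implicitly trusted
    if src == dst:
        return True  # intra-zone traffic is outside the perimeter policy
    if src == "control" and dst == "internet":
        return False  # already implied by the ranking, stated for clarity
    return ZONES.index(dst) == ZONES.index(src) + 1

def audit(rules: list[Rule]) -> list[str]:
    """Return one message for every allow rule the policy forbids."""
    return [f"{r.src} -> {r.dst} must not be allowed"
            for r in rules
            if r.action == "allow" and not flow_permitted(r.src, r.dst)]

# Constructed sample rule list with two mistakes the audit should catch.
SAMPLE_RULES = [
    Rule("control", "historian", "allow"),
    Rule("historian", "corporate", "allow"),
    Rule("corporate", "historian", "allow"),  # downward pull into historian
    Rule("corporate", "internet", "allow"),
    Rule("untrusted", "internet", "allow"),
    Rule("untrusted", "corporate", "allow"),  # visiting laptop into corporate
    Rule("control", "internet", "deny"),
]

if __name__ == "__main__":
    for msg in audit(SAMPLE_RULES):
        print("VIOLATION:", msg)
```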
Re: (Score:3)
And how do you propose that updates be made to the system? Code them whole-cloth from within the secured network? Without testing the changes on a test system?
Re: (Score:3)
without autorun.
hell if you really want to be paranoid set up as suggested above and make the important machines only run EXEs signed with a specific key and be damn careful with what you sign.
Re: (Score:1)
"anyone bringing in flashdrives from the outside and plugging them into mission critical should be taken out back and shot,"
Fixed
Re: (Score:1)
However, I propose having USB access on removable PCI cards, or some similar removable interface. Keep the cards locked up unless you are doing an update.
Sure, a very stupid user could go buy a USB card to play his collection of Lady Gaga hits in the reactor control mainframe, but he's probably more likely to buy a USB player instead of going to the trouble of installing a card and rebooting the system.
A process engineer I used to work for had a Golden Rule: Design the work space s
Re: (Score:2)
"1) anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot,"
Iran is lucky enough to have that BOFH option.
Re: (Score:2)
As to looking at source code (as an earlier poster suggested): Good luck with that. 99.99% of SCADA systems are proprietary, closed sourced and encu
Re: (Score:3)
Number 4 is not possible on SCADA machines like Stuxnet targets, or even on machines like an OSS system in a telco.
You see, these application makers do not regard the machines as an HP-UX box (or Solaris box, or Sinix box or Windows box) running some software, but as, let's say, an NMS-2000, which, by pure random luck, "happens" to be implemented on HP-UX.
Therefore, you are not allowed to install the latest patches from HP until the application provider (Nokia, in the Case of the NMS-2000, Siemens, in the
Re: (Score:2)
It's never one IT person, especially for such a massive outbreak or such an important site. Any actual boots-on-the-ground guy could have done what you said, but getting a whole org to do things is just a hair short of infinitely harder.
How to do telemetry analysis? (Score:2)
I've been working with SCADA and real-time control systems for 30+ years and I see one security hole that cannot be plugged by any of the steps you mention.
Ultimately, data must be *analyzed*. Your telemetry files will have to be brought in some manner to an engineer's desktop for that. A system that has no way to transfer data to less secure networks is useless.
For me, the most secure control system would be a Linux system. In Linux, unlike closed-source OSes, you can configure exactly what's running.
Re: (Score:1)
Clearly you do not know Stuxnet nearly as well as you think you do. I'll address your mistakes individually
1) No contention
2) No contention
3) The Iranian network was airgapped as far as we know, however that is not the only vector that Stuxnet uses. Stuxnet can spread quite rapidly through Windows networks, thus leading to more machines that could potentially infect flash drives that would later be used in critical machines. It also makes the task of cleaning a facility much more difficult because any missed
Watch this awesome TED talk "Cracking Stuxnet" (Score:2)
Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon
http://www.ted.com/ [ted.com] When first discovered in 2010, the Stuxnet computer
http://www.youtube.com/watch?v=CS01Hmjv1pQ [youtube.com]
In short he shows/claims US was behind it.
Re: (Score:1)
Just watch the talk as the commenter after you did.
Re: (Score:2)
Shhhh - don't say "Allen-Bradley" and "rogue" in the same sentence like that. We have thousands of A-B's and only a few dozen Siemens PLC's. Give me Stuxnet, please!
What we learned from Stuxnet?! (Score:1)
That it was effective? (Score:2)
I thought the US wrote this? I still think it was Canada.
Re: (Score:2)
Actually, you are being conspiratorial. You didn't cite any references; which places did you read this and what evidence do they have? You then made an allegation concerning a high profile disaster. So, you're being alarmist also.
Steps to responding quickly (Score:2)
2) Boss asks for time/cost estimate to fix
2a) Boss brings estimate to talking-head meeting
2b) people protest about their job process changing
3) estimate sits on Boss's desk for 3 months
4) Boss golfs with his sis's brother-in-law and they talk security
5) Boss comes to work next day, calls meeting about security
6) You remind him of estimate on desk for 3 months
7) meeting devolves into yucks about golfing/hangover
8) Boss calls you into office after meeting
9) Asks you to pick two
Re: (Score:1)
So that's where the 8's in your name come from.
Another thing Learned... (Score:2)
~Sticky
/My opinions are my own.
Not what I thought... (Score:2)
I thought they would have learned that with enough private sector forensics, everything gets traced back to them? Didn't DHS in Conjunction with Siemens and Israel write this?
"...left wondering..." (Score:2)
"...but for some time, many companies that owned Siemens equipment were left wondering what, if any measures, they should take to protect themselves from the new worm."
The implication of this statement is that DHS didn't have an immediate answer (outside of pedantic default answers like "unplug your equipment" or "reload software" or anything else from answers.com).
Gee, let's see -- a new worm never seen before, apparently written by a sophisticated group from the intelligence community and someone's actual
Wait a Moment (Score:2)
What We Learned From Stuxnet (Score:2)
Until they fix that (isn't that what DHS was supposed to be for?) Iran is the least of their problems.
that doesn't make any sense (Score:1)
INL sure was fast (Score:2)
The way I hear it, Idaho National Labs was able to quickly decode the worm since it was likely a weaponized exploit from a report they wrote. I'm betting when DHS got them involved, it was not their first time seeing this equipment as they audit our infrastructure all the time.
Re: (Score:2)
Not that they would have known they were involved, since it would have been redacted from their report if DoE decided to pocket the exploit.
DHS is the Department of Homeland Security (Score:2)
The same folks who bring us the TSA.
Based on that alone, I can confidently say that they didn't learn anything from Stuxnet.