John Cusimano, director of security services at security services and certification vendor exida (www.exida.com), doesn't think so. "Momentum for open systems is too great. Going back is almost not an option," he says. "We're far too dependent on being able to move data around throughout the organization so we can make good decisions and optimize processes. It may slow down a bit, but it won't stop. Nor is the drive to invest in COTS systems going to stop. The productivity and technical benefits are too great. Except for the most conservative industries, such as nuclear, most will continue to use them."
Brad Hegrat, principal security consultant at Rockwell Automation (www.rockwellautomation.com), predicts that USB sticks still have a lot of life in them as well. "This is not the end of the USB stick because it's so useful, but it might be the end of the USB stick in control systems. A control system-centric security system has a very limited place to integrate the USB into the environment."
He also suggests limiting the use of USB sticks to non-mission-critical systems. If they are to be used in the control room, they should be purchased from a trusted vendor and be clean—that is, have no other files on them.
"You also have to have physical control over them. You should treat them like keys to the building. [Their use] should be regulated and enforced by strict policies in a formalized program."
Securing Your Systems
Jim Toepper, product marketing manager at industrial networking products supplier Moxa (www.moxa.com), offers a number of suggestions for securing your systems from Stuxnet and other malware.
- Begin with the understanding that you need to look at three different kinds of security: physical, network and people security. Then, when looking at network security, understand the two aspects—external and internal. They are equally vulnerable.
- Look to your firewall. Is it configured correctly? Don't leave all the settings in default mode. "In my experience, 95% of users don't set their firewalls correctly. It's just a matter of not having enough experience with network and communications," says Toepper.
- Use both router- and firewall-based security.
- Insist on robust passwords. Limit people and bandwidth on your network. No one should be on your control system network who doesn't need to be there.
- Set up redundancy plans—not just redundant devices, but redundant networks. If a failure occurs, you need a backup plan.
- Configure your systems locally. Remote configuration is tempting and convenient, but risky. The most secure way to configure your system is directly from a serial port. The second most secure way is SSH or SSL security. Make sure all data is encrypted and authenticated. "Almost everyone uses Telnet or a browser, and all that info is transmitted in clear text," says Toepper.
- Look to physical security. Physically turn off USB ports and switches. Set up computers so they won't use a USB stick. Few people need physical access to computers themselves. Lock them away in a secure enclosure and use a wireless keyboard and mouse. Use an industrial computer rather than a PC. Put items on a secure network. Another option is to install software to scan USB sticks for malware or just eliminate their use. Disallow executables.
- Finally, train, train, train so good security practices become second nature to everyone.
Want to Know More?
The Stuxnet story is an evolving one. As researchers continue to study it, more information will become available. Here are some places to look for updates.
- The Tofino Security blog written by Eric Byres and Scott Howard. www.tofinosecurity.com/blog/
- Symantec security expert blogs. www.symantec.com/connect/symantec-blogs/security-response/11761/all/all/all/all.
- Industrial Defender. www.industrialdefender.com/. Look for white papers and regular updates on Stuxnet.
- The Repository of Security Incidents. www.securityincidents.org/. A regular compilation of security incidents in the process industries.
- Joe Weiss' "Unfettered" blog. http://community.controlglobal.com/unfettered.
- Also check with your control system vendor's website. Most vendors are watching this story and updating information on a regular basis.