One of the most important parts of network security is detection. As Capt. Jeremy Sparks, instructor at the Air Force's Undergraduate Cyberspace Training school, teaches the Air Force's future network defenders: Prevention is key, but detection is a must. Detection not only mitigates the damage and duration of an attack, but it can also deter and prevent an attacker altogether. One of the most appealing aspects of cyber warfare is limited attribution. Without this aspect, the motivation of nation-states and hackers to conduct operations in cyberspace greatly decreases.
All of what is mentioned above is a broad look at network security for control systems; it is not an all-inclusive list. The security mindset must be used to think about each level of the network and what would be available to prevent or mitigate a compromise there. It is an ongoing process that must be given proper attention and resources even when both are limited.
Control system and software vendors must take responsibility as well and provide better software and hardware that has a focus on security instead of just availability. Better code and hardware testing, as well as longer durations for patching support, are all a great start. Asset owners must participate in this process too, and work with vendors to identify issues. Both vendors and asset owners must then work with the government and regulation committees to identify regulations and standards that must be enforced. The minimum standard is not something that can foster true security, especially with systems that affect national security. However, this is not an issue of pointing blame at any party involved. Instead, this is an issue of getting the community to come together and bring different experiences to find solutions.
This community is where the battle over control systems will be won. Both the cyber community and the control systems community have very talented and passionate individuals working together to bring about positive change. The best advice for those involved in control systems is not based in varying and ever-evolving security practices. Instead, the single greatest piece of advice is to reach out to the community, and share information, practices and lessons learned. There is a real fight going on in cyberspace involving control systems, but it is not a fight one has to wage alone. With a security mindset, networking and a touch of optimism, the community as a whole can enable itself to truly secure control systems.
Author's note: I want to thank the individuals I spoke with at the 11th ACS Control System Cyber Security Conference. The information and inspiration gained from the community involved was invaluable. I would also like to thank the Air Force's Undergraduate Cyberspace Training school at Keesler AFB, Mississippi, especially my mentors, Jeremy Sparks and Paul Brandau, for their continued work and acceptance that cyber security is not solely a military issue, but one that affects us all.
Duqu is primarily an information-gathering platform with strong ties to Stuxnet. It seems to target industrial manufacturers.