Post-Stuxnet Industrial Security: How to Detect Industrial Malware on Day Zero

Overview:

Preventing the next Stuxnet-like attack on the control world might be impossible, but operators can mitigate the effects and contain worms and viruses through early detection.

Key concepts:

  • Although the Stuxnet worm has received a great deal of media attention, the greater threat to most control systems is that copycats could use Stuxnet as a blueprint for future attacks.
  • An ideal network security appliance with both preventive and diagnostic functions can boost security against Stuxnet-like attacks and reduce their associated risks.
  • While such a device will not completely prevent malware infections, fast and reliable discovery of such infections is a key aspect of protection.

Introduction

Following its discovery in June 2010, the Stuxnet worm caused a worldwide sensation. It is the first publicly known rootkit attack targeted at industrial plants. It has infected tens of thousands of PCs, and abused and manipulated automation software running on Windows operating systems. Its ultimate purpose: to infiltrate malicious code into the controllers of specific real-world industrial installations.

Experts have long warned that malware and insufficient IT security pose a threat to automation networks, but Stuxnet offers concrete proof that these threats can no longer be ignored. The actual hazard, however, no longer originates from Stuxnet itself, but rather comes from mutations that copycats can now create with the same basic techniques. And while Stuxnet focused on products from the Siemens SIMATIC family and on STEP 7 PLC projects with very specific properties, such mutations could affect components from other vendors as well, ultimately producing malware that is far less selective in the damage it causes.

Apart from the fact that industrial PCs are often not (and cannot be) equipped with antivirus software, Stuxnet has also made clear that conventional virus scanners do not provide protection against attacks of this caliber. The analysis of Stuxnet has shown that the worm had been in the wild unnoticed for at least 12 months before its discovery. Because Stuxnet did not match any known malware signatures, existing antivirus programs did not detect it during that time.

Author: Phoenix Contact | File Type: PDF
