CG1010_StunextCyber
CG1010_StunextCyber
CG1010_StunextCyber
CG1010_StunextCyber
CG1010_StunextCyber

Anti-Stuxnet-and Other Cyber Nasties-Tools

Oct. 22, 2010
Malware Attacks the Control System, It Can Insert Itself Into the Internal Communications to the PLC, Passing Itself as a PLC Device

By Nick Denbow, Industrial Automation Insider

Anti-Stuxnet-and Other Cyber Nasties-Tools

After the Stuxnet worm, all industrial control systems, PLCs and RTUs with embedded systems now have to be regarded as at risk. So says Walt Sikora, vice president of security solutions at Industrial Defender, Inc. (ID). He adds, "This is a very sophisticated, very scary piece of malware."

In his webcast, first presented on 19 August, Sikora explains that the malware attacks the control system, and can insert itself into the internal communications to the PLC, being dubbed the first rootkit for a PLC device. While the Siemens PCS7 is the target in this instance, the Stuxnet worm is not the result of a bored schoolboy prankster. It is being described as a sophisticated cyber-war weapon, with a payload targeted at a specific industrial control system. The conclusion is that control systems are to be the targets for future worms: despite any future fast response from Microsoft, Siemens and AV suppliers, their actions can only slam doors shut after an attack has been successful. 

So What’s a Process Automation Company to Do?

For one thing, look to vendors to be coming out with more sophisticated security packages. 

In the ID webcast Sikora continues with a demonstration of the Stuxnet, and then goes on to show that the new Industrial Defender HIPS (Host Intrusion Prevention System) would stop the Stuxnet worm penetrating a protected system. HIPS is therefore offered as a valid method for in-depth protection of industrial control systems against such malware. This is a part of the Defense in Depth strategy promoted by Industrial Defender. HIPS only allows good executables, from a "whitelist" of programs allowed to run. It uses intrusion prevention and access management and has no regular scanning issues, such as the scans used by AV software that tie up a computer or system for extended timescales. Sikora claims that HIPS would have prevented the Stuxnet worm accessing the known infected control systems. 

Industrial Defender has also announced Compliance Manager, a security process automation and information management system that enables control system managers in the utility, chemical, oil, gas, water and transportation industries to cost-effectively implement and sustain best practices that assure system security, availability and compliance to corporate and industry security standards.

" ,Utilities are being overwhelmed by the amount of information, events and tasks that they need to manage as they continue to enhance their critical system security processes," said Brian M. Ahern, president and CEO of Industrial Defender. "Industrial Defender's Compliance Manager automates data collection and analysis tasks that would otherwise require extensive manual operations, while providing the tools needed to improve system integrity and meet the extensive compliance auditing requirements of NERC CIP cyber security standards."

Compliance Manager and the associated Industrial Defender sensor and collector technologies are specifically built to operate with both mission-critical automation systems (e.g., SCADA, EMS/DMS, DCS/PCS) and industrial end-point devices without impacting system performance and availability. It automates the collection, retention, analysis and reporting of a comprehensive set of system and security management information. It consolidates and analyzes device inventories, event logs, system configurations, software/patch status and user accounts, as well as archives of log and configuration files for automation control applications, operating systems, firewalls, network devices and end-point industrial devices.