2011-01-12

Review: Tofinosecurity.com’s Stuxnet Central

(This article was originally published on the Findings From the Field blog.)

The Byres Security Tofinosecurity.com site has a useful page called Stuxnet Central. Some of the materials on the page require that you become a member of the site to access them, but once you have a password, you have access to everything. On Stuxnet Central, Tofinosecurity.com has links to all of their own Stuxnet materials, including a handy list of links to all of the Stuxnet-related Practical SCADA Security blog entries. There are also links to a nice cross-section of external resources, everything from Microsoft's vulnerability reports, to representative articles from the popular press, to detailed technical discussions of the worm. If you are coming up to speed on Stuxnet, or if you have been following along and want to know there is nothing you missed, I can recommend Tofino's Stuxnet Central. If you've never looked through the page in detail, there are a couple of interesting surprises...

Pleasant Surprises

The non-surprise on the page is of course the Eric Byres/Scott Howard whitepaper "Analysis of the Siemens WinCC / PCS7 “Stuxnet” Malware for Industrial Control System Professionals." It is a good paper but was no surprise because I saw it long ago and it received a fair bit of press when it was published. The two pleasant surprises are application notes: "Stuxnet Mitigation Matrix" and "Using Tofino™ to Control the Spread of Stuxnet Malware."

The "Stuxnet Mitigation Matrix" app note is a short 2-page chart that really helps make sense of different aspects of the Stuxnet worm and recommended protections. The worm has been described by forensics experts as the most complex and sophisticated they have ever seen. There are literally dozens of important things to know about the worm, and almost as many different things that various authorities have recommended people do to protect themselves against compromise. The matrix focuses on Windows operating systems and for each of nine major variants, explains which mitigations will and will not work for that variant. It is a very useful piece of work, compressing all of that knowledge into two simple pages.

The "Using Tofino™ to Control the Spread of Stuxnet Malware" app note is a concise six pages that explains how to configure the Tofino Industrial Security Solution for maximum effect against threats like the Stuxnet worm. Now, you might think the note has limited value if you have deployed other kinds of network protections, but not so. Most of the note's content talks about firewall functionality which is available on any firewall. So the app note is a handy, detailed walk-through of how to configure one vendor's firewall for Stuxnet and similar threats. The exception to this rule is of course where the note starts discussing how to configure Tofino's NETBIOS filtering and OPC Enforcer capabilities. The ability to restrict RPC traffic to specific Windows services, and the ability to track OPC dynamic port assignments is not a feature of most firewalls, but is interesting none the less. For added credibility points, the note not only tells you how to configure the devices, it also explains how to test them, and includes the (repeated) obligatory warnings to confirm the proposed security measures with your vendor and test them in a context where there is no risk of production outages.

Looking Forward

Much has been said about "advanced persistent threats" in the last two years. The threats are not specific malware, but rather the organizations behind the malware. The key characteristic of advanced threats is their focus on specific objectives, rather than targets of opportunity. Advanced threats know what they are after - military secrets, diplomatic intelligence, product and process designs, source code, or sabotage - and they continue their attacks until their objectives are achieved.

Over the years, there have been reports of advanced threats targeting industrial control systems, for example recent comments by the CEO of the U.S. Cyber Consequences Unit. However, details of those attacks have never been made public. The Stuxnet worm is the first well-documented example of an advanced attack targeted specifically at industrial control systems. This makes at least a high-level understanding of the worm a required skill for anyone working to secure critical production facilities.

The consensus among security analysts is that advanced threats will continue to target industrial control systems. The Tofinosecurity.com Stuxnet Central page is a great place to learn more about the first well-documented advanced threat to control systems.

No comments:

Post a Comment