Symantec Dossier Updated: v1.4

(This article was originally published on the Findings From the Field blog.)

A week ago, Symantec released the third update to their Stuxnet Dossier, adding sections on chains of infection and on the 417 PLC exploits. The new information is interesting because it suggests new things about the target site and how it was initially infected. Ralph Langner's team has also investigated the S7-417 code and disagrees with Symantec in a number of ways.


How Stuxnet Spreads

Eric Byres, Joel Langill and I have just released a new whitepaper: How Stuxnet Spreads - A Study of Infection Paths in Best Practice Systems. The paper details how the worm moves through what appear to be well-protected enterprise, plant and control system networks and firewalls on the way to its objective - the PLCs controlling the physical process. Existing best-practice security measures are shown to be insufficient to the task of deflecting attacks as sophisticated as this one.


McAfee Documents “Night Dragon” APT

(This article was originally published on the Findings From the Field blog.)

McAfee has released a report describing a new Advanced Persistent Threat they dubbed "Night Dragon." As with Stuxnet, the attackers took remote control of the assets they compromised; unlike Stuxnet, the motive was not sabotage but the theft of competitive intelligence. What is distressing is the gap between the adversary's capability and its tooling: these attackers took over control system assets and energy-industry infrastructure using fairly unsophisticated, commodity "remote administration" toolkits, not custom malware.


Still No Report on Fly-Away Teams

(This article was originally published on the Findings From the Field blog.)

The ICS-CERT has released a 7-page 2010 Year in Review summary. Prominent industrial security commentators Dale Peterson, PJ Coyle and Joel Langill have each posted on the summary, with Joel posting a mostly-positive review, and Dale and PJ indicating that the Stuxnet "lessons learned" section is very much lacking those important lessons the ICS-CERT should itself have learned about its own response to the worm. My own opinion of the report reflects my desire for better indications of progress in the field of ICS security. Reading between the lines of the "lessons learned" by the fly-away teams is suggestive, but such speculation should not be necessary.


Compliance Managers Support Forensics

(This article was originally published on the Findings From the Field blog.)

One aspect of forensics practice that is regularly mentioned but rarely described in any detail is configuration management. All of the references in last week's post Security Basics: Control System Forensics recommend documenting the security configuration and other aspects of important hosts, so that when there is an incident you can compare the state of a potentially compromised host to the approved configuration for that host. However, none of the references describes how to record or manage such "approved configuration" information, or how the comparison is actually performed.
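The comparison the references recommend needs two things: a recorded baseline of the approved configuration, and a way to diff a later snapshot against it. The following script is an added example (not from the post or any of the references it cites) of the minimum such a record could contain: for every file under a configuration tree, a SHA-256 of its contents and its permission bits, stored as JSON. The file tree, the "tampering" and the cron entry it detects are all constructed inside the script so that it runs offline.

```python
"""Record an approved-configuration baseline for a host and compare a later
snapshot against it. Added example; the configuration tree and the simulated
tampering are constructed in demo() and are not from any real host."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Walk root and record, for each regular file, a SHA-256 of its contents
    and its mode string (e.g. '-rw-r--r--'). Paths are stored relative to
    root with POSIX separators so a baseline can be kept off-host and reused."""
    entries = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.lstat()
        entries[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.filemode(st.st_mode),
        }
    return entries


def save_baseline(entries: dict, out: Path) -> None:
    """Persist the approved configuration. sort_keys gives a stable file that
    diffs cleanly and can itself be version-controlled or signed."""
    out.write_text(json.dumps(entries, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return files that appeared, disappeared, or changed content/mode
    relative to the approved baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a small constructed 'etc' tree, record its baseline, then simulate
    an intrusion and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated tampering: weakened SSH setting, deleted file, new cron job.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "hosts").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical caveats. The baseline is only as trustworthy as its storage: keep it off the host it describes (or at least sign it), otherwise an intruder who can alter the configuration can alter the record of the approved configuration too. And a file-level hash tells you that something changed, not what; retain the baseline copy of each file (or keep it in version control) so the investigator can see the actual difference, such as the PermitRootLogin change above.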