
DHS Chief: What We Learned From Stuxnet

CmdrTaco posted more than 2 years ago | from the can't-wait-for-finals-week dept.

Security 125

angry tapir writes "If there's a lesson to be learned from last year's Stuxnet worm, it's that the private sector needs to be able to respond quickly to cyber-emergencies (CT: Warning, site contains obnoxious interstitial ads. Blocker advised), according to the head of the US Department of Homeland Security. When Stuxnet hit, the US Department of Homeland Security was sent scrambling to analyze the threat. Systems had to be flown in from Germany to the federal government's Idaho National Laboratory. In short order the worm was decoded, but for some time, many companies that owned Siemens equipment were left wondering what, if any measures, they should take to protect themselves from the new worm."


125 comments

Umm (0)

Anonymous Coward | more than 2 years ago | (#35946454)

I smell something...

Re:Umm (0)

Anonymous Coward | more than 2 years ago | (#35947168)

No shit, Sherlock!

It's Microsoft, Watson. (1)

twitter (104583) | more than 2 years ago | (#35949520)

I wonder why Slashdot does not tag stories about Windows malware with "Windows". I know why ComputerWorld and other publishers that deal with WE and take Microsoft advertising money are cowed [techrights.org] and don't Call Out Windows [techrights.org]. Slashdot should be better than that.

#1 thing learned from Stuxnet... (1, Insightful)

mlts (1038732) | more than 2 years ago | (#35946482)

#1 thing learned from Stuxnet:

Air-gap your production SCADA/embedded stuff.

Re:#1 thing learned from Stuxnet... (4, Informative)

rlp (11898) | more than 2 years ago | (#35946508)

Air-gap your production SCADA/embedded stuff

Stuxnet was designed to use USB-flash drives as a transmission vector.

Re:#1 thing learned from Stuxnet... (4, Insightful)

Anonymous Coward | more than 2 years ago | (#35946536)

In other words: the real air gap you need to worry about is the one between your employees' ears.

Re:#1 thing learned from Stuxnet... (2)

Garth Smith (1720052) | more than 2 years ago | (#35947134)

In other words: the real air gap you need to worry about is the one between your employees' ears.

Fact: It is impossible to guarantee zero errors from employees. People make mistakes.

Re:#1 thing learned from Stuxnet... (1)

Runaway1956 (1322357) | more than 2 years ago | (#35950684)

Plugging a USB device into a machine that you're not supposed to plug it into is not a "mistake", it is vandalism, theft, or worse, industrial espionage. For that reason, USB should just be disabled on company computers, unless the USB is truly essential to its operation. And, I haven't seen a machine yet where USB was essential. Fingerprint scanner, maybe? Get a scanner that plugs into the serial port, FFS!

Re:#1 thing learned from Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#35950142)

Hindsight is always 20/20. Calling people stupid for failing to foresee something is rarely true, and even more rarely profitable.

Re:#1 thing learned from Stuxnet... (1)

dkf (304284) | more than 2 years ago | (#35950628)

Calling people stupid for failing to foresee something is rarely true, and even more rarely profitable.

But selling them shit because they're stupid and can't foresee something, that's very profitable. Just don't tell them they're stupid to their faces; spoils the sale.

Re:#1 thing learned from Stuxnet... (2)

vlm (69642) | more than 2 years ago | (#35946774)

Some hot glue in the USB holes works wonders on other "secure" systems.

Re:#1 thing learned from Stuxnet... (3, Funny)

ColdWetDog (752185) | more than 2 years ago | (#35946918)

Some hot glue in the USB holes works wonders on other "secure" systems.

Probably would work fairly well for the 'between-the-ears' airgap as well. Worth a try anyway.

Re:#1 thing learned from Stuxnet... (1)

russotto (537200) | more than 2 years ago | (#35948836)

Some hot glue in the USB holes works wonders on other "secure" systems.

And if your system relies on USB to talk to the devices it is supposed to be programming, that hot glue isn't so useful.

Re:#1 thing learned from Stuxnet... (1)

Runaway1956 (1322357) | more than 2 years ago | (#35950690)

Do you have such devices? I don't have any at my worksite. Everything is serial. Assuming you do communicate between devices via USB - how difficult would it be to use a serial?

Re:#1 thing learned from Stuxnet... (1)

Jeek Elemental (976426) | more than 2 years ago | (#35946904)

and delivered by people willing to give their life for it (which they likely did.)

Re:#1 thing learned from Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#35947630)

Not necessarily...consider that the target systems may have required or enabled the use of a USB key to transfer information across an air gap...and consider that any such key might have been infected unknown to the user, assuming the original infection may have come from for example, an SQL injection attack on a work computer that was also used to do such things as read Al Jazeera or other site, in addition to being used to consolidate data taken from the air-gapped boxes via the USB key.

Of course, on the other hand, many players in this game have been known to follow the old process of search for the guilty, punishment of the innocents, and promotion of the non-participants.

If "someone died and left me in charge" of making Stuxnet work in a so-called secure environment, and if I had an "asset" in place who was willing to plant the virus, I would want to do all that I could not to "burn" that asset, but rather would find some way to get the transmission to occur without traceability and/or responsibility for a supposed known intrusion.

Instead, I would use that asset to find out how the operation operates, and then develop an insertion method that left that person outside the circle of suspicion...maybe even plant the suspicion on a hostile target in the environment instead, e.g., because they were known to visit a site while at work that could have been compromised by a MITM attack.

Just because the government, for example, does stupid things does NOT mean that everything it does is stupid, and indeed, sometimes there is real brilliance buried within the layers of mediocrity.

But I doubt that the DHS was on the inside on this one. Sounds more like NSA, the Mossad, or even a false-flag effort by a supposed ally to discredit an enemy of that false flag.

But independent of the "fact" that "viruses are bad", this was apparently a fairly well planned and executed attack, regardless of whodunit.

Personally, I kind of hope "the (more or less) good guys" did figure this one out and make it pay off for some meaningful strategic aims.

But it is unlikely that we will ever find out the truth (just several alternate theories thereof, a la the JFK assassination). Still, it would likely match up with of the better movie versions of such espionage thrillers, I'd wager.

But turnabout is fair play. And there was a time when the ex- of a friend, who was Iranian, worked in a highly DC restaurant for years after he acquired or dropped out of a nuclear engineering program. Put two plus two together: the first black governor of Va, Doug Wilder, was once quoted as saying he learned how Va. politics worked by bussing tables in a Richmond restaurant while a college student.

I'm sure the government must have been checking the backgrounds of people working there (at the now defunct DC political hotspot), but there are days when it feels like all of DC is filled with spooks going spy vs. spy, a la the cartoonist Sergio Aragones (RIP), formerly of Mad Magazine.

As a final note, I would wager that autorun was not turned off on the targeted systems, and/or that it was controlled back on via another vector, before this was done. But I'll bet someone also closed that door after the horse got out of that barn. Comrade hero supreme protector of after the fact cleanup, no doubt.

Re:#1 thing learned from Stuxnet... (1)

gmhowell (26755) | more than 2 years ago | (#35948512)

Gonna need a citation for Sergio Aragones' death. Neither wikipedia nor his official page mention it. Maybe you mean Antonio Prohias, who both created Spy vs. Spy and is dead.

gmhowell, did you escape the loony bin again? (0)

Anonymous Coward | more than 2 years ago | (#35949132)

I live near this person gmhowell, and I think it's only fair that I warn you that he is a known psychotically dangerous schizophrenic. He recently escaped from a mental institution and was put there because he injured himself by masturbating non-stop for 3 days straight. He needs to take his meds, so please, would you all remind him of that? Thank you.

Re:#1 thing learned from Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#35947024)

Stuxnet was designed to use USB-flash drives as a transmission vector.

And relying on human stupidity as the delivery method.

Re:#1 thing learned from Stuxnet... (1)

baderman (1898604) | more than 2 years ago | (#35947226)

But keep in mind, that worm communicated with c&c servers after installation and was operated remotely.

Re:#1 thing learned from Stuxnet... (1)

wsxyz (543068) | more than 2 years ago | (#35947506)

But there was no requirement for direct access to the network. Worm instances on airgapped systems received updates & transmitted information via later worm instances brought via USB stick.

Re:#1 thing learned from Stuxnet... (1)

h4rr4r (612664) | more than 2 years ago | (#35947564)

If you are going to airgap, you must also disable the USB ports. Physically, not in software.

Re:#1 thing learned from Stuxnet... (1)

icebike (68054) | more than 2 years ago | (#35947944)

That's just ONE vector, not the only one.

Hot glue the USB ports, or disconnect them from the motherboard.
Your employees have no business sticking USB drives into process control computers.

The preponderance of USB-Only keyboard/mouse machines is a problem.

Re:#1 thing learned from Stuxnet... (1)

innocent_white_lamb (151825) | more than 2 years ago | (#35949080)

Your employees have no business sticking USB drives into process control computers.
 
Until the software, firmware, what-have-you needs to be updated or changed. "We now need to change the rotation speed from X to Y in sub-vector Z". Would you like to do that all by keyboarding each one of the 25,000 or so machines?

Re:#1 thing learned from Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#35946528)

Yeahhhh... WiFi for SCADA systems! Genius.

Re:#1 thing learned from Stuxnet... (1)

cusco (717999) | more than 2 years ago | (#35946730)

So how do you propose to transmit data from a power dam sensor across half a mile of water?

Re:#1 thing learned from Stuxnet... (1)

KUHurdler (584689) | more than 2 years ago | (#35946786)

You could build something across the water... like maybe, a dam. Then run fiber to it.

Re:#1 thing learned from Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#35946864)

if you don't want an unofficial dark government's worm, hire real people to manage resources manually.

Re:#1 thing learned from Stuxnet... (2)

vlm (69642) | more than 2 years ago | (#35946800)

So how do you propose to transmit data from a power dam sensor across half a mile of water?

Assuming "it" is not free floating, run a wire to it. Or, even better, a fiber. Alternately there are about one zillion non-WiFi non-LAN radio communications technologies that could transmit that telemetry.

Re:#1 thing learned from Stuxnet... (1)

cusco (717999) | more than 2 years ago | (#35947118)

I think the original poster was referring to transmitting data wirelessly in general. No, you're right, SCADA data does not belong on some brain-dead Cisco AP or some such. BTW, yes, it does float.

Re:#1 thing learned from Stuxnet... (1)

iamsolidsnk (862065) | more than 2 years ago | (#35946584)

# thing learned from Stuxnet:

The human IT factor will always be the weakest link in the computer system equation.

Re:#1 thing learned from Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#35948520)

Not necessarily true, some systems are insecure enough that the time delay involved in using the human link make it stronger than other links.

Re:#1 thing learned from Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#35946594)

The number one thing learned is that Israeli intelligence and probably their US counterparts can penetrate feeble cyber-security in Iran.

Yup, air-gap for important infrastructure (like centrifuges) is necessary if you have enemies.

Re:#1 thing learned from Stuxnet... (1)

thsths (31372) | more than 2 years ago | (#35946620)

That, and never assume that the payload is harmless. Just because you do not understand it does not mean it does not affect you.

So why did they have to analyse the code? It is a nice exercise, but for the threat assessment I think it is sufficient to state that the virus is uploading code to your SPS. It's like having an intruder on your premises - you do not need to understand his motives, but you do need to improve security.

Re:#1 thing learned from Stuxnet... (1)

evil_aaronm (671521) | more than 2 years ago | (#35947632)

Your point withstanding, from the summary, it said that people with Siemens equipment - disclaimer: I work for them, but not in that group - needed to know how they might be impacted. Yes, block the holes, but you also need to try to fathom how bad the damage is going to be. What are we looking at, here: harmless prank or full enterprise-wide melt-down?

Re:#1 thing learned from Stuxnet... (1)

Kennon (683628) | more than 2 years ago | (#35947062)

How to write better detection avoidance considering they wrote it.

Re:#1 thing learned from Stuxnet... (-1, Offtopic)

jiteo (964572) | more than 2 years ago | (#35947084)

Things Slashdot needs:

1. Mod points for me
2. A "-1 Ignorant" moderation

Re:#1 thing learned from Stuxnet... (3, Insightful)

thegarbz (1787294) | more than 2 years ago | (#35947924)

#1 thing I've learnt from Stuxnet: People who have no experience with SCADA equipment say "OMGZ TEH HAXORS, Airgap! Airgap! Airgap!", and somehow get modded insightful.

There is nothing insightful at all about taking the silly approach to simply cutting cables due to the fact that there may be someone out there with nefarious motives. It's right up there with OH&S departments saying people should wear gloves at all times in case of papercuts.

Any sizable SCADA system RELIES on network access. We're not talking about one small unit running one compressor, but the type of systems that run entire plants. They must be able to communicate with each other, they must be able to communicate with asset management systems, they must be able to communicate with process historians, (all these on a different network of course), these machines must be able to communicate with engineering departments at worst, and at best be accessible by knowledgeable experts in the industry from the other side of the world.

There are plenty of plants around the world which would turn into oversized holes in the ground if it weren't for the fact that realtime knowledge was accessible remotely. There are many companies which would have been sued out of existence if they put their hands on their hearts in front of congress and said, "Sorry we don't have any data on what has happened, our IT guys said we couldn't network our SCADA systems to the offsite historian, and it has all burnt in a fire".

Security is NOT an airgap. Security is a complete process, a company culture and something that needs to be designed into every aspect of network design. Limiting access both physical and remote, using a complex hierarchy of firewalls and one way communications, etc etc.

If you want a truly insightful post maybe read this one below [slashdot.org]. You may learn something.

Re:#1 thing learned from Stuxnet... (0)

Anonymous Coward | more than 2 years ago | (#35949598)

Yes, there are places that require remote monitoring to function. However, that is the exception, not the rule. There are a lot of SCADA networks which don't need to be on the Net whatsoever, but some PHB wants to look at some Excel chart of a valve over time, so it ends up online for anyone with nmap to find and play with. These dumb PHBs are lucky so far -- someone hasn't decided to maliciously trash embedded systems... yet.

There are ways to get data out of a truly sensitive network without giving an attacker a chance to get in. I designed one for a university which used two UNIX boxes (each on their private networks), a serial cable with one TX line cut, and custom utilities to write data from the serial port, and on the other end, read data. Obviously, this wasn't the fastest in bandwidth (the data was fairly low bandwidth), but an attacker who would manage to get root on the receiving box might be able to tamper with data coming across the line, but physically could not make the jump to the other side to affect data there.

I'm sure there are other ways to ensure that if boxes are compromised on one segment, the intrusion won't spread to the subnet with the juicy embedded toys. Of course, a good, hardened router is one way, but it would be nice to have defense in depth and not bet the farm on one piece of equipment.

Of course, there are places that need the remote monitoring capability. However, the mantra seems to be in business is "security has no ROI, so why bother?" Unless there is a need for this capability, it needs to be well thought out by people more security savvy than some hired "consultants" who also install car stereo equipment.
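The serial-cable data diode described in the post above has no return path, so the receiving side has to detect lost and corrupted data by itself. The following is an added example, not the poster's own utilities: sender-side framing and a receiver for a one-way byte stream, with assumed HDLC-style 0x7E flags, byte stuffing, CRC-32 and sequence numbers; the serial link is simulated in memory.

```python
import struct
import zlib

SOF = 0x7E   # frame flag (HDLC-style); also terminates the frame
ESC = 0x7D   # escape byte; the following byte is XORed with 0x20
HEADER = struct.Struct(">IH")  # sequence number (u32), payload length (u16)
CRC = struct.Struct(">I")


def _stuff(raw: bytes) -> bytes:
    """Byte-stuff so SOF/ESC never appear inside a frame body."""
    out = bytearray()
    for b in raw:
        if b in (SOF, ESC):
            out += bytes((ESC, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Sender: SOF | stuff(seq | len | payload | crc32) | SOF."""
    body = HEADER.pack(seq, len(payload)) + payload
    body += CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)
    return bytes((SOF,)) + _stuff(body) + bytes((SOF,))


class DiodeReceiver:
    """Receiver: resynchronises on SOF, checks CRC, counts gaps.

    `missing` counts sequence numbers never delivered intact. A corrupted
    frame's sequence number cannot be trusted, so it is counted in
    `corrupt` and also shows up as a gap in `missing`.
    """

    def __init__(self):
        self._buf = bytearray()
        self._esc = False
        self._in_frame = False
        self.expected_seq = None
        self.good = []       # accepted (seq, payload) pairs
        self.corrupt = 0
        self.missing = 0

    def feed(self, data: bytes):
        """Consume an arbitrary chunk of the byte stream (state persists)."""
        for b in data:
            if b == SOF:
                if self._in_frame and self._buf:
                    self._finish()
                self._in_frame = True
                self._buf.clear()
                self._esc = False
            elif not self._in_frame:
                continue   # line noise between frames is ignored
            elif b == ESC:
                self._esc = True
            else:
                if self._esc:
                    b ^= 0x20
                    self._esc = False
                self._buf.append(b)

    def _finish(self):
        body = bytes(self._buf)
        self._buf.clear()
        if len(body) < HEADER.size + CRC.size or self._esc:
            self.corrupt += 1
            return
        crc, = CRC.unpack(body[-CRC.size:])
        if zlib.crc32(body[:-CRC.size]) & 0xFFFFFFFF != crc:
            self.corrupt += 1
            return
        seq, length = HEADER.unpack_from(body)
        payload = body[HEADER.size:-CRC.size]
        if len(payload) != length:
            self.corrupt += 1
            return
        if self.expected_seq is not None and seq > self.expected_seq:
            self.missing += seq - self.expected_seq
        self.expected_seq = seq + 1
        self.good.append((seq, payload))


def simulate(messages, drop=(), corrupt=()):
    """Constructed one-way link: drop/corrupt some frames, feed the receiver."""
    stream = bytearray()
    for seq, msg in enumerate(messages):
        if seq in drop:
            continue
        frame = bytearray(encode_frame(seq, msg))
        if seq in corrupt:
            frame[1 + HEADER.size] ^= 0x01   # flip a bit in the first payload byte
        stream += frame
    rx = DiodeReceiver()
    for i in range(0, len(stream), 5):       # deliver in chunks, like a serial read loop
        rx.feed(bytes(stream[i:i + 5]))
    return rx


if __name__ == "__main__":
    r = simulate([b"pressure=101.3", b"valve=open", b"temp=77"], drop={1})
    print(r.good, "missing:", r.missing, "corrupt:", r.corrupt)
```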

We learned it was created by the CIA & Israel! (0)

Anonymous Coward | more than 2 years ago | (#35946570)

Confirmed: Stuxnet Was False Flag Launched by Israel and U.S.

http://www.infowars.com/confirmed-stuxnet-was-false-flag-launched-by-israel-and-u-s/

Kurt Nimmo
Infowars.com
January 16, 2011

On Saturday, the Gray Lady of establishment propaganda, the New York Times, passively admitted that the Stuxnet virus responsible for crippling Iran’s nuclear energy program was engineered by Israeli and U.S. intelligence.

“Officially, neither American nor Israeli officials will even utter the name of the malicious computer program, much less describe any role in designing it,” writes the Times. “But Israeli officials grin widely when asked about its effects.”

Re:We learned it was created by the CIA & Isra (0)

Anonymous Coward | more than 2 years ago | (#35946646)

someone just assaulted a program designed to bathe you, your family, and your entire nation in nuclear fire. Of course you're going to grin.

Re:We learned it was created by the CIA & Isra (1)

cusco (717999) | more than 2 years ago | (#35946778)

Don't know much about the Iranian nuclear power program, do you? Even though I grew up in northern Michigan it still amazes me how gleefully people suck down even the most blatant of propaganda and believe it like they had personally been handed engraved tablets by god.

Re:We learned it was created by the CIA & Isra (0)

Anonymous Coward | more than 2 years ago | (#35947026)

One of us is in the intelligence community. Is it you?

Re:We learned it was created by the CIA & Isra (0)

Anonymous Coward | more than 2 years ago | (#35947114)

Don't know much about the Iranian nuclear power program, do you? Even though I grew up in northern Michigan it still amazes me how gleefully people suck down even the most blatant of propaganda and believe it like they had personally been handed engraved tablets by god.

And you fell off the turnip truck just yesterday, too, from the looks of it.

Because I'm sure all the senior leadership of that Iranian nuclear program has gone out of their way to keep the oh-so-important smashed Michigan turnip up-to-date on the goals of their program. (That's YOU in case you don't get it - figured I'd have to spell that out since you don't seem to be the sharpest tool in the shed...)

Let's see:

1. Leader of nearby nation claims he wants to wipe you off the map - literally. And he has about a thousand years of religious history [wikipedia.org] behind him backing up that EXACT wording
2. Said leader's country maintains a proxy army right next door in a failed state. The publicly-stated goal of proxy army is to "wipe your country off the map" [wikipedia.org].
3. Said leader's country begins a secret nuclear program.

Nah, there's no reason why someone who's the target of being "wiped off the map" wouldn't be happy about that no-longer-secret nuclear program suffering a major setback. Not at all. :-P

Unless maybe you haven't even fallen off the turnip truck yet. Then maybe you'd think the Iranian nuclear program could never have any non-peaceful purposes.

And you probably think you're getting a pony for Christmas, too.

Re:We learned it was created by the CIA & Isra (1)

cusco (717999) | more than 2 years ago | (#35950304)

You do realize that "wipe off the map" is an English idiom, and that there is no equivalent in Farsi, don't you? That phrase was inserted by the Memri news service, a company founded by former intelligence officials (it's right on their web site) which "directly supports fighting the U.S. War on Terror," and which counts on its board and staff such lunatics as John Bolton, John Ashcroft, and Eliot Abrams.

Re:We learned it was created by the CIA & Isra (1)

acedotcom (998378) | more than 2 years ago | (#35946948)

wait...we needed a conspiracy nut to inform us that Stuxnet was written by the CIA??? I can't be the only one that figured it out a year ago. But really why is it a surprise. this is basic espionage.

if they can do it, they will do it (1)

kubitus (927806) | more than 2 years ago | (#35946598)

that is the lesson learned.

so:

1.) keep not only production but all but communication system from the Internet

2) do not allow removable media to the users, apply extreme caution to 'upgrades'

3) verify by viewing the source code ( or let it be done by 2 or more separate parties )

-

you have no source code? forget your IT security!!

Silly (0)

Anonymous Coward | more than 2 years ago | (#35946634)

US government responded quickly to the worm created by the US government...and then patted themselves on the back.

Just ask the guy across the hall (0)

Anonymous Coward | more than 2 years ago | (#35946662)

I'm amused to see reports of the DHS analyzing something that might have been constructed by the guy they were sharing a cafeteria with....

Written/Used by the US government, But a surprise? (0)

Anonymous Coward | more than 2 years ago | (#35946680)

I'm sorry what? All accounts suggest that the US and Israel jointly created and/or utilized Stuxnet to target Iran. There would be no reason for DHS to scramble to analyze it when the government itself created it! Unless of course one government agency is not talking to the other - Completely possible. I think this is misinformation from DHS.

Re:Written/Used by the US government, But a surpri (1)

badboy_tw2002 (524611) | more than 2 years ago | (#35946870)

If you want to keep your involvement a secret you need to react normally. Best way to do that is not tell the guys who react to this stuff (until they get too close, then you tell their boss's boss's boss's boss to put a cork in it.)

Re:Written/Used by the US government, But a surpri (2)

cavreader (1903280) | more than 2 years ago | (#35948614)

Where are the verifiable facts that support blaming the US or Israel? All I have heard are theories and suppositions but no supporting facts.

get out of the Administrators group (0)

Anonymous Coward | more than 2 years ago | (#35946700)

The lesson is: get yourself out of the Administrators group for day to day use, even in Windows 7.

Re:get out of the Administrators group (1)

dbIII (701233) | more than 2 years ago | (#35947188)

That's lesson one from about 1975. We have no excuse at all for this elevated privilege bullshit today.

Security 101 (5, Insightful)

bragr (1612015) | more than 2 years ago | (#35946736)

What they should have done:
1) anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot, or at least given a stern talking to. Autorun should be disabled
2) Any machines brought into from the outside (laptops etc) should be placed on a separate, untrusted network
3) Mission critical machines shouldn't be on a network. If that isn't possible, they should be on a separate network or vlan with only the machines they need to talk to, at the very least they shouldn't be able to access the internet
4) Always ensure that all security updates are applied promptly and all relevant hardening is performed
5) At the first sign of such a massive infection across multiple machines and devices, everything should have been taken offline, wiped, flashed, and reinstalled and brought up again on a known clean environment, with security procedures tightened.
6) If all of your machines are running version X of OS Y, they will all suffer from the same 0 day attacks. Diversity, where appropriate, is useful.

This may not have prevented an infection, but it would have definitely reduced its impact. I really question the competency of any IT person that had no idea what to do.

Re:Security 101 (2)

Relic of the Future (118669) | more than 2 years ago | (#35946954)

"anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot,"

And how do you propose that updates be made to the system? Code them whole-cloth from within the secured network? Without testing the changes on a test system?

Re:Security 101 (2)

HungryHobo (1314109) | more than 2 years ago | (#35947008)

without autorun.

hell if you really want to be paranoid set up as suggested above and make the important machines only run EXEs signed with a specific key and be damn careful with what you sign.

Re:Security 101 (0)

Anonymous Coward | more than 2 years ago | (#35947774)

And how does that protect against vulnerabilities like the LNK one? Or a more complicated one?
Fact of the matter is that once you have communication in any way or form between the two, if the attack is specifically targeted (as StuxNet was) it will probably be able to cross through.

Re:Security 101 (1)

bragr (1612015) | more than 2 years ago | (#35947198)

"anyone bringing in flashdrives from the outside and plugging them into mission critical should be taken out back and shot,"

Fixed

Re:Security 101 (1)

couchslug (175151) | more than 2 years ago | (#35947048)

"1) anyone bringing in flashdrives and plugging them into mission critical should be taken out back and shot,"

Iran is lucky enough to have that BOFH option.

Re:Security 101 (1)

cusco (717999) | more than 2 years ago | (#35947158)

A SCADA system **IS** a network, even if transmission is over power lines, POTS lines or microwave links. If you mean it shouldn't be on the organization's standard LAN then you'd be right, and in this case it wasn't. Only the terminally stupid connect SCADA networks to their corporate backbones, and most of those have been weeded out by now.

Re:Security 101 (1)

Platinumrat (1166135) | more than 2 years ago | (#35947484)

Well, items 1), 2) & 3) amount to the same thing with SCADA equipment. Btw: how do you do item 4) if you haven't got one of the 1st three. Now having worked with / as well as developed SCADA software, I can tell you that the number of "Security" patches can be, sometimes, overwhelming. So in effect, it's very easy to slip a trojan into a SCADA system.

As to looking at source code (as an earlier poster suggested): Good luck with that. 99.99% of SCADA systems are proprietary, closed sourced and encumbered with a massive amount of patents, so it ain't going to happen.

The other standard defence:- not running an account with Admin rights; won't work on most SCADA systems, as they are typically designed to require "Admin" rights just to run.

Security, is the last thing that the developers of these systems worry about. That will remain until a few more cases like this pop up, and they are forced by legislation to change their ways.

Re:Security 101 (2)

williamyf (227051) | more than 2 years ago | (#35947850)

Number 4 is not possible on SCADA machines like Stuxnet targets, or even on machines like an OSS system in a telco.

You see, these application makers do not regard the machines as an HP-UX box (or Solaris box, or Sinix box or Windows box) running some software, but as, let's say, an NMS-2000, which, by pure random luck, "happens" to be implemented on HP-UX.

Therefore, you are not allowed to install the latest patches from HP until the application provider (Nokia, in the case of the NMS-2000; Siemens, in the case of Switch Commander and Radio Commander, SCADA, or IN) tested said patches, otherwise, you would not get any software support whatsoever...

At some times we had delays of between 6 months to 1 year on the security patches. We (and I mean we operators all over the planet) had to push to get 'em security patches tested and delivered...

The situation has improved A LOT lately, but still, the application provider will have a gap while testing the OS patches for compatibility with the application...

How do I know? I was sysadmin to NMS-2000, NMS10, Nokia IN, Siemens IN, OMC-S, OMC-B, Netviwer, and Siemens IN, way back at the turn of the millennium (99-02), and still have enough contacts to know how things are going nowadays.

Re:Security 101 (0)

Anonymous Coward | more than 2 years ago | (#35948372)

Clearly you have no idea what Stuxnet is, or how it operated. I'll address your points individually.

1.) Agreed. Plugging in a USB device to mission-critical equipment that has: (a) ever been outside the facility, (b) ever been connected to an internet-connected device -- is asinine, and the person should be fired.
2.) Machines should not be brought in from outside. Nobody needs access to their home videos at the nuclear enrichment plant. Nobody needs nuclear enrichment plant information at home. Period.
3.) Note that the compromised network was airgapped, i.e., no possible internet connection (ever). Mission critical information often must be on *some* network, particularly since SCADA equipment must talk to each other. With respect to the Windows desktops that were connected, they were used for monitoring the SCADA equipment, and must be able to communicate with it to perform monitoring. The Windows desktops, and a 0-day exploit with USB-mounted devices was the issue. Disabling auto-run with policy settings would not have prevented this attack, per Microsoft. The vulnerability was through a specially-crafted shortcut and icon file [1].
4.) There were multiple 0day exploits, in addition to correctly-signed driver modules. System updates were entirely irrelevant in this scenario.
5.) There was no sign of a massive infection across multiple machines and devices. Stuxnet had highly advanced rootkit behavior, and was not detected by commercial antivirus. Nobody noticed it until a security researcher happened to pick up a sample, and it made the news.
6.) Diversity is useful... sometimes. It also leads to more facets that one must secure. More configurations to be verified, etc. Homogeneity is extremely useful when you want to lock things down as much as humanly possible. Should Iran have been running some form of Linux with SELinux extensions configured and enabled? Yes. Does Siemens make SCADA control software for such a Linux environment? No.

1: http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx

Re:Security 101 (1)

bragr (1612015) | more than 2 years ago | (#35949058)

Clearly you do not know Stuxnet nearly as well as you think you do. I'll address your mistakes individually.

1) No contention

2) No contention

3) The Iranian network was airgapped as far as we know, however that is not the only vector that Stuxnet uses. Stuxnet can spread quite rapidly through Windows networks, thus leading to more machines that could potentially infect flash drives that would later be used in critical machines. It also makes the task of cleaning a facility much more difficult because any missed machine could potentially reinfect the entire facility. Additionally, Stuxnet contains code to contact control servers in order to report information and update the software, allowing updated and more virulent versions to propagate quickly, further worsening the problem.

4) While being up to date would not have prevented the initial spread of the worm, after the exploits were identified patches were released fixing those issues. Patches for Windows have been around for 9 months. If everyone affected had applied those patches as quickly as reasonable, the infection rate would have significantly decreased.

5) I never claimed that everyone noticed all at once, I'm just saying what should have happened at the first sign (which in this case is the security researcher making a big deal about it)

6) I never claimed that it was a good idea to have a veritable buffet of OS's and versions, it's a huge pain in the ass. But let's say that they deployed Windows and RHEL on servers and workstations, where appropriate. The Linux boxes could have acted as a moderator for the spread of the worm. And, despite the large amount of work that comes with deploying a new OS, the long term added work of managing 2 OS, when both are standardized

As I said before, none of these steps (except perhaps the flash drives) would have stopped the worm, I am merely suggesting that the statement "many companies that owned Siemens equipment were left wondering what, if any measures, they should take to protect themselves from the new worm" is quite stupid since good IT practices would have greatly reduced and restricted the impact and spread of the worm, and it's clear that among those most affected, some or all of them were not followed.

Re:Security 101 (1)

laddiebuck (868690) | more than 2 years ago | (#35950336)

It's never one IT person, especially for such a massive outbreak or such an important site. Any actual boots-on-the-ground guy could have done what you said, but getting a whole org to do things is just a hair short of infinitely harder.

Watch this awesome TED talk "Cracking Stuxnet" (2)

Portal1 (223010) | more than 2 years ago | (#35946754)

Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon
http://www.ted.com/ [ted.com] When first discovered in 2010, the Stuxnet computer

http://www.youtube.com/watch?v=CS01Hmjv1pQ [youtube.com]

In short he shows/claims US was behind it.

Re:Watch this awesome TED talk "Cracking Stuxnet" (0)

Anonymous Coward | more than 2 years ago | (#35947036)

Ummm, we already knew that the US and Israel were behind it, what's your point?

Re:Watch this awesome TED talk "Cracking Stuxnet" (0)

Anonymous Coward | more than 2 years ago | (#35948998)

I have never seen/read a more terrifying take on Stuxnet than what I just saw.

The thing that bothers me most regarding Stuxnet is how generic and easily modifiable it apparently is, and after he points this out, he then goes on to vocalize my fear - that it could easily come back to bite us. He speaks of power plants and automobile plants, but SCADA/PLCs are everywhere. Having worked for a small water treatment company that had clients in everything from energy production to drug manufacturing (our largest client-base), I can't even begin to describe the amount of havoc something like this has the potential to cause.

True enough, many of these PLCs are on systems that are not accessible from the big bad internet, or even on the local network. Most of our systems were maintained by us and when, I don't know, de-ionizers needed to be recharged it would simply dial out via modem and we would get a pre-recorded message letting us know that "Site X building X water resistivity is down to 10 Megohms" (thus the de-ionizers need to be re-charged). This system is safe right? Wrong.

The problem exists all along the chain. Let's say a new version popped up 6 months ago, the machine used to program the PLC was infected, no one has seen it yet - no warnings yet - and even if there were, the guy programming the thing for some small third-party contractor has no idea, he doesn't do IT. In fact, there is no IT department for his company. The completely non-networked systems that he built last year would be fine, but what about the one he installed last month? Or, if it goes undetected long enough, what about the one he's going to install in another 6 months?

What if, all of a sudden, the clock strikes 10am on a Monday in March five years from now and every Allen-Bradley PLC installed in the past 5 years suddenly goes rogue? OK, fine, let's say half of the Allen-Bradley PLCs installed. OK, fine, say one-quarter.

No matter how you look at this thing, it's bad. Really bad. And we (the US) wrote it. And we (the US) put it out in the wild.

What they learned... (0)

Anonymous Coward | more than 2 years ago | (#35946808)

One department rubbing a lamp doesn't mean another can control what comes out.

Inter-department communications (0)

Anonymous Coward | more than 2 years ago | (#35946922)

Maybe the branch that created the malware and sent it to Iran should fill the DHS in on a few things...

farther reaching problems (0)

Anonymous Coward | more than 2 years ago | (#35946956)

Not to get conspiratorial, but I read in a few places that the Fukushima Daiichi plant was infected by Stuxnet, which is part of the reason why they had such difficulty getting it back together.

Re:farther reaching problems (0)

Anonymous Coward | more than 2 years ago | (#35947726)

Please, let us know how this virus operated without any hardware or source of electricity. Or alternately, get your head out of your ass.

Steps to responding quickly (1)

bl8n8r (649187) | more than 2 years ago | (#35946976)

1) Warn Boss of vulnerabilities
2) Boss asks for time/cost estimate to fix
2a) Boss brings estimate to talking-head meeting
2b) people protest about their job process changing
3) estimate sits on Boss's desk for 3 months
4) Boss golfs with his sis's brother-in-law and they talk security
5) Boss comes to work next day, calls meeting about security
6) You remind him of estimate on desk for 3 months
7) meeting devolves into yucks about golfing/hangover
8) Boss calls you into office after meeting
9) Asks you to pick two of the "hottest" security bullets in your list
10) time/cost gets approved for two of the 10 security items
11) system eventually gets compromised
12) everyone runs amok, asks how is this possible
13) Boss approves 8 remaining security bullets
14) Goto 1

Glad I don't do security anymore.

Re:Steps to responding quickly (1)

bragr (1612015) | more than 2 years ago | (#35947274)

Clearly you need to brush up on some BOFH-style Boss/Employee diplomacy.

Another thing Learned... (1)

StickyWidget (741415) | more than 2 years ago | (#35947042)

...is that guys at Langner Communications have seriously the best control system security chops out there.

~Sticky
/My opinions are my own.

What I learned from stuxnet (0)

Anonymous Coward | more than 2 years ago | (#35947092)

Don't try and make weapons-grade fissile material without the blessing of the USA?

Not what I thought... (1)

scorp1us (235526) | more than 2 years ago | (#35947102)

I thought they would have learned that with enough private sector forensics, everything gets traced back to them? Didn't DHS in Conjunction with Siemens and Israel write this?

Re:Not what I thought... (1)

Relayman (1068986) | more than 2 years ago | (#35949048)

Sorry, wrong federal agency. I doubt DHS had anything to do with it except to shit themselves when they found out how vulnerable U.S. infrastructure is.

Re:Not what I thought... (0)

Anonymous Coward | more than 2 years ago | (#35950450)

Probably USCYBERCOM.

Still a serious WTF that the Army and civilian law enforcement didn't communicate about this.

Or Napolitano's trying to play both sides.

quick solution for affected controller users (1)

nimbius (983462) | more than 2 years ago | (#35947234)

step 1: Log into your SCADA environment and observe controllers accordingly

step 2: issue commands to check if you are an active ally of the United States government with regular trade and economic ties and no dissenting opinion of its policy?

step 3: log out of your SCADA environment, sigh despondently as you lift your hands from the Dell keyboard, pick something off the value menu at McDonalds for lunch today.

"...left wondering..." (1)

swb (14022) | more than 2 years ago | (#35947240)

"...but for some time, many companies that owned Siemens equipment were left wondering what, if any measures, they should take to protect themselves from the new worm."

The implication of this statement is that DHS didn't have an immediate answer (outside of pedantic default answers like "unplug your equipment" or "reload software" or anything else from answers.com).

Gee, let's see -- a new worm never seen before, apparently written by a sophisticated group from the intelligence community and someone's actually surprised that there was no immediate 5 step fix or concrete and specific guidance?

I *know* the Intraweb age has increased everyone's sense of entitlement and expectation of an easy fix on the first Google search page, but instead of trying to blame someone else for not being able to tell you what to do, completely, comprehensively and correctly, NOW, maybe these companies could have taken CEO bonus dollars and done their own research.

Wait a Moment (1)

Nom du Keyboard (633989) | more than 2 years ago | (#35947292)

According to Iran, who is never wrong about these things as they will tell you themselves, We wrote this virus in collusion with the Zionist enemy. So why are we having to now go to all of this trouble to decode it?

Re:Wait a Moment (0)

Anonymous Coward | more than 2 years ago | (#35947570)

It's not Iran that's primarily making this claim. The claim comes from some of the people who have studied Stuxnet the most. Scroll down for some links.

Re:Wait a Moment (0)

Anonymous Coward | more than 2 years ago | (#35948772)

Plausible Deniability. And no I don't have any sympathies for Iran.

What We Learned From Stuxnet (1)

Kernel Kurtz (182424) | more than 2 years ago | (#35947318)

is that like with the events leading up to 9/11, various government entities still don't share information with other ones.

Until they fix that (isn't that what DHS was supposed to be for?) Iran is the least of their problems.

Re:What We Learned From Stuxnet (0)

Anonymous Coward | more than 2 years ago | (#35949988)

They DO share information, but it is via USB memory sticks...

Analyze? (0)

Anonymous Coward | more than 2 years ago | (#35947478)

Analyze? Some say they scrambled for creating it.

What We Know (0)

Anonymous Coward | more than 2 years ago | (#35949544)

The U.S.A. Government IS untrustworthy. Period!

DHS, how appalling. Such a wretched motley crew of misfits and anthro

FBI ... what a laugh. 30 years ago, under a "FORCED" technology upgrade program.

The Executive Office of the President of the United States of America. What a laughing stock! If Obama were a hermaphrodite, that would explain all of the disinformation.

Without Gitmo, Obama does not have a reason, nor rationale to exist.

That is Obama's horror? Kill Gitmo, and Kill ....

You read it here first ... FBI!

Kill me? ....

that doesn't make any sense (1)

kaplong! (688851) | more than 2 years ago | (#35949552)

Last I checked DHS are part of the US government. So all they needed to find out about Stuxnet was to talk to their Federales buddies who helped create it.

INL sure was fast (1)

nonsequitor (893813) | more than 2 years ago | (#35949950)

The way I hear it, Idaho National Labs was able to quickly decode the worm since it was likely a weaponized exploit from a report they wrote. I'm betting when DHS got them involved, it was not their first time seeing this equipment as they audit our infrastructure all the time.

Re:INL sure was fast (1)

nonsequitor (893813) | more than 2 years ago | (#35949970)

Not that they would have known they were involved, since it would have been redacted from their report if DoE decided to pocket the exploit.
