SCADA-targeted malware was inevitable and, even though it took this long to happen, I suspect we haven’t seen the last of it. There’s a forest and trees lesson here that I hope we learn from this. Before we get too carried away with a specific vulnerability and start throwing stones at software vendors, let’s not forget the importance and value of basic, layered security controls.
The Stuxnet malware was active for at least a month and spread around the world before it was identified and recognized. To Dale’s point, what else is out there that we don’t know about yet? And if you can’t prevent an attack, how can you limit the damage through effective security controls? Here are a few random thoughts:
Egress filtering. Most control system networks have room for improvement on this and I still find myself explaining why it is important. This is one area where control systems have more ability to be restrictive than enterprise networks. Take advantage of it.
Default accounts and passwords. Your control system application has them. I would just start with that assumption and plan accordingly. If you can change them, great. If not, implement mitigating controls like IP-based restrictions and then monitor where possible. Don’t forget about supporting applications like database servers. If you’re buying a new system, make sure you address default accounts and passwords in the requirements and verify at FAT and SAT (factory and site acceptance testing).
Host hardening. You had to know I’d mention this one. Obviously it doesn’t always prevent a 0day exploit, but it may limit the damage or effectiveness. Case in point: Microsoft’s Security Advisory for Stuxnet lists disabling the WebClient service as a means to block a likely remote attack vector (WebDAV) for this malware. Many of our Bandolier Security Audit Files verify that the WebClient service is disabled for control system application components running on Windows.
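As an added example (my own illustration, not a Bandolier audit file and not code from the original post), here is a PowerShell check that covers the two points above on a single Windows host: whether the WebClient service is disabled, as the Microsoft advisory recommends, and whether any local account from a list of vendor-default names exists and is still enabled. The account names are placeholders to be replaced with the ones in your vendor’s documentation, and the check covers local Windows accounts only; accounts held inside the application or its database server need the vendor’s own tooling.

```powershell
# Added example: audit two of the host controls discussed above.
# Assumptions: Windows with PowerShell 5.1 or later (Get-LocalUser comes from the
# Microsoft.PowerShell.LocalAccounts module) and local administrator rights.

# Placeholder vendor-default account names (constructed); substitute the names
# documented for your control system application and its database server.
$DefaultAccountNames = @('vendor_default_admin', 'vendor_default_db')

function Test-WebClientDisabled {
    # The WebDAV client (WebClient service) is the remote vector the advisory
    # recommends closing. Disabled start mode and a stopped state both count.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) {
        return [pscustomobject]@{ Check = 'WebClient'; Pass = $true; Detail = 'Service not installed' }
    }
    $pass = ($svc.StartMode -eq 'Disabled') -and ($svc.State -ne 'Running')
    return [pscustomobject]@{
        Check  = 'WebClient'
        Pass   = $pass
        Detail = "StartMode=$($svc.StartMode) State=$($svc.State)"
    }
}

function Test-DefaultAccounts {
    param([string[]]$Names)
    $local = Get-LocalUser
    foreach ($name in $Names) {
        $acct = $local | Where-Object { $_.Name -ieq $name }
        if ($null -eq $acct) {
            [pscustomobject]@{ Check = "Account:$name"; Pass = $true; Detail = 'Not present' }
        } else {
            # An enabled vendor-default account is the finding; a disabled one
            # passes, but still confirm the application does not depend on it.
            [pscustomobject]@{
                Check  = "Account:$name"
                Pass   = (-not $acct.Enabled)
                Detail = "Enabled=$($acct.Enabled) LastLogon=$($acct.LastLogon)"
            }
        }
    }
}

$results = @(Test-WebClientDisabled) + @(Test-DefaultAccounts -Names $DefaultAccountNames)
$results | Format-Table Check, Pass, Detail -AutoSize
# Non-zero exit lets a scheduler or configuration-management job flag the host.
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```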
Application whitelisting. Yes, I’m still a fan. CoreTrace, maker of the Bouncer application, has a blog post related to Stuxnet. They continue to make inroads into the control system world. I know it’s not a cure-all, but what else has as much promise of preventing 0day threats? Traditional AV obviously doesn’t.
I realize that I’m lumping vulnerability, exploit, and payload into one issue here and only hitting a few possible controls, but I think the point is valid: basic layered defense is still important, and we can do better at it in the control system space. Let’s let the Stuxnet/WinCC malware be a reminder and a call to action.