SCADA and Zotob Worm
Now that the dust has settled a bit, a few comments on the worm and how it impacts SCADA.
1) The time between the vulnerability being made public and an exploit appearing was five days. Even if a patch is available on the day the vulnerability is released, it is difficult for a SCADA vendor to run regression tests in that time period to prove or disprove that the patch will impact the application. The asset owner then needs additional time to test in the lab. So we are looking at some amount of time when an exploit is available and the SCADA servers are vulnerable.
There have been a number of loose articles blaming system administrators for not patching systems on a timely basis. This is fine if you are in an environment where you can patch and see if anything breaks, but patching within days is not practical for SCADA systems or any mission critical network. We work with some non-SCADA clients who have mission critical e-commerce networks. Their maintenance window is something like 3:30AM to 4:00AM every other Sunday.
It seems like the buck is being passed from the culprit that caused the problem to the end user.
2) This is another example of the importance of detection. Even if a patch was available, there would have been a period of time during testing when the SCADA network would have had unpatched, vulnerable servers. Adding Zotob detection signatures to the IDS sensor would have at least identified when the worm was introduced to the SCADA network, via a consultant laptop, support vendor, or other means. Adding signatures is easy.
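As an added illustration of the detection point above (example code, not from the original post or Digital Bond): a small sweep detector run over constructed connection-log lines, flagging any source that reaches many distinct hosts on TCP/445 in a short window. The log format, addresses and thresholds are assumptions; port 445 is the SMB port Zotob used to exploit the MS05-039 Plug and Play flaw, a detail not stated on the page.

```python
import re
from collections import defaultdict

# Assumed connection-log format (constructed for this example):
#   "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LOG_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\w+)$")

def parse(line):
    """Parse one log line; return None for anything that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return int(ts), src, dst, int(port), proto.upper()

def detect_scanners(lines, port=445, window=60, threshold=10):
    """Return {src: max_distinct_dsts} for sources that touch at least
    `threshold` distinct hosts on `port` within any `window` seconds.
    Repeated traffic to one host (a normal file share) does not count."""
    events = defaultdict(list)          # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                     # skip unparsable lines
        ts, src, dst, dport, proto = rec
        if proto == "TCP" and dport == port:
            events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):       # sliding time window [lo, hi]
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({d for _, d in evs[lo:hi + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

T0 = 1124600000  # constructed timestamp base (August 2005)
SAMPLE_LOG = (
    [f"{T0 + i*2} 10.1.5.77 -> 10.1.5.{100+i}:445 tcp" for i in range(12)]  # laptop sweeping subnet
    + [f"{T0 + i*5} 10.1.5.10 -> 10.1.5.20:445 tcp" for i in range(15)]     # HMI -> one historian share
    + [f"{T0 + i*3} 10.1.5.30 -> 10.1.5.{40+i}:445 tcp" for i in range(3)]  # engineering workstation, 3 hosts
    + [f"{T0 + i} 10.1.5.10 -> 10.1.6.{i}:502 tcp" for i in range(20)]      # Modbus/TCP polling, ignored
    + ["garbage line that does not parse"]
)

def run_sample():
    """Only the sweeping laptop (12 distinct hosts in 22 s) should be flagged."""
    return detect_scanners(SAMPLE_LOG)

if __name__ == "__main__":
    print(run_sample())
```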
3) There have been comments in the press that only Windows 2000 users are affected and everyone should have upgraded by now. This flies in the face of the fact that many control systems are still running on Windows NT. I think this is a challenge to the SCADA vendors to make it easy to upgrade applications to supported versions of the operating system: Windows NT has not been supported by Microsoft since 2004.
4) From a Starthis newsletter, “Among the hardest hit organizations from the latest set of worm attacks have been media companies and manufacturers. This week the companies that have been hit include: Caterpillar, DaimlerChrysler, General Electric, General Motors, Kraft Foods, United Parcel Service, and York International. At York International in Norman, Oklahoma, four manufacturing shifts were missed, beginning on Monday.
On Tuesday, production at 13 of DaimlerChrysler’s 23 US plants was disrupted for periods of between 5 and 50 minutes. On Wednesday, at a General Motors plant in Adelaide, Australia, a production line was halted for three hours, resulting in $6 million of lost production.”
Author: Dale Peterson
Posted: August 21st, 2005 under Anti-Virus.
Comments
Comment from Will Spencer
Time: August 27, 2005, 6:11 pm
It seems like the buck is being passed from the culprit that caused the problem to the end user.
The “buck” must be the responsibility of the end user.
All IT organizations are responsible for protecting their own infrastructures. This includes not only patching applications and operating systems, but also using network compartmentalization technologies such as firewalls to restrict access to those vulnerable technologies.
If you can’t patch your infrastructure because you have insufficient change windows, then you are not running your IT professionally. If you have insufficient change windows, you most likely have not built sufficient redundancy into your environment.