Stuxnet, the sequel: Dangerous malware aims to disrupt industrial control systems

Many of these industrial control systems have been in operation for years with little or no modification (no anti-virus updates or patches). This leaves them open to a wide range of cyber threats. It is therefore imperative that we find alternative measures to manage the risk.

Paul Edon, director of international customer services for Tripwire, said:

“Historically, industrial networks have used air-gap and diode-based architecture to defend against the risks associated with corporate intranet and Internet communications. However, due to economic pressures, i.e. increasing costs and decreasing numbers of skilled resources, it has become necessary for many organizations to centralize some of the management and control functions that would have previously been local to industrial plants, refineries, distribution facilities etc. This centralization has meant expanding the reach of the enterprise network into the industrial environment, and in doing so, exposing those industrial environments to levels of cyber risk for which they were neither secured nor designed.

Post design security is always a much greater challenge than the “security by design and default” that we would expect today. However, the majority of attacks can still be defended against by employing the same strategy as that used for the enterprise i.e. “Security Best Practise,” “Defence in Depth,” and “Foundational Controls.”

For Security Best Practices, select suitable frameworks such as NIST, ISO, CIS, ITIL etc. to help direct, manage and drive security programmes and ensure your strategy includes all three pillars of security; People, Process and Technology.

For defence in depth, protection should apply at all levels: Perimeter, Network and Endpoint. Again, make sure you are supporting your efforts using all three pillars of security: People, Process and Technology.

For Foundational Controls, select the foundational controls that best suit your environment: Firewalls, IDS/IPS, Encryption, Dual Factor Authentication, System Integrity Monitoring, Change Management, Off-line Backup, Vulnerability Management and Configuration Management, to name but a few. Don’t forget: ensure you are taking advantage of all three pillars of security: People, Process and Technology.

We will continue to see the introduction of new threats targeting the industrial technologies, but it is important to understand that good security hygiene will greatly reduce the effectiveness and therefore the success.”
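Of the foundational controls Edon lists, System Integrity Monitoring is the one that most directly catches the kind of tampering an industrial malware campaign relies on: a changed controller configuration, a replaced binary, or a dropped file that was not there when the plant was commissioned. The script below is an added illustration of that control and is not Tripwire's code or anything from the article. It builds a SHA-256 baseline of a directory, rebuilds it later, and reports what was added, removed or modified. The directory, file names and contents are constructed inside the script so it runs offline.

```python
"""File-integrity baseline check, illustrating the "System Integrity
Monitoring" control. Added example; not Tripwire's product code."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large firmware images are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to its hash."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def compare(baseline, current):
    """Diff two baselines; anything listed here needs a change record."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline
        if name in current and baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then simulate three kinds of
    unauthorised change and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample "plant" files; names and contents are invented.
        (root / "controller.cfg").write_text("station_id=1\n")
        (root / "logic.bin").write_bytes(b"\x00\x01\x02\x03")
        (root / "readme.txt").write_text("commissioned 2017\n")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        (root / "controller.cfg").write_text("station_id=1\nstation_id=2\n")
        (root / "logic.bin").unlink()
        (root / "update.dll").write_bytes(b"not expected here")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In a real deployment the baseline would be stored off the monitored host (an attacker who can alter the files can usually alter a local baseline too), regenerated only through the change-management process Edon also lists, and the report fed to whoever owns the asset rather than just printed.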

Senator Maria Cantwell (D-Washington), the top Democrat on the Energy and Natural Resources panel, told Politico that the malware illustrated the dangers of the fiscal 2018 budget proposed by President Donald Trump. For instance, the Trump budget proposes a reduction in funding for the Energy Department’s Office of Electricity Delivery and Energy Reliability, which works to strengthen grid defenses against hackers. “Instead of responsibly performing the requested assessment that today we’ve discovered is more necessary than ever, the administration has proposed slashing funding to the very offices tasked with protecting our grid from Russian cyberattack,” Cantwell said.

“This is where you really see the convergence of cyber and physical into destructive attacks,” Caitlin Durkovich, a former assistant secretary for infrastructure protection and now a director at Toffler Associates, told Politico. “It is concerning.” Yet she added: “We have had a very good battle rhythm and partnership between government and industry. In the last three or four years, there has been more unity of effort around the protection of the grid.” She said DHS has been, or likely would be, offering malware analysis and advice to industry and convening calls with top energy company officials. In fact, DHS’s Computer Emergency Readiness Team issued an alert Monday evening.