Cyberwarfare: Preparing your organization for a Stuxnet-like attack

Published 2 May 2011

A cybersecurity expert describes Stuxnet as “this epochal change”; he says that although Stuxnet was of such complexity and required such significant resources to develop that few attackers will be in a position to produce a similar threat in the near future, we now know that the dangers of Stuxnet-like threats are no longer theoretical.

Preparation and monitoring are crucial in the Stuxnet era // Source: zdnet.com

Even if you do not work for the Iranian nuclear program, you may want to learn how to protect your organization from a Stuxnet-like attack.

Writing in PCAdvisor, Francis deSouza, senior vice-president of the Enterprise Security Group at Symantec, describes Stuxnet as “this epochal change,” and says it was “one of the most complex threats observed to date.” Not only did Stuxnet use innovative antivirus evasion techniques and complex process injection code, but “it also pioneered new frontiers in virus design, including the use of four separate zero-day vulnerabilities and the first ever rootkit designed specifically for programmable logic controller systems.”

What was remarkable about Stuxnet was that it was designed to reprogram industrial control systems, that is, computer programs used to manage industrial environments such as power plants, oil refineries, and gas pipelines. “It is the first known malware designed to specifically target such systems with the goal of impacting real-world equipment and processes,” deSouza writes.

Stuxnet’s ultimate objective was to disrupt Iran’s uranium enrichment program by targeting systems with drives that functioned at a certain frequency such as gas-centrifuge-based systems. “Altering the frequencies of the drives, as Stuxnet is designed to do, will effectively sabotage the enrichment procedure, likely damaging the affected centrifuges in the process,” deSouza notes.

Stuxnet-like malware, however, may be used to attack industrial control systems more generally, and those who rely on such systems in their enterprises should take the necessary precautions. DeSouza recommends the following measures (the PCAdvisor piece offers more details for each measure):

  • Leverage reputation-based detection techniques
  • Take advantage of managed security services
  • Implement and enforce device control policies
  • Install, and if necessary lobby for the ability to install, host-based intrusion prevention systems
  • Ensure your tempo of software certificate revocation updating is appropriate
  • Use endpoint management software to ensure adequate patching procedures
  • Capitalise on effective data loss prevention solutions
  • Where able, employ automated compliance monitoring to root out default password use

DeSouza concludes:
Stuxnet was of such great complexity and required such significant resources to develop that few attackers will be capable of producing a similar threat in the near future. Thus, we do not expect masses of threats of similar sophistication to suddenly appear. However, the real-world dangers of Stuxnet-like threats are obvious.