
 

When Stuxnet malware hit the mainstream media in September 2010, it all sounded like a plotline straight from a Tom Clancy thriller. After all, Stuxnet—the first worm ever developed to reprogram industrial systems—was reportedly designed to take aim at Iranian nuclear power stations. More specifically, Stuxnet targeted the Siemens industrial control systems implemented at so-called “high-value infrastructure” installations in Iran.

The media response was appropriately hysterical.

TEC’s managing editor David Clark decided to de-Clancify the affair by going straight to the front lines of defense, at Siemens AG.

Clark interviews Stefan Woronka, Siemens’ director of professional services.


TEC: Please tell me about your role at Siemens.

Woronka: Director, Professional Services—responsible for Industrial IT Security Services within the Industrial Automations Systems Business Unit. We offer consulting and implementation of solutions around industrial IT security. This starts with risk assessments for existing sites and suggesting measures for implementation. We support the implementation and conduct reviews on a regular basis. The reviews are based either on a policy established at the client or an accepted standard.

TEC: Could you tell me a little bit about the way in which Stuxnet was first brought to your attention, and about your initial thoughts and reactions?

Woronka: Our management informed relevant departments, including Industrial IT Security Services. My first thoughts were: “What's that, I want to know more,” as first information about Stuxnet was not really clear about what the malware was dedicated to. Within hours a team in our organization was activated and actions were defined, such as detailed analysis within our security labs together with Siemens CERT [computer emergency response team] cyber forensics experts.

TEC: According to a Kaspersky Lab news item, “Stuxnet is a working—and fearsome—prototype of a cyber weapon, that will lead to the creation of a new arms race in the world.” Is there really something we should all be worrying about, or is this simply a hyperbolic sound bite?

Woronka: Now, more than three months after the first appearance of Stuxnet in the news, we can state that in none of the cases known to Siemens from the industrial environment was a plant’s control system affected.

Manufacturers of virus scan software have reported massive Stuxnet infections in some countries, with no distinction being made as to whether office PCs or industrial systems are affected. In the four months, a total of 21 Siemens customers worldwide from an industrial environment have reported an infection with the Trojan.

In all cases, Stuxnet exploited security gaps in Windows-based operating systems. The virus could be removed in every case without any adverse effects on plant processes. In none of the cases did Stuxnet influence control software or even attempt to do so. This behavior corresponds to the insights gained from the analysis that Siemens carried out on the virus.

Stuxnet searches systematically for a very specific plant configuration. If it does not find such a configuration, the virus is not activated. But the potential which lies in Stuxnet is something that everyone should take seriously. It was obviously the first attempt at malware for industry or infrastructure applications. And the experts say this may not be the last such attempt. Therefore, operating companies as well as system integrators now should be sensitized and should undertake measures to analyze their security situation.

Security is not buyable as a single product or a technical feature. Security is a steadily ongoing process that links products, people, and processes.

TEC: Do you anticipate copycat attempts to replicate some or all of Stuxnet’s capabilities?

Woronka: Microsoft has issued security patches to close “the Stuxnet gap.” So the Stuxnet case will be finished soon. But as I mentioned, experts say this may not be the last such attempt. So the whole security community, as well as Siemens, is working on concepts and improvements to withstand future attacks.

TEC: A hypothetical question: Imagine you were the project manager for the conception and development of Stuxnet. What criticisms would you be leveling at your development team right now? Any lessons learned for the Stuxnet dev team?

Woronka: If you find the dev team for this, let me know. I also have some questions. I’m working on the opposite side.

TEC: Let’s move on now to questions that relate more broadly to IT security concerns for manufacturers. The Siemens white paper Security Concept PCS 7 and WinCC outlines strategies for dealing with the following threats (page 23):

  • Denial of service
  • Circumvention of specific security mechanisms (such as “Man in the middle”)
  • Intentional maloperation through permitted actions (such as password theft)
  • Maloperation through non-configured user rights
  • Data spying (e.g., of recipes and business secrets or operational plans for plants and their security mechanisms)
  • Manipulation of data (e.g., to downplay the importance of alarms)
  • Deletion of data (e.g., log files to cover up attack activities)

That’s a lot of worrying, right there. Is there any such thing as a bulletproof IT security approach?

Woronka: Basically I'd like to point out that

  • there is no 100% security, and
  • there is no silver bullet for security threats.

For every defense there is an offense and for every offense there must be a defense.

A solid security solution touches three domains: people, products, and processes. To start with a project, you have to design security into the solution, you have to raise awareness by all people doing the project and later operating the site, and you have to take care of standard operation procedures to cover all relevant aspects. And you have to build your security architecture with several layers of defense. Those layers may also address one of the three above domains.

TEC: As you know, cloud computing is being pushed very hard by software vendors with a lot of marketing spend; if I’m to believe their white papers and case studies, manufacturers seem to indeed be moving toward increased cloud adoption. Does cloud computing present inherent security challenges that you’d like to bring to the attention of manufacturers considering such a move?

Woronka: Cloud computing, like any other IT solution, has general as well as specific risks that need to be analyzed. Once analyzed, measures need to be defined to mitigate the risks.

TEC: Security solutions for industry: Are there new or future solutions/features/developments you’d particularly like to highlight?

Woronka: There are solutions that are becoming more popular within the industrial IT security community, but need to be developed and evaluated further. In my opinion, whitelisting technology and intrusion detection technology will give the opportunity to gain higher levels of security in the future. Also we will see special solutions for industrial IT security that take care of the needs of the operators’ priorities, which lie in availability and integrity (without ranking these two) and lastly in confidentiality.

But these are only products or solutions, which still need to be implemented properly. This is where our organization comes into play. We help our customers implement security solutions, but it does not end with the mere solution. It always comes back to the three domains: people, products, and processes. Setting up a security program and using external knowledge may help to raise the overall level of security.

TEC: What advice would you give to IT managers who are perennially trying to dispel the perception of the IT department as an impediment to user productivity (thanks to restrictions on the use of various information media and mobile devices, constrictive rights management, and so on)?

Woronka: The highest priorities for an operator of a plant lie in integrity and availability, and lastly in confidentiality. It falls upon the IT department to understand the order and then to adjust its measures accordingly. But it also falls upon the operator to understand the need for IT security, and that the IT department can offer support with its expertise. Working jointly together will help both, and give the operation a higher level of security.

Thus within the community we expect a higher degree of security programs coming up.

TEC: What top-level advice would you give to a manufacturing organization seeking a comprehensive IT security solution for the first time?

Woronka: The first question I ask is: “Do you have a security policy for your operations in place?”

Within that policy the organization should address all relevant topics. For the creation of a policy, manufacturing organizations should start with an assessment of all critical assets. Assessing the risks gives deep insight into what is really critical, and thus needs higher attention. From there, measures will be defined to mitigate those risks. Finally, IT security is not a one-time project. It must be the daily business of everyone.






©2013 Technology Evaluation Centers Inc. All rights reserved.