ATTN: Systems Integrators.
Guys, we can’t ignore this one. Stuxnet has taught the whole world what can be done. So it is now orders of magnitude more likely that an attacker could develop a modified version of it or design something similar to it in nature with the potential of doing much more damage than Stuxnet actually caused.
Here’s a worst-case scenario:
We’re now in a situation (unlikely, but potential) where an American systems integrator could connect his laptop to a plant in India, pick up something like this, and then bring it back to our in-house systems, where it would then spread to every system they ship. The control systems then start failing, accidents occur, etc.
I don’t think Systems Integrators are at risk to this particular threat (the original Stuxnet) for the following reasons:
The antivirus vendors are all over this one. Its probably in every signature scanner, and its behavioral tricks are probably being watched by all of the behavior-based malware products.
Microsoft issued a fix for the Windows exploit Stuxnet uses in early August (or sooner). So if you’ve done Windows Update since then you’re protected regardless of antivirus status.
The quick policy change I think we need to make is this:
1. Control systems products and Internet surfing must be 100% separated. So if you run Step7 or RSLogix on your native boot laptop, then you need to surf inside a VM. OR, If you surf on your main machine, all your controls programs must run inside VMs.
2. Develop a good firewall procedure for when we connect laptops to foreign plant networks (especially International). We need to block the laptop from accepting inbound IP traffic from any addresses other than the ones in our own panel. This won’t be a big deal to implement and maintain as we travel to different networks.
3. Keep all hosts and VM’s current on Critical updates from Microsoft.
4. Keep current updates on whichever antivirus or antimalware program you’re using. I actually think we’re safer overall if we keep a mix of security products in use (different ones on different machines) rather than picking one single vendor’s solution, because we’re more likely to learn we’ve been infected, even if its just 1 of the products we’re using that detected it. Then we can use appropriate measures to remove it from any systems that didn’t detect it.
Is this good enough for now? Too extreme? Other ideas?