Stuxnet — the sophisticated computer worm that struck Iranian nuclear facilities last year — has ushered in a new era of industrial cybercrime. As we discussed last month, the worm targeted VFDs slaved to PLCs by Profibus, whipping them through frequency changes to destroy attached motors.
In contrast with traditional malware, Stuxnet exploits multiple vulnerabilities to pass its payload and wreak havoc in a very specific way. It is also the first automated malware using a modular, framework-based approach. Even so, Stuxnet derivatives may not pose an immediate threat to the average automated manufacturing line. Why? Though there's no certainty of its origins (and speculation has earned journalistic disdain for many media outlets) evidence suggests that the U.S. and Israeli governments are Stuxnet's authors. Ironically, a government-created computer virus may buy some time for manufacturers to strengthen automation-network security: Such a tailored weapon is narrowly targeted, and the virus is quite difficult to reverse engineer for repurposing.
According to Brad Hegrat, certified information security manager and senior principle security consultant for Rockwell Automation, “A Stuxnet-type virus is highly damaging if it affects your system — but the level of expertise, engineering, and funding required to develop such a virus make that unlikely, unless your system is a very high-value target.” What a relief.
That said, there's no crime in being proactively cautious. To reduce vulnerability to industrial security risks, manufacturers are advised to take these five actionable steps right now: Control (or even restrict) personnel access, manage passwords, keep systems updated, employ firewalls and intrusion detection, and ensure that processor keys are in Run mode to prevent unauthorized changes. According to Hegrat, these steps will prevent accidental and malicious control changes and protect IP; help manufacturers comply with emerging global standards such as ISA S99 and IEC 62443; and meet the guidelines of government offices (such as the U.S. Department of Homeland Security) and industry consortia (NERC, for example) that regulate standards of operation for critical infrastructure processes — in oil and gas, energy and power, water, and transportation, for example.
Another option is a new breed of dedicated security appliances that monitor system control functions. One such DIN-mount mGuard module from Innominate of Phoenix Contact Inc., Middletown, Pa., is a mouse-sized unit loaded with software that goes beyond the typical pattern recognition of commercial software, to block all unsolicited connections — in and outbound. Legitimate controller communication is verified with node-specific identification. It's an interesting approach, and its designers have demonstrated that the unit stops Stuxnet in its tracks.