Real Security Is About Prevention Not Recovery

Over the last few months we have been hearing more and more about the Stuxnet worm. Believed to date back to 2007, it became a topic of conversation in the mainstream media after it was discovered and publicly reported in 2010. At the time, Symantec reported that less than 2% of all known Stuxnet infections were on machines in the United States. Now, almost two years later, it is once again front and center, both for its relationship to the newly discovered Flame malware and for reports of it reaching new networks and machines.

Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements. “The attackers took great care to make sure that only their designated targets were hit. It was a marksman’s job,” stated Ralph Langner, an independent security expert who was one of the first to decode Stuxnet. Although its payload is destructive, the worm stays inert if the specific industrial control software it looks for is not present on an infected computer, and it limits its own spread over removable media so that a single infected drive infects at most three computers.

For its targets, Stuxnet carries an attack that records normal process sensor readings and replays them to the control and monitoring layer, so that the system does not trip or shut down on abnormal behavior while the real equipment is being manipulated. It initially spreads over infected removable drives such as USB flash drives, and then uses other exploits and techniques, including peer-to-peer updates over RPC, to infect and update computers on private networks that are not directly connected to the Internet. Such complexity is very unusual for malware and is one reason it has proved so hard to eradicate.

The full Stuxnet code has not been publicly disclosed, but it targets only those SCADA configurations that match the criteria it is programmed to identify. Stuxnet injects its own code blocks into the PLC, including a hook on the block that handles the fieldbus messaging of the system. When its criteria are met, it periodically changes the output frequency of the connected drives, and thus the rotational speed of the attached motors. It also installs a rootkit, the first known rootkit for a PLC, that hides the injected blocks from the engineering software and masks the changes in rotational speed from the monitoring systems.
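The replay-and-mask behavior described above suggests two checks a monitoring layer can run on what a PLC reports: a replayed recording repeats earlier values bit-for-bit, which real sensor noise does not, and an independent measurement that bypasses the PLC will diverge from the replayed values once the drives are actually being manipulated. The following is an added example, not code from the original post, from Stuxnet, or from ThinManager; the frequency values, the setpoint, the tolerance and the sample layout are constructed for illustration.

```python
"""Added example: two checks against a PLC that replays recorded readings.
Constructed data, not a Stuxnet sample or ThinManager code."""
from __future__ import annotations

# Constructed sample data (assumed drive frequency in Hz, one sample per cycle).
# Healthy operation hovers around a setpoint with small noise; five such
# readings are "recorded" and then replayed to the operator display.
RECORDING = [1063.8, 1064.1, 1063.9, 1064.3, 1064.0]
REPORTED = RECORDING * 3                      # what the compromised PLC reports
MEASURED = RECORDING + [                      # what an independent sensor sees
    1200.0, 1300.0, 1410.0, 1410.0, 1410.0,   # drives pushed far above setpoint
    800.0, 300.0, 2.0, 2.0, 2.0,              # then dragged down to a crawl
]


def find_replayed_window(samples: list[float], min_len: int = 4) -> tuple[int, int] | None:
    """Return (start, length) of the first window that is immediately followed
    by an exact copy of itself, or None.  A replayed recording reproduces
    earlier values exactly; min_len guards against short coincidental repeats
    in low-resolution or quantised signals."""
    n = len(samples)
    for length in range(min_len, n // 2 + 1):
        for start in range(0, n - 2 * length + 1):
            if samples[start:start + length] == samples[start + length:start + 2 * length]:
                return start, length
    return None


def divergence_alarms(reported: list[float], measured: list[float],
                      tolerance_hz: float = 5.0) -> list[int]:
    """Indexes at which the PLC-reported value disagrees with an out-of-band
    measurement by more than tolerance_hz.  The second sensor must not be read
    through the same PLC, otherwise the rootkit masks it as well."""
    return [i for i, (r, m) in enumerate(zip(reported, measured))
            if abs(r - m) > tolerance_hz]


def assess(reported: list[float], measured: list[float]) -> dict[str, object]:
    """Combine both checks into one verdict for a monitoring rule."""
    replay = find_replayed_window(reported)
    alarms = divergence_alarms(reported, measured)
    return {
        "replay_window": replay,
        "divergent_samples": alarms,
        "suspicious": replay is not None or bool(alarms),
    }


if __name__ == "__main__":
    print(assess(REPORTED, MEASURED))    # replay at (0, 5), samples 5..14 divergent
    print(assess(MEASURED, MEASURED))    # honest PLC: nothing flagged
```

The divergence check is only as good as the independence of the second measurement: a sensor wired into the same PLC, or an HMI reading from the same data blocks, sees the same replayed values. The exact-repeat check is cheap but needs a sensible window length for signals with coarse resolution, where short runs of identical values are normal.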

Many companies, including Siemens and Symantec, have developed tools for detecting and removing Stuxnet. The worm’s ability to reprogram external PLCs complicates removal: experts warn that cleaning the Windows hosts may not fully resolve the infection, and a thorough audit of the PLCs themselves may be necessary. Prevention of worm infections like Stuxnet is a topic currently being addressed in both the public and the private sector. Several industry organizations and professional groups have recently published standards and best-practice guidelines providing direction for control system end users on how to establish a proper security management program.
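A PLC audit of the kind mentioned above boils down to comparing the program blocks read back from the controller against a baseline recorded at commissioning. Because Stuxnet’s rootkit hid its injected blocks from the engineering software on the infected workstation, the read-back has to be taken from a known-clean host and the baseline kept somewhere the engineering network cannot alter. The following is an added example, not code from the original post or from any vendor tool; the block names, the block contents and the hashing scheme are constructed for illustration and are not real S7 bytecode.

```python
"""Added example: auditing a PLC's program blocks against a known-good baseline.
Constructed block names and contents, not real S7 bytecode or vendor tooling."""
import hashlib


def block_digest(code: bytes) -> str:
    """SHA-256 of a block's compiled code; the baseline stores digests, not code."""
    return hashlib.sha256(code).hexdigest()


def audit_plc_blocks(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the blocks read back from a controller with the approved baseline.
    baseline maps block name -> digest recorded at commissioning;
    current maps block name -> code bytes read from the PLC now.
    Returns the block names that were added, removed or modified."""
    digests = {name: block_digest(code) for name, code in current.items()}
    return {
        "added": sorted(n for n in digests if n not in baseline),
        "removed": sorted(n for n in baseline if n not in digests),
        "modified": sorted(n for n in baseline if n in digests and digests[n] != baseline[n]),
    }


# Constructed "commissioned" program: a main cycle block, a timer block and one function.
KNOWN_GOOD = {
    "OB1": b"cycle: read inputs; call FC1; write outputs",
    "OB35": b"100ms timer: pid loop",
    "FC1": b"set drive frequency = setpoint",
}
BASELINE = {name: block_digest(code) for name, code in KNOWN_GOOD.items()}

# Constructed "infected" program: the main cycle gains a hook that calls an
# injected block, and two new blocks appear (names are illustrative, not Stuxnet's).
INFECTED = dict(KNOWN_GOOD)
INFECTED["OB1"] = b"call FC1000; " + KNOWN_GOOD["OB1"]
INFECTED["FC1000"] = b"injected: override drive frequency"
INFECTED["DB1000"] = b"injected: attack state"


if __name__ == "__main__":
    print(audit_plc_blocks(BASELINE, KNOWN_GOOD))   # clean controller: all three lists empty
    print(audit_plc_blocks(BASELINE, INFECTED))     # DB1000 and FC1000 added, OB1 modified
```

Any legitimate program change must update the baseline through the same change-control process that approved it; otherwise the audit degrades into a list of exceptions nobody reads.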

While there has been a surge in discussion both of the relationship between Stuxnet and Flame and of how best to protect against future infections, there has been very little of that conversation at ThinManager headquarters. Fortunately, ThinManager is well placed to provide protection from attacks originating both outside and inside an industrial network. The ThinManager Platform’s default configuration does not allow a mountable USB device to be read or used at any thin client within its network. As such, the threats that are becoming more common with the advent of BYOD policies have no default point of entry into a ThinManager network at the thin client. Removable media is only one of Stuxnet’s propagation paths, so the terminal servers and engineering workstations behind the thin clients still need their own hardening and patching.

ThinManager also provides additional layers of internal protection through its TermSecure function, which lets administrators keep Windows user login credentials hidden from end users. Because of this, even if a user’s TermSecure credentials were compromised or stolen, they could only provide access to the thin clients, which store no data. TermSecure can also restrict specific users to specific terminals throughout a facility, which limits how many machines a single employee’s account can reach through external access or third-party devices. Card readers and RFID or key-fob hardware are also supported for badge-based logon. By delineating specific user access, ThinManager reduces the risk of infection.

In the world of malware, viruses, and hackers, the cure is often found too late to prevent catastrophic loss at an industrial facility. Using a secure platform to run modern factory-floor operations should be the first consideration when designing your network. A platform that PREVENTS intrusion, like ThinManager, rather than one that merely responds well to fixes and patches after the fact, should be the standard, because security is now more important than ever.

Tom Jordan

Marketing Lead for ThinManager - A Rockwell Automation Technology