Since mid-July, the team at Byres Security, under Eric Byres, has been working hard on determining exactly what operators of SCADA and industrial control systems can do to protect their facilities from infection by the Stuxnet worm. This worm is both complex and dangerous to all control systems.
As a result, they have massively updated their Stuxnet White Paper “Analysis of the Siemens WinCC / PCS7 ‘Stuxnet’ Malware for Industrial Control System Professionals”. There is no charge for this white paper, but you must register on the Tofino Security website. The page also has a link to the Stuxnet Infection Video by Englobal’s Joel Langill, in which he does an excellent job of detailing exactly what Stuxnet is doing to a computer and the Siemens Project files.
In the latest version they have created a detailed list of Prevention/Mitigation techniques you can use to protect computers running both supported Windows operating systems and older unsupported systems that cannot be patched. These mitigations are recommended for all control systems, regardless of whether a Siemens product is used or not.
Other changes in this version of the Stuxnet White Paper include:
• A new summary of what Stuxnet is, what its consequences are, and how it is spreading
• A revision to the list of vulnerable systems
• An expanded analysis of the available Detection and Removal tools
If you are not currently a member of the tofinosecurity.com website, you will be asked to become a member. Membership is free and is required to limit this information to bona fide industrial control and security professionals only.
Eric Byres concludes, “I hope this information will be helpful to you, your organization and the ICS community as a whole.”
We first covered this on 19th July 2010 when we carried Eric’s first notification on this worm in “Security threat to the control system world!”. We followed up with Andrew Bond’s analysis, “‘Zero day’ attack on Siemens control system software shows alarming new level of malware sophistication”, in early August, and our last posting on the subject was Nick Denbow’s “Stuxnet – not from a bored schoolboy prankster!” on 21st September 2010. We have also endeavoured to add new relevant information and coverage at the bottom of Nick’s article.