Thursday, August 26, 2010

Stuxnet Update

Those of you who follow me on Twitter® will have noted that yesterday I re-tweeted an announcement from Industrial Defender that they had updated their White Paper on the Stuxnet worm (ID calls it a worm, others have called it a virus or a Trojan). That re-tweet was based upon my experience with their past information. Late last night I finally had a chance to read their updated paper and I certainly was not disappointed.

I have frequently found that white papers by technology companies have been little more than advertising copy for products they sell. Industrial Defender is in the business of providing cyber security services, and there is a brief mention of two of their products in this document, but it hardly counts as real advertising as there are no claims about how well their product does against other such products available in the market.

The White Paper does provide a very good technical discussion of how Stuxnet works and propagates. It outlines what is known about the history of the malware and the response of both Microsoft and Siemens to the problem. While the discussion is technical, you don’t have to be a systems engineer to understand the points being made. Anyone with any significant experience in SCADA operations (not necessarily programming) should be able to follow the discussion without significant problems.

Most importantly, the paper provides a detailed discussion about how facilities can protect themselves from future problems with Stuxnet and outlines the types of steps that must be taken to safely remove a Stuxnet infection. Probably the most important piece of advice in the later discussion is to closely involve your control system vendor in any removal operations.

The current version of the White Paper is a 21-page .PDF file which downloads quickly. You do have to register with Industrial Defender to be able to complete the download, but the process allows you to opt out of receiving sales literature if you so desire. The download page does provide access to a number of other Industrial Defender information products, including two webinars on the Stuxnet problem.

I think that anyone with a Siemens industrial control system should certainly download and spend some time studying this white paper. Industrial Defender has done an excellent job of preparing and presenting this information. It is certainly a valuable service to the control systems security community.


Andrew Ginter said...

Thank you PJ, those are words of high praise.

The Stuxnet worm is big news in the control systems security world. We have had customers tell us that, while they can build a business case for protecting control systems against "run of the mill" threats, they have not been able to build a case for more costly protections against sophisticated or targeted threats. There simply have not been enough examples or incidents to justify the investments. Stuxnet is changing that equation.

This past year I've had the opportunity to attend a number of industry gatherings and conferences on cyber security for industrial control systems. As a rule, it's not possible to sit through one of those gatherings without hearing Australia's "Maroochy" incident mentioned a number of times. I believe that Stuxnet has already eclipsed Maroochy. I predict that for the next half decade at least, every attendee at any ICS conference will hear "Stuxnet" at least two or three times as often as "Maroochy", and far more often than even that in the next 12 months.

If your readers would like to read our Stuxnet paper, just follow this link.

We do ask for your contact info but we send out mailings only infrequently and you can always unsubscribe.

PJCoyle said...

For those wanting information on the Maroochy Incident see report at:
